Introduction

Article 16 of the Law No. 6698 on the Protection of Personal Data (the "Law")1 (i) sets forth that a Data Controllers Registry (the "Registry"), with which all data controllers are obliged to register, is kept by the Presidency of the Protection of Personal Data (the "Presidency") under the supervision of the Personal Data Protection Board (the "Board"); and (ii) authorizes the Board to regulate the principles and procedures and to determine the exemptions relating to the registration obligation. Clause (d) of article 22 of the Law further assigns the Board the duty of keeping the Registry.

Based on the authority and duty prescribed in the Law, the Board (i) published the Regulation on the Data Controllers Registry (the "Regulation")2 for the purposes of establishing and maintaining the Registry, determining the principles and procedures relating to the registrations required to be made with it, and ensuring compliance with the foregoing; and (ii) issued various decisions (the "Decisions")3 relating to the scope and the calendar of the registration obligation.

Pursuant to the Law and the Regulation, all individuals and legal entities that process personal data under the Law (collectively the "Data Controller(s)") shall be required to register with the Registry prior to commencing data processing, regardless of whether they are resident in Turkey. Therefore, not only Data Controllers residing in Turkey, but also Data Controllers residing outside of Turkey, shall be required to register with the Registry and appoint a Data Controller Representative (the "Representative"), who needs to be either an individual with Turkish nationality or a legal entity residing in Turkey.

In light of the Law, the Regulation and the Decisions, the following points are important for ensuring that the registration obligation is duly fulfilled by the Data Controllers.

1. Registration Procedure

The actions and transactions relating to the Registry shall be conducted via the Internet, by means of a digital system called the Data Registry Information System ("VERBİS"). The obligation to register with the Registry shall be fulfilled upon uploading the necessary information requested on the VERBİS system.

2. Registration Fee

No registration fee shall be charged to Data Controllers for registration with the Registry.

3. Obligations of the Data Controllers outside of Turkey

Data Controllers shall have the registration obligation, even if they are residing outside of Turkey. The actions and transactions required for the fulfilment of the registration obligation by the Data Controllers outside of Turkey shall be carried out by their duly authorized Representatives, who need to be either an individual with Turkish nationality or a legal entity residing in Turkey.

The Representative shall also (i) receive and accept the notifications and correspondence made by the Personal Data Protection Authority (the "Authority") on behalf of the Data Controller; (ii) transmit the requests directed to the Data Controller by the Authority as well as the responses to be given by the Data Controller to the Authority; and (iii) (provided that other measures are not designated by the Board for doing so) collect and forward the applications made by data subjects to the Data Controller under the Law and communicate the responses to such applications to the data subjects.

The Representative shall be appointed by means of a resolution to be made by the competent body / person of the Data Controller residing outside of Turkey. The resolution shall contain the authorization of the Representative for the foregoing matters, and a certified copy of it shall be supplied to the Authority by the Data Controller at registration with the Registry.

4. Information Required to be Supplied at the Application for Registration with the Registry

The information to be supplied at the application for registration with the Registry shall be as follows:

  1. Information provided within the application form to be specified by the Board concerning the identification and address information of the Data Controller and the Representative,
  2. Purposes for processing personal data,
  3. Explanations concerning the persons or person groups that are subjects of data and the categories of data relating to such persons,
  4. Recipients or recipient groups to which the personal data may be transferred,
  5. Personal data that are predicted to be transferred abroad,
  6. Measures taken regarding the data security,
  7. Maximum retention periods of personal data as required by the purpose of processing.

In addition, the Data Controllers shall be required to notify the Presidency immediately of any changes to such information.

5. Obligation to Prepare a Personal Data Processing Inventory

Pursuant to article 5 of the Regulation, the information that will be supplied to the Registry by the Data Controllers shall be prepared based on the Personal Data Processing Inventory ("Inventory").

Therefore, it is construed that the Data Controllers shall be required to create an Inventory, in which they describe and elaborate on (i) the personal data processing activities they perform in accordance with their business processes, along with the personal data processing purposes, data categories, recipient groups, and data subject groups; (ii) the maximum retention periods of personal data as required by the purpose of processing; (iii) the personal data that are predicted to be transferred abroad; and (iv) the measures taken regarding data security.

6. Data Controllers that are Exempted from the Registration Obligation

As per the Decisions, the Board decided that the following data controllers shall not be required to be registered with the Registry4:

  1. Persons who process personal data being part of any data recording system only in non-automatic ways,
  2. Notaries,
  3. Associations, foundations and syndicates that process personal data for their employees, members and donors, only in accordance with relevant legislation, purposes and limited to their areas of activity,
  4. Political parties,
  5. Lawyers,
  6. Independent Accountant and Financial Advisors and Certified Public Accountants,
  7. Customs brokers and authorized customs brokers,
  8. Mediators,
  9. Real persons or legal entities, whose (i) annual headcount is less than 50, (ii) annual sum of financial balance sheet is less than 25,000,000 TL, and (iii) main field of activity is not personal data processing.

7. Personal Data Processing Activities that Are Exempted from the Registration Obligation

As per article 15 of the Regulation, the Data Controller shall have no obligation to register or otherwise notify the following personal data processing activities to the Registry:

  1. If personal data processing is required to prevent or investigate a crime,
  2. If processing is relating to the personal data publicized by the person concerned,
  3. If personal data processing is required for disciplinary investigation or prosecution or for carrying out auditing or regulating duties by public institutions and organizations as well as by professional organizations in the form of public institutions, based on the authorization granted by law,
  4. If personal data processing is required to protect the economic and financial interests of the State in relation to budget, tax and financial matters.

8. Non-compliance with the Registration Obligation

As per article 18 of the Law, Data Controllers that fail to comply with the registration or notification obligation shall be subject to an administrative fine ranging from 20,000 TL to 1,000,000 TL.

9. Start Date for the Registry Obligation

As per the Decisions, the calendar for effecting the registration obligation, depending on the category of the Data Controller, shall be as follows:

| Data Controller Category | Commencement Date of Registration Obligation with the Registry | Deadline for Registration / Duration for Completing the Registration |
| --- | --- | --- |
| Data Controllers, whose (i) annual headcount is more than 50, or (ii) annual sum of financial balance sheet is more than 25,000,000 TL | 1 October 2018 | 30 September 2019 (1 year) |
| Data Controllers, whose (i) annual headcount is less than 50, and (ii) annual sum of financial balance sheet is less than 25,000,000 TL; (iii) but main field of activity is processing sensitive personal data | 1 January 2019 | 31 March 2020 (1 year 3 months) |
| Data Controllers who are residing outside of Turkey | 1 October 2018 | 30 September 2019 (1 year) |
| Data Controllers who are qualified as a public institution or organization | 1 April 2019 | 30 June 2020 (1 year 3 months) |

The above calendar was introduced to allow Data Controllers that are already processing data to register with the newly established Registry. Under normal circumstances, a Data Controller shall be required to register with the Registry prior to commencing data processing activities. Similarly, Data Controllers that become bound by the registration obligation at a certain date (despite not being subject to it before) shall be required to fulfill it within a period of 30 days, starting from such date.

If a Data Controller that is subject to the registration obligation is not able to fulfill it due to any actual, technical or legal impossibility, it may request additional time from the Authority in writing, explaining the reasons, within a period of 7 days following the occurrence of the impossibility. In this case, the Authority may grant, once only, an additional period not exceeding 30 days.

Footnotes

1 Published in the Official Gazette dated 7 April 2016 and numbered 29677 and entered into force on its publication date.

2 Published in the Official Gazette dated 30 December 2017 and numbered 30286 and entered into force on 1 January 2018.

3 The Decisions numbered 2018/32, 2018/68, 2018/75, 2018/87 and 2018/88 have been issued from 2 April 2018 to 19 July 2018.

4 The Board is authorized to and may broaden or otherwise amend this list, as per the authority vested to it by the Law.