Introduction

The Turkish Personal Data Protection Board (the "Board") has finally launched VERBIS, the online registration platform for data controllers (the "Registry") on 01 October 2018.

The Registry will provide information with regard to data controllers' personal data processing activities and the terms and conditions of such processing in general.

Data controllers subject to registration requirements will have a period of approximately 1 year from the registration commencement date applying to them to complete all registration formalities.

Are you required to register with the Registry?

Article 16 of the Personal Data Protection Law[1] (the "PDPL") stipulates that all data controllers must be registered with the Registry, unless held exempt by a decision of the Board.

The Board has announced that the following categories of data controllers will be held exempt from the requirement to register with the Registry:

  • Data controllers who have fewer than 50 employees and an annual balance sheet below TL25 million, provided that such data controller's main activity does not require the processing of special category personal data[2];
  • Customs brokers;
  • Mediators;
  • Data controllers who process data only by non-electronic means;
  • Public notaries;
  • Associations, foundations and syndicates;
  • Political parties;
  • Lawyers; and
  • Certified public accountants.

Note that registration-exempt data controllers are still required to comply with the PDPL and applicable decisions of the Board.

What is the penalty for failure to register?

Data controllers who fail to comply with registration requirements are subject to penalties between TL20,000 and TL1,000,000.

Is there a registration fee?

No, there are no registration fees payable for registration with the Registry.

How to register?

Step 1. Prepare an Inventory

The Regulation on the Data Controllers' Registry (the "Regulation") sets out that the information to be provided to the Registry must be in line with the personal data processing inventory (the "Inventory") of the relevant data controller. The Inventory, in simple terms, is a comprehensive list of all personal data processing activities of a data controller, categorised (without limitation) by reference to:

  • the type, purpose, duration, method of the processing activity;
  • the data subject and the type of the personal data;
  • the data transferring activities; and
  • the applicable technical measures for protection.

Step 2. Designate your Representative (for data controllers outside of Turkey)

All data controllers residing outside of Turkey must designate a representative, which needs to be either a natural person that is a Turkish citizen or a legal entity incorporated in Turkey (the "Representative"). This designation needs to be carried out through a resolution of the authorised corporate body of the relevant data controller, and a notarised and apostilled copy of such resolution must be submitted to the Board at registration.

In case such Representative is a legal entity registered in Turkey, it must assign a contact person (as defined below).

Step 3. Designate your contact person

All legal entity data controllers or Representatives registered in Turkey must designate a contact person, which must be a natural person, for registration purposes. Such designation can be made by simply entering the Turkish identity number of such contact person, without needing to demonstrate further corporate action to the Board. The designated contact person will carry out registration formalities and serve as a point of contact for applications of any data subjects to the relevant data controller.

The designated contact person's duties are intended to be administrative and accordingly, he is not liable for legal and regulatory compliance of the data controller. Note that an individual may not serve as a contact person for multiple data controllers.

What is the timeline for registration?

The Board has announced different registration commencement dates and deadlines for different categories of data controllers. These are as follows:

| Data Controller | Commencement Date | Deadline |
|---|---|---|
| Data controllers who have more than 50 employees or an annual balance sheet above TL25 million | 1 October 2018 | 30 September 2019 |
| Data controllers who have fewer than 50 employees and an annual balance sheet below TL25 million, but process special category personal data as part of their main activities | 1 January 2019 | 31 March 2020 |
| Data controllers residing / registered outside of Turkey | 1 October 2018 | 30 September 2019 |
| Data controllers who are public institutions | 1 April 2019 | 30 June 2020 |

Keeping current with the Registry

Data controllers should always bear in mind that they are required to keep their information at the Registry up to date and to reflect any changes in their data processing activities.

Conclusion

Following the launch of the Registry, the countdown to VERBIS registration has officially begun.

While registration deadlines may currently appear to be at a comfortable distance, data controllers should be mindful of the potentially complex steps they may need to take to ready themselves for official registration and general PDPL compliance and start progressing through the appropriate steps as soon as possible.

Footnotes

1. Published in the Official Gazette dated 7 April 2016 and numbered 29677.

2. Such as hospitals and insurance companies processing personal data such as health-related information.
