As our readers will recall from our coverage of the new Turkish "Data Protection Law", one of the main obligations of the data controllers is to register with a publicly available Data Controllers' Registry ("Registry"), non-compliance of which may lead to an administrative fine up to €250,000.
The Turkish Data Protection Authority ("DPA") has announced this week via its website that it is still working on the secondary legislation concerning the Registry and the technical infrastructure to be utilized for the registration procedures, adding "Therefore, the commencement date of the registrations shall be declared via our website later on."
The members of the Data Protection Board ("Board"), which is the decision-making body of the DPA, also confirmed verbally at a workshop held last week that the Registry will be an online database and the applications thereto will be accepted online.
Other Obligations of Data Controllers
The Data Protection Law imposes many obligations on data controllers, some of which are, in summary, the following:
- To legitimise the processing of personal data as per the Data Protection Law or other laws, non-compliance of which is punishable by imprisonment pursuant to the Turkish Criminal Code;
- To inform data subjects with regard to the data controller's identity, purpose, method, and legal ground of the processing, transfer of data to third parties, and the rights of the data subjects, non-compliance of which may lead to an administrative fine up to €25,000;
- To ensure the security of the collected data, and to notify the Board and the data subject of data breaches, non-compliance of which may lead to an administrative fine up to €250,000;
- To delete or anonymize outdated data, non-compliance of which is punishable by imprisonment pursuant to Turkish Criminal Code;
- To abide by the rights of the data subject and reply to their applications in 30 days;
- To comply with the decisions of the Board, non-compliance of which may lead to an administrative fine up to €250,000.
ErsoyBilgehan helps its clients achieve sustainable compliance by building a data protection program that creates firm procedures as well as a proactive corporate culture in order to enable the business to respond effectively to privacy-related matters.
We offer a number of solutions for compliance with the Data Protection Law, which are fine-tuned to the unique needs and characteristics of our clients.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.