On Friday, May 5th 2017, the Turkish Data Protection Authority published the Draft Regulation on Data Controllers' Registry. The Regulation is still a Draft and our law firm is working on the Draft Regulation to submit our professional views to the Data Protection Authority.
The Draft Regulation brings new requirements to real and legal persons that collect personal data from Turkey. Therefore, whether you have a presence (office) in Turkey or not, if you collect personal data from Turkey you are subject to the obligations in the Draft Regulation. Please be informed that certain obligations in the Draft Regulation are different from the obligations in the GDPR or the 95/46/EC Directive; therefore, fundamental changes in operations may be required even for EU companies which have solid data processing practices.
Here are the new obligations brought by the Draft Regulation:
Data Controller's Registry: The Draft Regulation establishes the Data Controller's Registry and obliges all data controllers to register with the Data Controller's Registry before commencing collection of personal data. Registration will be made online using a system named VERBIS. The Data Controller's Registry will be publicly available.
Data Controllers are required to provide the following information through VERBIS:
- Identifying information and address of the Data Controller or its representative,
- Purpose of data processing,
- Data subject groups and data categories,
- Third parties which data may be transferred to,
- Personal data which may be transferred abroad,
- Safety and security measures taken,
- Maximum term for processing personal data which is in line with the purpose of processing.
Personal Data Processing Inventory: The Draft Regulation requires data controllers to hold an inventory which contains detailed information on their data processing procedures, data processing purposes, personal data categories, receivers of personal data and categories of data subjects. This inventory is the basis for all information that will be sent to the Data Controller's Registry. The information in the inventory will prevail; therefore, it is important for companies to keep the Inventory timely and accurate.
Data Storage and Destruction Policy: Data Controllers are required to draft a data storage and destruction policy. The policy must be the basis for determining the maximum term for storing data in line with the purpose of collection and processing.
Liability: Data Controllers are liable for all non-compliance with the obligations in the Draft Regulation. Assigning an individual or a group of individuals specifically to compliance with data protection requirements, such as a DPO, does not limit the liability of the Data Controller or the legal and criminal liability of the members of the Board of Directors.
Administrative Fines: Non-compliance with the registration and information requirement in the Draft Law is subject to an administrative fine of up to TRY 1.000.000 (approx. USD 275.000). Please be informed that this is not a one-time fine and can be issued for each case of non-compliance.
What should you do?
As mentioned above, the Regulation is still a Draft; however, we expect the Regulation to be published and enter into force before mid-June. Therefore, if you collect personal data from Turkey, it is best to start preparing by drafting your personal data inventory.
Please also continue to follow our updates as we are closely following the developments to provide timely advice to our clients.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.