The "Regulation on Data Controller Registry" ("Regulation") is published in the Official Gazette of 30 December 2017 and entered into force on 1st of January 2018.

The purpose of this Regulation is to establish the Data Controller Registry ("Registry"), which will be publicly available, under the supervision of the Data Protection Board ("Board"). The Regulation seeks to determine the procedures and principles concerning the registrations to be made with the Registry and to ensure their compliance, according to the Law No. 6698 on the Protection of Personal Data ("Law"). The Regulation sheds new light into the principles of the Registry as well as data controllers' obligations.

A) General Principles

According to the Regulation, both legal and real data controllers must be registered to the Registry before processing personal data. Data controllers who do not reside in Turkey are also obliged to register with the Registry through a data controller representative. Data controller representatives must either be a Turkish legal entity or a real person having Turkish citizenship.

Data controllers shall first establish an inventory of personal data processing, through associating with their personal data processing activities related to their business processes, their purposes of processing personal data, data category, transferred recipient groups and data subject group. Data controllers will then apply to the Registry through an online system called VERBIS before they start processing data. Department of Data Management is responsible for the establishment and administration of the Registry.

Data controllers shall be liable to ensure that the information submitted to the Registry are up-to-date, accurate and lawful. Registration with the Registry will not rule out any other liabilities or obligations imposed on the data controllers under the Law. Similarly, Article 16 of the Regulation stipulates certain exemption measures determined by the Board. However, the exemption of certain data controllers from the obligation to register with the Registry by the Board (based on the objective criteria set out under this secondary regulation) does not exempt such data controllers from their additional obligations under the Law.

The Registry will be open to the public. The Board, with the principle of public availability in mind, shall be authorized to assign the scope and exemptions of this public access.

B) The Registration Process

According to the recent announcement made by the Personal Data Protection Authority ("Authority"), the registration requirement will begin with VERBIS coming into service and with a commencement date set by the Board and will be announced by the Authority together with the exemptions of the registration requirements.

  1. The beginning of the registration requirement

Data controllers must be registered to the Registry before processing personal data. Data controllers who were not obliged to be registered but became obligated later, shall register to the Registry within 30 days starting from the date on which the obligation arose. Data controllers who were obliged to be registered but could not apply because of legal, technical or practical impossibilities, shall demand an additional period for the application to register from the Authority by submitting a written request, stating the cause, within 7 days beginning from the date of the impossibility. The additional period shall only be given once and shall not be longer than 30 days.

  1. Liability of Data Controller, Data Controller Representative and Contact Person

Data controller of a legal entity is the legal entity itself. According to the Law and other relevant legislation, data controller's obligations shall be carried out by the authorised body to represent and bind the entity or other real person stated in the relevant legislation, for the legal entities residing in Turkey. The authorised body to represent the legal entity shall assign one or more person(s) to carry out the obligations of the data controller. Such assignment shall not rule out the liability of the legal entity.

For the data controllers who do not reside in Turkey, a data controller representative shall be authorized regarding the duties set forth in Article 11/3 of the Regulation. The data controller representative shall be in communication with the Authority and the Board, including directing the requests addressed to the data controller, accepting or informing the data controller with notifications or starting the proceedings with the Registry on behalf of the data controller.

Pursuant to the Article 11/4 of the Regulation, the legal entities established in Turkey shall assign a contact person during the application to the Registry. The contact person shall solely be authorized for communication purposes with the Board or the Authority regarding the requests addressed to the legal entity, and shall not represent the data controller.

Pursuant to Article 12 of this Regulation, communication between the data controller and the Board regarding the application of the Law shall be made through;

  • The relevant legal entity, via their mailing address or registered electronic mail, for legal entities who are established in Turkey,
  • The relevant real person, via their mailing address or registered electronic mail, for real persons who reside in Turkey, and
  • The data controller representative registered with the Registry, for data controllers who do not reside in Turkey.

Data controllers shall notify the Board through VERBIS regarding the changes of their registered information within 7 days.

  1. Erasing Registration Records

Pursuant Article 14 of the Regulation, data controllers shall apply to the Authority through VERBIS for erasing their registry records. When the activity that required processing personal data ended, the registry records will be erased from the Registry. These records shall be kept in such way that no change can be made on them and these records will also be accessible if demanded. However, erasing these records shall not rule out the liability of the data controller pertaining to the time period when the data controller was registered to the Registry.

C) Exemption from the Registration Requirement

Article 15 the Regulation sets forth some exemptions to the foregoing requirements. According to Article 15, data controllers will not be obligated to register some of their activities (e.g., processing of personal data that is necessary for the prevention of a crime or for assisting crime investigations, or processing of personal data that is made public by the data subject, etc.) with the Registry.

Moreover, pursuant to Article 16 of the Regulation, the Board shall determine the exemptions to the obligation for the data controllers to be registered to the Registry. When determining these exemptions, the Board shall consider the following criteria:

  • Personal data type
  • Personal data quantity,
  • Processing purpose,
  • Field of activity that the data are processed,
  • Transfer of data to third parties,
  • Whether processing is specifically envisaged under the laws,
  • Data retention period,
  • Categories of data and individuals.

D) Administrative Sanctions

Pursuant to Article 17 of the Regulation, data controllers who fail to comply with the registration obligation will be subjected to an administrative fine under Article 18 of the Law (i.e. fines between TRY 20,000 and TRY 1,000,000). If the state institutions and organizations or professional organisations with public institution status fail to comply with the registration and notification obligations, disciplinary action will be taken for the officials who work in these institutions.  

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.