The "Draft Regulation on the Data Controllers' Registry" ("Draft Regulation") was published on the official website (www.kvkk.gov.tr) of the Data Protection Authority ("DPA"), and the DPA opened it to public comment between 5 May 2017 and 20 May 2017. The Draft Law is not yet in effect and may be subject to various changes before it finally comes into effect.
The purpose of this Draft Regulation is to establish the Data Controllers' Registry, which will be publicly available, under the supervision of the Data Protection Board. Furthermore, the Draft Regulation seeks to determine the procedures and principles concerning the registrations to be made with the Data Controllers' Registry and to ensure their implementation, according to the Law No. 6698 on the Protection of Personal Data ("Law No. 6698").
The basic principles that the Draft Regulation introduces may be listed as follows:
(i) The Draft Regulation sets forth a registration obligation, which is also governed by and regulated under the Law No. 6698. According to Article 5 of the Draft Regulation, before processing any personal data, data controllers will be obliged to register with the Data Controllers' Registry.
It's worth noting that, according to the same provision, data controllers who reside outside of Turkey will also be obliged to register with the Data Controllers' Registry through a data controller representative. The Draft Regulation differs significantly from the Law No. 6698 on this point. Designation of a data controller representative is not an obligation imposed under the Law No. 6698, and that law implies that the designation of a data controller representative is entirely optional; whereas the Draft Regulation renders the designation of a data controller representative mandatory. Furthermore, according to the Draft Regulation, a designated data controller representative must be "a legal entity residing in Turkey or a citizen of the Republic of Turkey."
The registration obligation imposed on foreign data controllers by the Draft Regulation also differs significantly from EU regulations. For instance, under current EU data-protection laws, the registration obligation only arises for entities which are established in a member state, or which make use of equipment located in a member state for data processing purposes. On the other hand, the Draft Regulation imposes this obligation on all data controllers residing outside of Turkey, without providing any exceptions or exclusions or limiting it based on certain criteria, which would mean that every data controller in the world, regardless of where they may be located, will be obliged to register with the Data Controllers' Registry, if the Draft Law comes into legal force in its current form.
(ii) The Data Controllers' Registry will be publicly available and the Data Protection Board will have the authority to determine the scope of its public availability and dissemination.
(iii) The information that will be required to be disclosed to the Data Controllers' Registry during the registration process will be predicated on the inventory of personal data being processed.
(iv) The information submitted to the Data Controllers' Registry and subsequently published in the Data Controllers' Registry will be taken as the basis for determining the extent of the obligation of the data controller to provide information to the data subject, to respond to the claims and requests of the data subject, and to determine the scope of the explicit consent given by the data subjects.
(v) Data controllers will be responsible for ensuring that the information submitted to the Data Controllers' Registry and published in the Data Controllers' Registry is accurate, up-to-date, and in accordance with the law. Registration with the Data Controllers' Registry will not remove or negate any other liabilities or obligations imposed on the data controllers under the Law No. 6698.
(vi) Article 16 of the Draft Regulation sets forth some exemptions to the foregoing requirements. According to Article 16, data controllers will not be obligated to register some of their activities (e.g., processing of personal data that is necessary for the prevention of a crime or for assisting crime investigations, or processing of personal data that is made public by the data subject) with the Data Controllers' Registry.
Similarly, Article 17 of the Draft Regulation stipulates certain exemption measures determined by the Data Protection Board. However, the exemption of certain data controllers from the obligation to register with the Registry by the Data Protection Board (based on the objective criteria set out under this secondary regulation) does not exempt such data controllers from their additional obligations under the Law No. 6698.
(vii) The data controllers' interactions with the Data Controllers' Registry will be conducted through "VERBIS" ("Data Registration Information System"), which is an information system that will be used by the data controllers to apply to and register with the Data Controllers' Registry and to carry out other actions related to the Data Controllers' Registry. VERBIS can be accessed through the internet, and the system will be established and administered by the DPA.
(viii) The maximum time period established for processing personal data, which is presented to and published in the Data Controllers' Registry by the data controllers, will be taken into account for determining the scope of the obligation of the data controller to erase, destroy or anonymize personal data, as per Article 7 of the Law No. 6698.
The DPA opened the Draft Regulation to public comment, obtained the views and comments of the relevant players and stakeholders in the sector, and now continues its work on finalizing the Draft Regulation. In light of the foregoing explanations, it is clear that the Draft Regulation needs certain amendments before it comes into effect, in order to be in line with the Law No. 6698 and current EU practice.
This article was first published in Legal Insights Quarterly by ELIG, Attorneys-at-Law in September 2017.