It is easy to say that every day is exciting and full of wonders for people who are concerned about data protection in Turkey. Following the adoption of the Turkish Data Protection Law ("Law") which presents significant attributes of the EU Directive 95/46/EC ("Directive"), the newly established Data Protection Board ("Board") is working swiftly to bring data protection practice into reality for everyone, hence, taking decisions regarding significant issues on a regular basis.
Timeline for Entities to Register to the Data Controllers Registry
According to the subparagraph 2 of the Article 16 of the Law, anyone intends to process data shall be registered to the Data Controllers Registry ("DCR") before the start of their operations, and the Board has the power to exempt entities from this obligation on objective criteria. Additionally, as per the subparagraph 2 of the Provisional Article 1 of the Law, data controllers are obliged to comply with the timeline presented by the Board to register to the DCR. As expected, the Board recently published its decisions which introduce the timelines for data controllers to conclude their registration proceedings before the DCR. As it can be seen from the below table, while defining the due dates for data controllers for registration, the Board divided timelines based on certain criteria:
| Timeline for Entities to Register to the Data Controllers Registry | |||
| Data Controller | Start of the Registration Requirement | Time for Registration | Due Date for Registration |
| Real and legal persons whom their annual number of employees is exceeding 50, or whom their annual financial balance total is exceeding TRY25MM | 01.10.2018 | 12 months | 30.09.2019 |
| Real and legal person data controllers residing abroad | 01.10.2018 | 12 months | 30.09.2019 |
| Real and legal persons whom their annual number of employees is below 50, and whom their annual financial balance total is below TRY25MM, but whom their main area of practice is processing sensitive data | 01.01.2019 | 15 months | 31.03.2020 |
| Data controllers who are state institutions | 01.04.2019 | 15 months | 30.06.2020 |
New Exemptions from the Requirement to Register
Apart from the timeline decision, the Board also published its decisions exempting certain entities from the requirement to register to the DCR, as per the subparagraph 2 of the Article 16 of the Law. Accordingly, the Board excluded the following from the requirement to register to the DCR:
- Real and legal persons whom their main area of focus is not processing sensitive data, and whom their annual number of employees is not exceeding 50, and whom their annual financial balance total is not exceeding TRY25MM,
- Mediators,
- Customs brokers and authorized customs brokers operating according to the Turkish Customs Law numbered 4458,
It shall be noted that the above stated entities are still required to comply with the rules of the Law while processing data, since being exempt from registration requirement is one thing and following the rules of the Law while processing data is another.
Decision Summaries
Apart from the decisions containing general rules like above stated, the Board also keeps publishing decision summaries where it fines the entities failing to comply with the Law.
In one of these decisions, a data subject requested to deletion of an opinion column where his name was mentioned. But the Board refused to take action in this case, stating that such use of data shall be considered within the freedom of press, since the data subject is still in a position involving public interest.
Another decision is containing an administrative fine imposed by the Board. In this case, medical report of a data subject has been made public on the internet, and the Board decided that the data controller shall have been taken necessary security protocols, therefore, data controller is subjected to an administrative fine as per the item (c) of the subparagraph 1 of the Article 12 of the Law.
Lastly, the Board published a decision summary which is crucial for the group of companies, where the data controller failed to comply with the subparagraph 1 of the Article 12 of the Law and bound by administrative fine. In this case, a group company shares the data of a person who applied for a job with another group company, where the Board decided that the data transfer between group companies will be construed as data transfer to a third party, and therefore a group company shall comply with the Article 8 of the Law. In some cases, we see Turkish authorities and the courts tend to consider the group of companies as one entity, but this decision shows that the Board is not one of them.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
