Obligation to register with the Data Controllers Registry and Applicable Exemptions
The Turkish Data Protection Law (the "Law") stipulates that all data controllers must register with the Data Controllers Registry ("Registry") unless they are exempt from doing so.
The Turkish Data Protection Board ("DPB") had already announced those exempt from having to register with the Registry in its decision of 2 April 2018. Please see our E-Alert where further information can be found.
Timelines for Registration with the Registry
The DPB was then expected to announce the start date and timeline for those entities it had not exempted to register with the Registry.
As expected, on 19 July 2018, the DPB announced its decisions about when the period for registration would begin and the ensuing timeline.
Various dates and timelines applicable in this regard. These differ, for example, according to the number of employees or the annual turnover of the data controller in question.
Further details about the timeline are outlined below:
| Type of Data Controller | Starting Date | Applicable Period | Deadline |
| Natural persons and legal entities who employ more than 50 employees annually or who have an annual balance-sheet total exceeding 25,000,000 Turkish Liras (approximately 3,300,000 Euros) | 01.10.2018 | 12 months | 30.09.2019 |
| Natural persons and legal entities residing abroad | 01.10.2018 | 12 months | 30.09.2019 |
| Natural persons and legal entities who employ fewer than 50 employees annually and who have an annual balance-sheet total of less than 25,000,000 Turkish Liras (approximately 3,300,000 Euros) but whose principle activities involve processing sensitive data ("özel nitelikli veri") | 01.01.2019 | 15 months | 31.03.2020 |
| Public institutions and organizations determined to be data controllers | 01.04.2019 | 15 months | 31.03.2020 |
Conclusion:
The DPB has granted a rather lengthy period for the various types of data controller to register with the Registry. As a result, the data controllers covered by the decision have ample time to register with the Registry and avoid breaking the Law.
On the other hand, the wording of the decision implies that the DPB has not yet determined deadlines for the types of data controller not specified in this decision. For instance, entities that employ fewer than 50 employees annually and have an annual balance-sheet total of less than 25,000,000 Turkish Liras (approximately 3,300,000 Euros) but which do not process any sensitive personal data are not covered by this decision and so a specific deadline is not available for them.
For this reason, we expect the DPB to continue to announce further decisions about the registration deadlines for the remaining data controllers and provide further clarification.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
