As our readers will recall from our coverage of the new Turkish "Data Protection Law", one of the main obligations of data controllers is to register with a publicly available Data Controllers' Registry ("Registry"); non-compliance with this obligation may lead to administrative fines of up to c. €250,000.
The Regulation on Data Controllers' Registry (the "Regulation"), yet another anticipated regulation to be drafted within the framework of the Data Protection Law, was published in the Official Gazette no. 30286, dated 30 December 2017.
Below is a brief summary of the key points introduced by the Regulation.
Obligation to register with the Registry
The Regulation requires data controllers to register with the Registry before they engage in any personal data processing activities. The Registry will be an online database and the applications thereto shall be accepted through an electronic system called VERBIS (i.e. data controllers' registry information system). The data controllers are also obliged to keep their entry in the Registry up-to-date and notify the DPA of any changes within 7 days, again, through VERBIS.
The following information and documents shall be provided to the DPA within the registration application ("Required Information and Documents"):
- Identity and contact information of the contact person or representative along with the other information requested by the Turkish Data Protection Authority ("DPA") within the application form;
- Purposes for which personal data will be processed;
- Data subject groups and explanations regarding the data categories in relation to those persons;
- Recipient groups to whom personal data may be transferred;
- Personal data which is envisaged to be transferred abroad;
- Data security measures implemented by the data controller;
- The maximum period of time (i) necessitated by the purposes for which personal data are processed or (ii) designated by the legislation.
Within the framework of the above, the data controllers will need to (i) appoint a contact person and, if the controller resides abroad, a representative, (ii) prepare a Personal Data Processing Inventory, and (iii) draft a Personal Data Retention and Destruction Policy.
Contact Person and Representative
The Regulation provides that each data controller shall designate a contact person who will facilitate the communication between the data controller and the DPA. The contact person is required to be a natural person.
The contact person can be appointed directly by the data controller if such controller resides in Turkey. However, the data controllers residing outside Turkey shall appoint and duly authorise a representative who is either (i) a legal entity resident in Turkey or (ii) a natural person who is a Turkish citizen. The contact person can then be appointed by the representative.
As mentioned above, the identity and contact information of the contact person and the representative, if any, shall be notified to the DPA within the registration application.
Personal Data Processing Inventory
The Regulation refers to a Personal Data Processing Inventory ("Data Inventory") on several occasions and defines it as an inventory prepared and detailed by the data controllers by way of associating their personal data processing activities with their processing purposes, data categories, recipient groups, and data subject groups. The Data Inventory is also required to include the maximum period of time for data processing and the data security measures implemented by the controller.
The Data Inventory will be shared with the DPA within the registration procedures, providing most of the Required Information and Documents to the DPA.
Personal Data Retention and Destruction Policy
The data controllers who are under the obligation to register with the Registry shall be required to draft and implement a company-wide "Personal Data Retention and Destruction Policy". This policy will need to be drafted in accordance with the guidance provided by another regulation, namely Regulation on Deletion, Removal, or Anonymization of Personal Data, which we covered recently in a client alert.
The Regulation also provides guidance as to the criteria to be taken into account in determining the maximum time periods for storing personal data.
What is next
The publication of the Regulation in the Official Gazette does not mean that the registration obligations are due. This is because the Data Protection Law requires a separate announcement from the DPA, informing the data controllers that they are expected to register with the Registry along with a timeframe for the registration. The DPA is likely to make such an announcement in the upcoming months.
We recommend that our clients start working on their Data Inventories as soon as possible and implement an organisation-wide compliance program in order to address their obligations stipulated under the Data Protection Law.
ErsoyBilgehan is ready to assist its clients in achieving sustainable compliance by building a data protection program which creates firm procedures as well as a proactive corporate culture, enabling businesses to respond effectively to privacy-related matters. Such assistance includes, among others, the registration obligations mentioned above.
We offer a wide range of solutions for compliance with the Data Protection Law, which are fine-tuned to the unique needs and characteristics of our clients.