Recently, there have been remarkable developments in the Turkish jurisdiction with respect to the registration obligations of data controllers. The Turkish Personal Data Protection Authority ("DPA") has launched the long-awaited Data Controllers Registry Information System ("VERBIS"), through which data controllers will enroll to the Data Controllers' Registry. Meanwhile the Turkish Data Protection Board ("Board") has published two important decisions, one of which concerns the grace periods for registration (Decision No. 2018/88) and the other of which addresses exemptions from the registration obligation (Decision No. 2018/87).
Under the Turkish Data Protection Law ("DP Law"), real persons and legal entities processing personal data are obliged to enroll to the Data Controllers' Registry ("Registry") prior to processing data. The procedures and principles with regard to the registry have been stipulated under the Regulation on Data Controllers' Registry ("Regulation"). According to the Regulation, all transactions regarding the registry should be conducted by the data controllers through VERBIS, an online platform. Although the Regulation was published in 2017, VERBIS was not yet established, and it was not de facto possible to enroll to the Registry at the time.
VERBIS went live on October 1, 2018. Simultaneously, the DPA published a privacy notice and explained that the information provided by data controllers during their registration to VERBIS (e.g., name, tax number, representative's personal information, etc.) would only be used by the DPA in relation to the registration obligation, and that data subjects may apply to the DPA, which will be acting as the data controller in terms of such information, regarding the use of their data. In order to access VERBIS, data controllers are first required to sign up to the system by filling up a form. There are three different categories in VERBIS for data controllers: (i) real person or legal entity residing in Turkey, (ii) real person or legal entity residing abroad, and (iii) public institutions. The information and documents requested from the data controllers differ based on this tripartite categorization.
As for the deadline to register, the DP Law states that registration should be completed before commencing any data-processing activities. However, as VERBIS has only recently been launched, the Board issued a decision and provided various grace periods for the data controllers to complete their registrations. The Board determined and published the following time periods for data controllers' compliance with their registration obligations:
(i) between October 1,2018 and September 30,2019, for data controllers whose number of yearly employees exceeds fifty (50) or whose annual financial balance sum exceeds twenty-five million Turkish Lira (TL 25.000. 000),
(ii) between October 1,2018 and September 30, 2019, for data controllers who are resident/established abroad,
(iii) between January 1,2019 and March 31, 2020, for data controllers whose number of yearly employees is less than fifty (50) and whose yearly financial balance sum does not exceed twenty-five million Turkish Lira (TL 25.000. 000), but whose main business activity concerns the processing of special categories of personal data,
(iv) between April 1,2019 and June 30,2020, for data controllers who are public entities or public institutions.
There was also some uncertainty as to whether this registration obligation would be applicable to all real persons and legal entities processing personal data, as the DP Law indicated that, in some cases, the Board may provide exemptions to the obligation to enroll to the Registry. Recently, the Board issued an important decision (No. 2018/87) to clarify the scope of the registration obligation.
According to the Board's Decision No. 2018/87, data controllers whose number of yearly employees is less than fifty (50) and whose annual financial balance sum does not exceed twenty-five million Turkish Lira (TL
25,000,000) will be exempt from the registration obligation, as long as their main business activity does not involve the processing of special categories of personal data.
As we are still within the grace periods provided by the Board at the time of writing, we might hear further developments and clarifications from the DPA in the upcoming days as to the registration obligation, and data controllers might need to follow these developments closely in order to ensure full compliance with the Turkish data protection laws.
This article was first published in Legal Insights Quarterly by ELIG Gürkaynak Attorneys-at-Law in December 2018. A link to the full Legal Insight Quarterly may be found here.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.