On April 28, 2019, certain amendments were made to the Communiqué on the Principles and the Procedures to be followed in the Fulfillment of the Obligation to Inform, the Regulation on Deletion, Destruction and Anonymization of Personal Data and the Regulation on Data Controllers' Registry.
The amendments in respect to the Communiqué are as follows:
- The amendment provided a brief and
shortened definition for the "Data Controller Registry
Information System" (VERBIS) as "the
registrar system where the personal data is registered following a
structuring in accordance with certain criteria", to
align it with the definition under the Law numbered 6698 on the
Protection of Personal Data.
- The sub paragraph (c) of Article (5), stipulating that in case the personal data is processed in different units of a data controller for different purposes, the obligation to inform must be performed at each unit of the data controller separately, was deleted.
The main changes regarding the Regulation on Data Controllers' Registry are as follows:
- Definitions with respect to the
"contact person" and the "personal data processing
inventory" were revised. In the previous version of the
Regulation, a "contact person" definition was used to
refer to the legal person data controllers whom will be notified to
the Registry of Data Controllers (the
"Registry") by the
representative of the data controller. The amendment provided that
(i) for the natural and legal person data controllers residing in
Turkey, the data controller itself will notify the details of their
contact person to the Registry and (ii) for the non-resident
natural and legal person data controllers, the representative of
the data controller will notify the details of their contact person
to the Registry.
- The scope of the "personal data processing inventory" definition was extended to cover "the legal grounds for personal data process and the maximum storage period for personal data process purposes", in addition to the personal data process activities, personal data process purposes, data categories, the recipient group, the personal data which will be transferred to abroad and the measures for data security. This amendment was also introduced in the Regulation on Deletion, Destruction and Anonymization of Personal Data published on the same date.
- Data controllers, required to register to the Registry, are obliged to prepare a personal data processing inventory.
- Information relating to the contact person are excluded from the list of relevant information that will be provided to the Registry. Therefore, the contact person information will no longer be disclosed to third persons and be publicly available.
- Under the previous version of the Regulation it was indicated that in case of any changes in the information provided to the Registry, such changes would be notified to the Board within 7 days. The amendment clarified that such period of 7 days will start from the date of the relevant change.
Further to the aforementioned amendments, on April 30, 2019 the Personal Data Protection Authority published a "Guideline for Preparing a Personal Data Processing Inventory" that provides relevant information to the data controllers in performance of their duty regarding the preparation of personal data processing inventory. This guideline refers to several topics such as persons who are obliged to prepare an inventory, content of inventory, stages of inventory preparation and also contains a sample inventory.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.