One of the main obligations of the data controllers under the Turkish Personal Data Protection Law ("PDPL") is to register with a publicly available Data Controllers' Registry through an online information system called "VERBIS". For certain data controllers, this obligation is due by 31 December 2019.
What is VERBIS?
VERBIS is an online system where the data processing activities notified by the data controllers will be made public. The purpose of VERBIS is to promote transparency in the controllers' processing of personal data.
Which controllers are required to register by 31 December 2019?
31 December 2019 is the final deadline for:
- The controllers who employ more than 50 employees annually or whose total yearly assets on the balance sheet exceed TRY 25,000,000 (ca. EUR 4,000,000);
- The controllers residing outside Turkey who are caught by the territorial scope of the PDPL. The thresholds do not apply in the case of the controllers residing abroad.
Are there any exemptions?
Yes, there are exemptions. However, these are very limited and mostly do not cover commercial enterprises. Some of the exempted controllers are notaries, political parties, lawyers, and public accountants.
What are the potential fines for non-compliance?
Non-compliance with the registration obligations may lead to administrative fines from TRY 29,000 (ca. EUR 4,500) up to TRY 1,470,000 (ca. EUR 230,000).
Particularly for controllers residing in Turkey, the thresholds for registration are quite straightforward, as the number of employees and the total yearly balance are both objective criteria. This means that the Turkish Personal Data Protection Authority ("DPA") can make use of a data-driven assessment once the deadline has passed and easily determine the controllers who should have registered. Indeed, the DPA declared in the "VERBIS Q&A" that it will actively identify the controllers who did not register in due time and that it will impose administrative fines accordingly.
What needs to be done?
Controllers are essentially required to (1) sign up with VERBIS, (2) appoint a "contact person" via VERBIS, and (3) have their contact person notify their processing activities to the DPA through VERBIS.
For the purposes of step (3), controllers will need to carry out factual due diligence to identify their processing activities. This is because the controllers are expected to submit their processing activities to VERBIS in detail, including:
- Identity and contact information of the "contact person" and/or "data controller representative";
- Types of personal data collected (e.g. identity, contact, location, financial);
- Processing purposes;
- Data subject types (e.g. employee, customer, vendor);
- Types of third parties to which personal data are transferred (e.g. public authorities, vendors, shareholders, affiliates);
- Cross-border transfers;
- Retention periods;
- Data security measures implemented by the data controller.
The above information will not be provided as a simple list but instead in the form of a table in which the items are linked to each other. We provide below a sample notification for a very simple data processing activity:

| Type of Data | Processing Purpose | Data Subject | Transfer to Third Parties | Cross-border Transfers | Retention Period |
|---|---|---|---|---|---|
| Identity data | To comply with legal obligations | Employee | Public authorities | No | 10 years |
Finally, any controller residing outside Turkey who is caught by the territorial scope of the PDPL will first need to appoint a "data controller representative," who must be a legal entity residing in Turkey or a natural person who is a Turkish citizen. This representative will then appoint the contact person on behalf of the controller.