On Dec, 27, 2019, the Turkish Data Protection Authority announced that the requirement for registration to VERBIS (Data Controllers' Registry) has been extended to 30.06.2020.
This is the second extension and the original deadline was September 30, 2019.
The DPA announced that the extension was made considering the large number of data controllers which were not able to prepare their data processing inventories in time.
Please note that VERBIS registration is only a procedural step towards compliance with the data protection legislation in Turkey.
The Law on Protection of Personal Data applies both Turkish Data Controllers (Controllers that are domiciled in Turkey) and to Foreign Controllers (Controllers that are not domiciled in Turkey but collect data from Turkey or process data collected from Turkey).
This extension must be seen as an opportunity for all controllers, both in Turkey and abroad, to conclude their compliance efforts with the data protection legislation.
Here are the steps that Foreign Controllers must take to avoid fines that are up to $ 300.000 and other sanctions such as restriction of data processing activities;
1- Appoint a data controller representative. Under the Regulation on Data Controllers' Registry, all foreign data controllers are required to appoint a Turkish Legal Entity or a Turkish Natural Person as their data controller representative in Turkey before commencing processing personal data.
2- Run Compliance Checks. Under Art. 12 of the Law on Protection of Personal Data ("DP Law"), it is required to run a compliance check/program to make sure that controller is compliant with the Turkish Data Protection Law. GDPR compliance is not sufficient as there are differences between the two legislation. Failure to comply may result in fines that are up to $ 300.000 which may be issued more than one time.
3- Prepare/revise privacy notices in line with Turkish DP Law. Notices based on GDPR is not compliant as there are differences in the legislation including data subject rights, legal basis' etc.
4- Prepare a Data Processing Inventory. All foreign controllers are required to prepare a data processing inventory. The inventory must identify the data subject categories, data categories, purposes, legal basis and technical and administrative measures that are taken.
5- Register with VERBIS. After appointment of the data controller representative, foreign controllers are required to register with VERBIS by June 30, 2020. Failure to do so may result in administrative fines that are up to $ 300.000 or restriction of data processing activities of the controller. Registration to VERBIS must be based on the Data Processing Inventory and the information in the Inventory must be entered into VERBIS system using the interface of VERBIS. Please note that registrant requires detailed preparation, therefore it is recommended to start the process as soon as possible.
6- Prepare Response Policies for Data Breaches. Data breach requirements are different in Turkey compared to the GDPR. Every breach must be notified to the DPA using a Data Breach Notification Form that can be found in DPA's website within 72 hours. Failure to do so may result in administrative fines.
Please see below the current deadlines for registration;
- Foreign Controllers - 30.06.2020
- Turkish Controllers with an annual employee count of 50 or more: 30.06.2020
- Turkish Controllers with an annual balance sheet of TRY 25.000.000 or more: 30.06.2020
- Turkish Controllers whose main business activity is based on processing sensitive personal data but with less than 50 employees and an annual balance sheet of less than TRY 25.000.000 - 30.09.2020
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.