The Turkish Data Protection Authority ("DPA") recently published its decision regarding registration obligations of the branches and liaison offices of foreign entities in Turkey in the Data Controllers' Registry ("VERBIS"). The decision was issued by the DPA on July 23, 2019, with number 2019/225, in response to an opinion request from the authority.
The DPA divides its decision into three sections and evaluates the registration obligation separately in terms of (i) legal entities residing abroad, (ii) the branches of such foreign legal entities located in Turkey, and (iii) the liaison offices of such foreign legal entities located in Turkey.
(i) Registration Obligations of Legal Entities Residing Abroad
The DPA refers to Article 3 of the Law No. 6698 on the Protection of Personal Data ("Law No 6698") and defines a data controller as "[t]he natural or legal person who determines the purposes and means of the processing of personal data, and who is responsible for the establishment and management of the filing system." Thus, data controllers can be real persons or legal entities, such as companies, associations or foundations.
According to the DPA, in order to identify a data controller, the following factors must be examined: Whether the natural or legal person is,
i. Identifying the purposes and means of processing personal data,
ii. Responsible for the establishment and management of the data registration system,
iii. Deciding on the legal basis for obtaining personal data, which personal data will be processed for which purposes, methods of obtaining personal data, types of personal data to be processed, whose personal data will be processed, whether the right to access and other rights of data subjects are used, whether personal data will be shared/transferred and, if so, to/with whom personal data will be transferred/shared, and the retention period of personal data.
In addition to the foregoing, the DPA states that any legal obligations imposed on the relevant entity separately from the headquarters/main office of the said entity, and existence of any terms and conditions of their own imposed on the data subjects, are also crucial for determining the data controller. The DPA declares that the scope of activities should be evaluated carefully when determining the establishment of a branch or liaison office.
(ii) Registration Obligations of the Branches of Legal Entities Located Abroad
As for the branches of the legal entities located abroad, the DPA refers to several pieces of legislation under Turkish law (i.e., the Turkish Commercial Code, the Law on Chambers and Commodity Exchanges, the Banking Law) for the definition of "branch" and concludes that, for an entity to be considered a branch, it is necessary to consider the following criteria:
i. Being dependent on the headquarters:
The branch and headquarters/main office must be owned by the same real person or legal entity. The branch cannot have a separate management policy; thus, the profit and loss of the branch should belong to the headquarters. According to the DPA, the rights and obligations arising from the activities of the branch should belong to the headquarters as well.
ii. Independence in external relations:
According to the DPA, independence in external relations means that the branch has the authority to conduct transactions with third parties on its own.
iii. Separation of place and management:
Separation of management means that the branch should have a separate management, which has the authority to conduct commercial transactions on its own.
The DPA further provides the relevant articles of the European Union's General Data Protection Regulation ("GDPR") regarding branches. The DPA states that, according to Article 3(1) of the GDPR, it does not matter whether the branch or liaison office located in the EU itself handles the personal data; a foreign entity is subject to the provisions of the GDPR, if its branch or liaison office in the EU processes personal data within the framework of its activities. The DPA also refers to Article 4 of the GDPR, which defines the data controller as "the natural or legal person, public authority, agency or other bodies which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law."
The DPA further indicates that, although it is necessary to be a legal entity or real person for the purposes of the registration obligation, and even if the Turkish branches of legal entities located abroad do not have a separate legal personality, they can be evaluated as data controllers, since they are independent from the headquarters in terms of processing personal data. This is based on Article 40 of the Turkish Commercial Code, which states that branches are registered as legal entities, and Article 4 of the GDPR, which does not require data controllers to be legal entities.
(iii) Registration Obligations of Liaison Offices of Legal Entities Residing Abroad
In this section, the DPA refers to the Foreign Direct Investment Law No. 4875, which allows entities residing abroad to establish liaison offices in Turkey, provided that such liaison offices do not carry out commercial activities in Turkey.
In light of the foregoing, the DPA concluded that:
- Those legal entities residing abroad which process personal data directly or through their branches in Turkey are obliged to be registered in VERBIS,
- The Turkish branches of foreign legal entities are also considered as data controllers, if (i) they identify the purposes and means of processing the personal data, (ii) they are responsible for the establishment and management of the data registration system, and (iii) they decide on the legal basis for obtaining personal data. In this regard, the decision on whether the branches are obliged to register in VERBIS will be evaluated with respect to the criteria of "annual number of employees" and "total balance of their annual financial statements," which are determined under the DPA's decisions numbered 2018/88191 and 2019/265.20.2
- Liaison offices of foreign legal entities residing abroad are not subject to the registration obligation, since they do not conduct commercial activities in Turkey, and since they are established only for the purposes of communication, feasibility research, conducting social and cultural studies, making preparations for mergers and acquisitions between companies, and for promotional purposes.
This article was first published in Legal Insights Quarterly by ELIG Gürkaynak Attorneys-at-Law in March 2020.