Turkey: Turkish Data Protection Authority Started Enforcement Against Foreign Controllers

Recently, the Turkish Data Protection Authority ("DPA") started sending information request letters dated August 15, 2022, to foreign controllers (data controllers located outside Turkey but collect/process personal data from Turkey) that did not register with the Data Controllers' Registry ("VERBIS") by the deadline.

For background, all foreign controllers that collect data from Turkey are required to; i) appoint a local representative in Turkey and ii) register with VERBIS. The deadline for this process was December 31, 2021.

As a result, foreign controllers that missed this deadline to register or failed to register at all are now being investigated by the DPA.

For this purpose, the DPA has sent information requests to multiple foreign controllers to calculate the administrative fines that will be applied to foreign controllers based on the Law on Misdemeanours w. no. 5326.

Pursuant to Art. 17/2 of the Law no. 5326, when an administrative fine is stipulated in the legislation by providing a range (minimum and maximum), the following must be taken into consideration to determine the applicable fine:

• Level of illegality,
• Level of negligence of the perpetrator, and
• Financial status of the perpetrator.

What information is being requested?

The DPA is requesting the following information from foreign controllers to determine the fine that will be applied:

• Is the foreign controller targeting the data subjects residing in Turkey,
• Does the foreign controller have an establishment in Turkey,
• Is the foreign controller monitoring behaviours of data subjects residing in Turkey,
• Is the foreign controller process sensitive personal data of data subjects residing in Turkey,
• What is the total number of users, members, customers, daily visits and number of application downloads from Turkey,
• Global annual turnover and employee number for 2020 and 2021.

What is the timeline to provide the information?

The foreign controllers are required to respond within 15 days as of receiving the letter. Having said that, requesting time extension from the DPA is possible. If the requested information is not provided by the foreign controller in time, the DPA may impose administrative sanctions based on publicly available information and resources.

What is the actual risk for non-compliance?

The administrative sanction that the DPA may apply is between TRY 53.572 – TRY 2.678.863 (approx. USD 2.880 – USD 144.000). In addition to the administrative fine, the DPA may instruct the foreign controller to register with VERBIS. If the foreign controller fails to comply with this instruction, an additional fine between TRY 66.965 – TRY 2.678.863 (approx. USD 3.600 – USD 144.000) may be imposed.

Lastly, although unlikely, the DPA may decide to restrict the data processing operations of the foreign controller pursuant to Art. 15/7 of the Law on Protection of Personal Data.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.