Under the Turkish Data Protection Law, all data controllers (both those established in Turkey and those established abroad) are required to register with VERBIS, subject to certain exemptions.
This requirement is set out in detail in secondary legislation, the Regulation on Data Controllers' Registry (Regulation). Further, the DPA issued a decision regarding the relevant deadlines for the registration requirement.
Before going into the details, please note that this registration requirement applies to:
- Non-Turkish controllers (foreign controllers): This group of controllers can be defined as data controllers that are not established in Turkey but collect data from Turkey or process personal data collected from Turkey as a controller. Therefore, all online gaming companies, airlines, booking providers, hotels or any other businesses that collect and process personal data from Turkey are within this category. Please note that this is not an exhaustive list and the scope is very broad.
- Turkish controllers: All controllers that are located within Turkey and have 50 or more employees or an annual balance sheet of TRY 25,000,000 or more.
For purposes of this article we will focus on the requirement for foreign controllers.
The registration requirement has been in place since 1 October 2019, and the current deadline to register is 30 June 2020. It is possible that this deadline may be extended by another three months due to COVID-19, but there is no official statement on this yet. Therefore, controllers that are within this scope must treat 30 June 2020 as the final deadline.
Please note that failing to comply with the VERBIS registration requirement may lead to:
- an administrative fine of up to TRY 1,802,000 (approx. EUR 240,000) for not registering in due time;
- a second administrative fine of up to TRY 1,802,000 (approx. EUR 240,000) for not complying with the DPA's decisions; and
- restriction of the controller's data processing activities in Turkey by the DPA with a decision.
As the worst-case scenario is restriction of processing activities of the controller, registration is a must in order to operate legally in Turkey.
Please note that there are different requirements and steps for foreign controllers and Turkish controllers.
- Appointing a representative: Foreign controllers are required to appoint a data controller representative (representative) in Turkey first. This requirement follows the same logic found in Article 27 of the GDPR. The representative must be a Turkish legal person (established in Turkey) or a Turkish natural person. Only the representative can start and finish the registration process; it is therefore not possible to start the registration process without a representative. Further, foreign controllers are also required to maintain the data controller representative for as long as the requirement to register exists. Most foreign companies have appointed their external lawyers or law firms in Turkey as the representative, because this role requires a level of legal expertise and know-how.
- Initial registration: After the appointment letter is sent to the representative, the representative has the letter validated by a notary, then visits verbis.kvkk.gov.tr and registers the foreign data controller, acting as its representative, by filling in the relevant form and providing the validated letter.
- Appointing a contact person: As a third step, the representative must appoint a contact person on behalf of the controller. The contact person must be a Turkish natural person. Please note that one person cannot be a contact person for multiple controllers.
- Final registration: As the last step, the data processing inventory (similar to the records of processing under Article 30 of the GDPR) will be entered into VERBIS by the representative. If a data processing inventory is not available, it must be prepared and must include, for each separate processing activity: details as to who the data subjects are, what categories of personal data are covered, retention periods, technical/organizational measures in place, whether there are any transfers within the country, and whether there are any transfers abroad.
Please note that this whole process usually takes around 10 business days. As such, foreign controllers must start the process no later than 17 June 2020 to comply with the requirement in time.
Please also note that foreign controllers must identify their representative in their privacy policies by stating the name, address and contact information of the representative.
The representative will act on behalf of the controller. This could include receiving DSARs and responding to them within 30 days of receipt after coordination with the controller, notifying the Data Protection Authority and data subjects about data breaches, and handling communication with the Data Protection Authority on BCRs, investigations and other issues.
Therefore, appointing the representative is not only a legal obligation but also a practical need for foreign controllers that want to conduct business in Turkey or target customers within Turkey.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.