Recent Development

The Turkish Personal Data Protection Authority ("DPA") published a summary of its decision issued in response to a request as to whether a foreign bank with a representative office in Turkey might be deemed a data controller within the scope of the Law No. 6698 on the Protection of Personal Data ("DPL"), and whether the bank might be obliged to register with the data controllers' registry (VERBIS). The DPA confirmed that the foreign bank would be a data controller under the Data Protection Law and would therefore be obliged to register with VERBIS.

The DPA's full announcement is available online here (in Turkish).

What Does the Decision Say?

The DPA referred to the prohibitions under Turkish laws preventing representative offices of foreign banks from providing banking services while indicating that representative offices are still allowed to conduct communication and marketing activities for the foreign banks. The DPA then provided the following points and arguments:

  • The foreign bank itself appears to be processing the personal data of individuals resident in Turkey as part of its financial services. The processing of personal data by the representative office cannot be separated from the activities of the relevant foreign bank as the processing benefits the activities of the relevant foreign bank.
  • In similar manner, the General Data Protection Regulation of the EU ("GDPR") also applies to entities outside the territorial scope of the GDPR, if these entities have an office within the GDPR territory and that office increases the revenues of the main entity.
  • Considering the permanent existence of the representative office in Turkey, it is not possible to accept that the DPL would not apply because the bank is established outside of Turkey and the processing takes place abroad, since this interpretation would contradict the purpose of the DPL.
  • The Regulation on the Data Controllers' Registry indicates that data controllers outside of Turkey (foreign data controllers) should register with VERBIS before processing personal data of individuals in Turkey.
  • The DPA's decision on the notification of data breaches also indicates that data controllers outside of Turkey should notify the DPA if the breach affects individuals resident in Turkey who benefit from the goods and services in Turkey.

Consequently, the DPA determined that the foreign bank is a data controller under the DPL and is obliged to register with VERBIS due to the bank's permanent existence in Turkey through its representative office.

Conclusion

The DPA confirmed once more that the application of the Turkish data privacy regulations and the requirements therein are not limited to the borders of Turkey; and that the DPL, its secondary legislation and the DPA's authority might have extraterritorial application if the processing relates to individuals in Turkey. The DPA also clarified that having a representative office in Turkey is a clear indication of the foreign entity's status under the DPL as a foreign data controller.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.