As per the Article 16 of the Data Protection Law, Data Controllers and natural or legal persons who process personal data are required to register to the Data Controllers Registry (“Registry”). The article also stipulates that conditions and procedures regarding Registry will be determined by a regulation. Accordingly, the new regulation on Data Controllers Registry is published in Official Gazette on December 30, 2017 and entered into force on January 1, 2018. You may find below our explanations on the steps to be taken by companies to comply with the Regulation on Data Controllers Registry including the exemptions recently announced by Personal Data Protection Board (“Board”) with the Resolution on Exemptions of Registration to the Data Controllers Registry.
I. LEGAL BACKGROUND
Data Protection Law numbered 6698 (published in the Official Gazette dated April 7, 2016 and numbered 29677) (the “Law”);
Regulation on Data Controllers Registry (published in the Official Gazette dated December 30, 2017 and numbered 30286) (the “Regulation”);
Board’s Resolution on Exemptions of Registration to the Data Controllers Registry (published on April 2, 2018 and numbered 2018/32) (the “Decision”).
II. DATA CONTROLLERS REGISTRY
According to the Regulation, Data Controller is a natural or legal person who determines the purposes and means of the processing of personal data, and who is responsible for the establishment and management of the filing system. Data Controllers and natural or legal persons who process personal data are required to register to the Registry. Therefore, Data Controllers Registry Information System (“VERBIS”) is the online electronic system of the Registry which will be established for the registration of the personal data and applications and registrations shall be made through this system. Under the supervision of the Board, Registry shall be kept in a publicly available manner. In case the activity which requires registration with the Registry, no longer exists, Data Controller shall make an application through VERBIS and the registry shall be deleted. According to the Law, registration and recording obligation of the Data Controllers shall start prior to commencing processing. However, VERBIS system has not been established yet. According to the provisional Article 1 of the Law, the registration obligation shall start when the Board announces and VERBIS becomes operational.
In the event the Data Controller fails to apply to the Registry due to an operational, technical or legal impossibility, he/she may request no longer than thirty-day extension period for the application to the Registry. Data Controller shall request such extension within seven days starting from the cause of impossibility has arisen.
Data Controllers shall also prepare and ensure enforcement of personal data retention and destruction policy in order to determine maximum period of time required for the purpose of data processing and to monitor conformity with the schedule.
The following information shall be provided to the Registry:
- Identity and address information of the Data Controller and (i) if the Data Controller is a legal entity located at Turkey information related to the contact person or (ii) if the Data Controller is non-resident in Turkey information related to the Data Controller Representative and notarized copy of the decision regarding appointment of the Data Controller Representative which must include the authority to receive and accept notifications and correspondences, to organize communication between the Board and the Data Controller, to receive and forward amendment applications and to conduct Registry transactions;
- Purposes of data processing;
- Data subject group(s) and data categories related to these people;
- Receiver or receiver groups that the personal data may be transferred;
- Personal data which is estimated to be transferred abroad;
- The maximum period of time required for the purpose of data processing data or set forth in relevant law.
Data Controllers are responsible from the information provided and announced by the Registry and ensure that the provided information is complete, accurate, up to date and in compliant with the law. In case of any change occurs in provided information, Data Controller is obliged to notify the Board within seven days.
III. OBLIGATIONS OF DATA CONTROLLER, DATA CONTROLLER REPRESENTATIVE & CONTACT PERSON
For legal entities, Data Controller shall be the legal entities itself. Obligations of the Data Controller shall be carried out by the body which has the authority to represent and bind the company or the person determined by law for the legal entities which are incorporated in Turkey and correspondences shall be made through the contact details provided to the Registry. These legal entities will register the details of the contact person during the registration. According to the Regulation a contact person is not authorized to represent Data Controller but shall only be responsible from providing communication support regarding requests raised against the Data Controller.
If the Data Controller resides abroad, a Data Controller Representative should be appointed.
As per the Article 15 of the Regulation, in case of one of the following situations exist Data Controller shall be exempted from registering to the Registry:
- If the processing personal data is necessary for a criminal investigation or in order to prevent a crime;
- If the personal data is made available to public by the data subject;
- In case of the personal data processing is required for governmental institutions and organizations in order to conduct audit and regulation activities, initiate disciplinary or legal proceedings; or
- In the event of personal data processing is necessary to protect interest in budget, tax and financial issues.
In addition, the Board may decide exemption to registration by considering criteria’s such as; nature of the personal data, number of personal data, purpose of processing personal data, operation area of the personal data, transfer of the data to third parties, data processing obligation arising from regulations, period of time to keep personal data, data subject group or data categories. Additional exemptions are recently announced by the Board and explained in detail below.
V. RECENTLY ANNOUNCED EXEMPTIONS
Board’s Resolution on Exemptions of Registration to the Data Controllers Registry (“Resolution”) is published on April 2, 2018. Pursuant to Article 16 of the Regulation exemption to registration shall be decided by the Board and announced at the Official Gazette and the Board’s official website.
According to the Resolution the following Data Controllers shall be exempt from registration requirement:
- Data Controllers which process data only manually on the condition that such processing is part of a data recording system;
- Notary Publics;
- Provided that they process data within scope of their regulations and purposes limited with their field of activity and the personal data is related to their employees, members and donators; (i) Associations established according to the Law on Associations dated October 4, 2004 and numbered 5253, (ii) Foundations established pursuant to the Law on Foundations dated February 20, 2008 and numbered 5737, (iii) Trade unions established in accordance with the Law of Trade Unions and Collective Labour Agreement dated September 18, 2012 and numbered 6356;
- Political parties established according to the Law on Political Parties dated April 22, 1983 and numbered 2820;
- Attorneys which performs duty according to the Attorney’s Law dated March 19, 1969 and numbered 1136;
- Certified public accountants and sworn-in certified public accountants which performs duties according to the Law on Certified Public Accountancy and Sworn-in Certified Public Accountancy dated June 1, 1989 and numbered 3568.
The information provided in this article is general and may not apply in a specific situation. Legal advice should always be sought before taking any legal action based on the information provided. The information is not intended create, nor does receipt of it constitute, an attorney-client relationship.
For any questions regarding the article, please contact us: