Regulation on Data Controllers Registry
On December 30, 2017, the Regulation on Data Controllers’ Registry (“Regulation”) was announced in the Public Gazette, and it became effective as of January 01, 2018.
This client alert summarizes the steps that companies must take to comply with the Regulation and the Data Protection Law (“Law”).
What is a Data Controllers Registry?
It is a platform, open to the public, where data controllers are registered and record the data processing they are engaged in. The Data Controllers Registry does not specifically contain any personal data but contains personal data groups/segmentations (e.g. employee data, customer data, patient data, etc.).
Timeframe to get registered – Can our company be exempt from registration?
Although the Regulation is effective as of January 01, 2018, companies do not need to apply to the Data Controllers’ Registry to be registered, since the Law states that the Data Protection Board (“Board”) will determine the exemptions from registration and the Board's resolution is required to be announced. Once the resolution and the start date of the registration obligation are announced, companies will determine whether or not they fall within an exemption and will then proceed with registration if required.
Registration will take place electronically through the Data Controllers Registry Information Technology (VERBİS).
How to Get Prepared For Registration?
- Prepare a data inventory: As per Article 4 of the Regulation, the inventory must include the purpose of data processing, data category, the data recipients, and the maximum time period required for the purpose of processing, data to be transferred abroad and measures to be taken for data security. The data inventory must be easy to understand and must reflect correct information.
- Appoint a contact person for companies residing in Turkey: Companies residing in Turkey must appoint a contact person responsible for liaising with the Board, and information regarding the contact person must be registered with the Data Controllers Registry.
- Appoint a data controller representative for companies not residing in Turkey: Companies not residing in Turkey must appoint a data controller representative who will communicate with the Board and the Authority, answer the requests addressed to the data controller and carry out matters related to the Registry on behalf of the data controller. The data controller representative must be either a Turkish legal entity or a real person having Turkish citizenship. For registration, the data controller must submit to the Registry a resolution, taken by the authorized body of the controller, appointing the data controller representative with the minimum required authorities to act on behalf of the data controller in Turkey.
- Prepare data preservation and destruction policy: Data controllers who are subject to the registration obligation as per the Regulation are also obliged to prepare a personal data preservation and destruction policy. This means that once the Board renders its resolution regarding exemptions from registration, companies that fall under the registration obligation will be obliged to prepare a personal data preservation and destruction policy.
Consequences of not Being Registered
The Law states that data controllers who are under a duty to register but are not registered will be subject to an administrative monetary fine in the amount of TRY 20,000 to TRY 1,000,000. The Board will determine the fine according to the breach, but the details of how the amount will be calculated have not yet been determined.