Board Decisions on the Obligation to Register to the Data Controllers Registry
With its recent decisions published on the Official Gazette dated August 18th 2018, the Data Protection Board, the regulatory authority on data protection in Turkey (“Board”), has announced additional data controller categories exempt from the obligation to register to the Data Controllers Registry and also set forth the starting dates and deadlines of the obligation to register to the Data Controllers Registry for different categories of data controllers that do not enjoy the exemption.
This client alert aims to outline conditions to exempt from registration obligation and the specified timeframes imposed by the Board for those who are obliged to get registered.
Companies Exempt from the Obligation to Register to the Data Controllers Registry
Pursuant to the Data Protection Law numbered 6698 and the Regulation on Data Controllers’ Registry, companies did not need to apply to the Data Controllers’ Registry to be registered until the Board determines and announces exemptions from being registered with a resolution.
With its prior resolution dated 2018/32, published on the Official Gazette dated May 15th 2018 and new resolutions numbered 2018/68, 2018/75 and 2018/87, which were published on the Official Gazette dated August 18th 2018, the Board announced that (i) data controllers which process personal data through non-automatic means provided that the processing is part of a data recording system; (ii) public notaries; (iii) foundations, associations and unions which only process personal data of their own employees, members and benefactors provided that the processing is limited by their field of operations and in line with their purposes and the relevant legislation; (iv) political parties; (v) attorneys; (vi) public accountants, (vii) sworn-in public accountants, (viii) customs brokers operating under the Customs Law numbered 4458 and authorized customs brokers, (ix) Mediators, and (x) data Controllers with less than 50 employees with an annual financial balance sheet less than TRY 25.000.000.- whose field of operations is not the processing of sensitive data are exempt from the obligation to register to the Data Controllers Registry
Timeframe to Get Registered
There are four different categories of data controllers that do not fall in the scope of exemption. In that regard, the categories of data controllers that are obliged to register to the Data Controllers Registry and the designated timeframes are provided below;
|Data Controller Categories subject to Registration||Starting Date||Deadline|
|Data Controllers with more than 50 employees with an annual financial balance sheet more than TRY 25.000.000.-||01.10.2018||30.09.2019|
|Data Controllers located out of Turkey||01.10.2018||30.09.2019|
|Data Controllers with less than 50 employees with an annual financial balance sheet less than TRY 25.000.000.- but whose field of operations is the processing of sensitive data||01.01.2019||31.03.2020|
|Public institutions and organizations||01.04.2019||30.06.2020|
How to Get Prepared for Registration?
The companies that are obliged to register to the Data Controllers Registry must prepare a data inventory which includes the purposes of data processing, data categories, the data recipients, and the maximum time periods required for the purposes of processing, data to be transferred abroad and measures to be taken for data security.
The companies residing in Turkey must appoint a contact person responsible for liaising with the Board;
The companies not residing in Turkey must appoint a data controller representative which is a legal entity or a real person having Turkish citizenship who will be in communication with the Board, answer the requests addressed to the data controller and do things related to the Data Controllers Registry on behalf of the data controller; and
All companies must prepare a data preservation and destruction policy.
Consequences of Not Being Registered
Pursuant to the Data Protection Law, data controllers who fail to register to the Data Controllers Registry within the specified timeframes will be subject to administrative monetary fines in the amount of TRY 20,000.- to TRY 1,000,000.-.