Article 16 of the Data Protection Law introduced an obligation for data controllers to register with the Data Controllers’ Registry.
In 2018, the Board issued decisions granting exemptions from the registration obligation to certain professional groups, associations and political parties. The Board also granted a general exemption to local data controllers that have fewer than 50 employees and less than TRY 25 million on their balance sheets.
Data controllers residing abroad are also required to be registered with the Data Controllers’ Registry so long as they process personal data in Turkey.
The most important obligation regarding the Data Controllers’ Registry is that a data controller must prepare a personal data inventory before registering; in other words, a type of data mapping of the data controller.
While preparing the data inventory, every data controller must thoroughly review its activities and determine the purposes of the processing activity, the category of personal data, the recipients, retention periods, international transfers, data security measures, and the legal grounds for data processing.
Data controllers residing in Turkey must appoint a contact person. It is important to note that the Turkish subsidiaries of foreign companies must also appoint a contact person if such subsidiaries process personal data (however minimal their workforce in Turkey is). This individual’s name and contact details will be published online, and they will be responsible for establishing communication between the data subjects and the data controllers.
Furthermore, data controllers residing outside of Turkey must appoint an authorised representative. The representative may be either a legal entity or an individual. The appointment of the representative must be made with a resolution of the data controller, which needs to be notarised and apostilled (or otherwise legalised). The representative will act as a point of contact for the data controller in relation to its dealings with the Board, the DPA and the data subjects. If a legal entity is appointed as the representative, a real person must also be appointed by the foreign data controller as the contact person.
Data controllers who do not fulfil the obligation to register with the Data Controllers’ Registry will be subject to an administrative fine of between TRY 36,050 and TRY 1,802,640. (Based on the updated amounts of 2020.)
First published by Gün + Partners on 18.09.2020