Pursuant to Article 16 of the Data Protection Law, an obligation to register in the Data Controllers Registry has been introduced for data controllers.
In 2018, the Board issued decisions granting exemptions from registration obligation to certain professional groups, associations, and political parties. The Board also granted a general exemption to local data controllers that have less than 50 employees, and actively less than TRY 25 million on their balance sheets.
Data controllers residing abroad are also required to be registered with the Data Controllers’ Registry, so long as they process personal data in Turkey.
The most important obligation regarding the Data Controllers’ Registry is that a data controller must prepare a personal data inventory before registering; in other words, a type of data mapping of the data controller.
Every data controller must make a thorough review of its activities, determine the purposes of the data processing activity, category of personal data, the recipients, retention periods, international transfers, data security measures, and legal grounds for data processing, while preparing data inventory.
Data controllers residing in Turkey and meeting the above-mentioned conditions for registration obligation to the Data Controllers' Registry must appoint a contact person. It is important to note that the Turkish subsidiaries of foreign companies meeting the above-mentioned required conditions for registration to the Data Controllers' Registry must also appoint a contact person if such subsidiaries process personal data. This individual’s name and contact details will be published online, and they will be responsible for establishing the communication between the data subjects and the data controllers.
On the other hand, data controllers residing outside of Turkey must appoint a data controller representative. The representative may be either a Turkish resident legal entity or a Turkish national individual. The appointment of the representative must be made with a resolution of the data controller, which needs to be notarised and apostilled (or otherwise legalised). The representative will act as a point of contact for the data controller in relation to its dealings with the Board, the DPA and the data subjects. If a legal entity is appointed as the representative, a real person must also be appointed by the foreign data controller as the contact person.
Data controllers who do not fulfil the obligation to register with the Data Controllers Registry will be sentenced with an administrative fine of between TRY 39,334 and TRY 1,966,857. (Based on the updated amounts for 2021.)