Data protection officer (“DPO”) is a concept regulated under the General Data Protection Regulation (“GDPR”), which came into force in May 2018 in the European Union. The purpose of regulation of the DPO is to appoint a person who will be responsible for monitoring compliance of data controllers with data protection legislation. The GDPR imposes an obligation to appoint a data protection officer on data controllers who meet a number of criteria as well as regulates the duties and obligations of the data protection officer in detail.
In Turkey, the Personal Data Protection Law No. 6698 (“PDPL”), which came into force in April 2016, does not regulate the appointment of a person who will be responsible for or assisting with the compliance of data controllers with the relevant legislation. On the other hand, the Regulation on the Registry of Data Controllers (“VERBIS Regulation”), published on 30 December 2017, stipulates that data controllers must appoint a data controller representative and/or a contact person in certain circumstances. In practice, some confusion and questions may arise as to whether these people are equivalent to the data protection officer under the GDPR.
The purpose of this article is to compare the concept of data protection officer within the scope of the GDPR and the data controller representative/contact person regulated by the secondary legislation of the PDPL and to reveal the differences between them.
Specialties, Duties and Powers of the Data Protection Officer within the scope of the GDPR
As mentioned above, GDPR obliges data controllers who meet certain conditions to appoint a data protection officer. Accordingly, a data controller has an obligation to appoint a data protection officer in case the main activities of the data controller, due to their nature, scope and/or purposes, consist of processing activities that require regular and systematic monitoring of the data subjects on a large scale, or the main activities of the data controller include the processing of large-scale sensitive personal data or data related to criminal convictions and crimes.
While the GDPR does not provide detailed regulations on what characteristics a data protection officer should have, it states that this person should have expert knowledge of data protection legislation and practices and should have the ability to fulfil the duties assigned to her/him under the GDPR.
A staff member of the data controller or a third-party service provider may be appointed as a data protection officer. The GDPR imposes important duties on and grants important authorities to the data protection officer. In this context, it is important for the data protection officer to act independently within the scope of the GDPR. According to the GDPR, the data controller has an obligation to provide the data protection officer with all the necessary resources for the data protection officer to perform his/her duties. The data protection officer should not receive any instructions from the data controller while performing his/her duties and should not be dismissed or penalised for performing his/her duties. The data protection officer is responsible for reporting directly to the highest management level.
Data protection officer has important tasks such as to inform the data controller and employees about the relevant legislation, to monitor compliance with data protection legislation, to carry out awareness-raising activities including training or to conduct audits to ensure compliance with data protection legislation, to express an opinion on data protection impact assessment, to cooperate with the supervisory authority; and be a point of contact. In addition, data subjects may contact the data protection officer regarding all issues related to the processing of their personal data and the exercise of their rights.
Specialties, Duties and Powers of the Data Controller Representative/Contact Person within the Scope of the PDPL
Pursuant to the VERBIS Regulation, data controllers are obliged to register with the Data Controllers Registry (“VERBIS”) prior to the start of data processing.
The VERBIS Regulation requires legal person data controllers not residing in Turkey, who are obliged to register with VERBIS, to appoint a data controller representative. Furthermore, the VERBIS Regulation requires that legal person data controllers residing in Turkey, who are obliged to register with VERBIS, as well as representatives of the foreign data controllers must appoint a contact person.
The VERBIS Regulation does not regulate the features that the data controller representative or contact person should have. The contact person may be an employee of the data controller legal entity or an external person. The representative of the data controller must be a legal person residing in Turkey or a natural person who is a citizen of the Republic of Turkey.
According to the VERBIS Regulation, the contact person ensures communication with the Personal Data Protection Authority (“Authority”) regarding the obligations of the data controller under the PDPL and secondary regulations to be issued based on the PDPL.
The VERBIS Regulation clearly states that the contact person is not authorized to represent the data controller in accordance with the provisions of the PDPL and the VERBIS Regulation. Accordingly, the obligations of legal person data controllers residing in Turkey within the scope of PDPL are fulfilled by the body authorized to represent and bind the legal entity in accordance with the provisions of the relevant legislation, or by the person or persons specified in the relevant legislation. The body authorized to represent the legal entity may assign one or more persons regarding the obligations to be fulfilled in terms of the implementation of the PDPL. However, such assignment does not remove the responsibility of the legal person data controller pursuant to the provisions of the PDPL.
As can be seen from the explanations above, the contact person to be appointed pursuant to the VERBIS Regulation is intended to be only a contact point, no other important duty or authority is given to the contact person.
As stated below, the duties and powers of the data controller representative, who is another person mentioned in the VERBIS Regulation, are more detailed than the contact person, but their duties and authorities are also quite limited compared to the data protection officer under the GDPR.
In accordance with the VERBIS Regulation, the data controller representative to be appointed by data controllers residing abroad during registration with VERBIS must have at least the following authorities:
- to receive or accept notifications and correspondence made by the Authority on behalf of the data controller,
- to transmit the demands made by the Authority to the data controller and to submit the responses of the data controller to the Authority,
- to receive and transmit requests to be made by data subjects on behalf of the data controller,
- to transmit the response of the data controller to the data subjects,
- to perform operations relating to the Registry on behalf of the data controller.
Comparison of Data Protection Officer and Data Controller Representative/Contact Person
As can be understood from the detailed explanations above, the data protection officer regulated under the GDPR is a person who is responsible for ensuring the compliance of the data controller with the personal data protection legislation, has important powers, acts independently from the data controller and reports directly to the senior management. On the other hand, the duties of the data controller representative/contact person regulated within the framework of the VERBIS Regulation consist of establishing a communication between the data controller and the Authority and/or the relevant persons. These persons do not have a duty to ensure the general compliance of the data controller with the data protection legislation. It is seen that these provisions brought by the VERBIS Regulation do not aim to establish a system similar to the data protection officer in the GDPR. Therefore, it should be noted that the data protection officer under the GDPR and the data controller representative/contact person under the VERBIS Regulation are completely different concepts. Data controllers should consider this difference when making such appointments in Turkey.
On the other hand, although the PDPL and its secondary legislation do not regulate the appointment of a data protection officer in Turkey, they do not contain a provision that prevents this either. Therefore, if they wish, data controllers can voluntarily appoint a data protection officer similar to the GDPR regarding their data processing activities in Turkey. In this context, the regulations within the scope of the GDPR can be taken as an example in terms of the authorities and responsibilities of the data protection officer, also data controllers will be able to regulate other duties and powers. Data controllers may appoint one of the company employees as a data protection officer that they will voluntarily appoint, or they may prefer an external person. The duties and powers to be given to this person and the responsibilities of the person concerned will need to be clearly stated within the framework of a document such as a contract/commitment to be drawn up between the data controller and relevant person. Alternatively, taking into account the independent character of the data protection officer in GDPR, the legal entity data controller may appoint this person as a board member/manager to the company with a decision to be taken by the competent body and consider giving him/her much broader authorities and responsibilities.
PDPL and its secondary legislation do not regulate the appointment of a person equivalent or similar to the data protection officer regulated under the GDPR. The VERBIS Regulation, which is the secondary legislation of the PDPL, only provides for the appointment of a data controller representative/contact person who will provide the necessary communication with the Authority and data subjects; however, these people do not have important duties and powers similar to the data protection officer under the GDPR. On the other hand, data controllers may consider voluntarily appointing a data protection officer similar to the GDPR in terms of their data processing activities in Turkey. In this context, the duties, powers and responsibilities of the data subject will need to be determined and regulated in detail by the data controller.
First published by Gün + Partners, in 04.07.2021