Turkey: Draft Regulation on Data Controllers’ Registry
On May 5th, 2017 the Turkish Data Protection Authority published the Draft Regulation on Data Controllers’ Registry (“Draft Regulation”) for comments to be submitted. The Draft Regulation is based on Article 16 of the Law on the Protection of Personal Data (“Law”) which came into force last year on April 7th, which states under the supervision of the Board of Protection of Personal Data (“Board”), Data Controllers Registry (“Registry”) will be kept by the Presidency of the Personal Data Protection Authority in a publicly available manner.
Who should register?
In line with the Law, the Draft Regulation brings a requirement for all data controllers to get registered in case they process personal data in Turkey. Both real and legal persons must register.
Data controllers that do not reside in Turkey are also obliged to register to the Registry through a data controller representative, before processing personal data. Data controller representative will only be determined by data controllers that do not reside in Turkey and will be notified at time of application to enroll to the Registry.
Duties of the representative of non-residing data controllers
Data controller representative will be authorized for the representation of the non-residing data controller regarding the duties set forth in Article 11/2 of the Draft Regulation. The representative will be in communication with the Board and the Authority, answer the requests addressed to the data controller and do things related to the Registry on behalf of the data controller. The representative’s authorities will be limited with those stated under the Draft Regulation.
Data controller representative must be either a Turkish legal entity or a real person having Turkish citizenship. The data controller must submit to the Registry a resolution taken by the authorized body of the controller appointing the data controller representative with the minimum required authorities to act on behalf of the data controller in Turkey during registration.
Contact person of a data controllers residing in Turkey
The legal entity data controllers residing in Turkey shall assign a contact person during the application to the Registry to be contacted for the communications to be made by the Board and the Authority regarding the obligations. The contact person is not authorized to represent the data controller. Contact person is appointed only for communication purposes.
The registration process
Data controllers shall first establish an inventory of personal data processing, through associating with their personal data processing activities related to their business processes, their purposes of processing personal data, data category, transferred recipient groups and data subject group. Data controllers then will apply to the Registry through an online system called VERBIS before they start processing data. This application for registration will be made according to the inventory prepared beforehand. Data controllers shall provide the following information through VERBIS;
• Identifying information and address of the data controller or it’s representative,
• Purpose of data processing,
• Data subject groups and data categories,
• Third parties which data may be transferred to,
• Personal data which may be transferred abroad,
• Safety and security measures taken,
• Maximum period that is necessary for the purpose of processing personal data.
In case of changes in the Registry information, data controllers will immediately inform the Authority.
Maximum period that is necessary for the purposes of processing of personal data
During the application of registration data controllers should also provide the maximum period of time which is necessary to process the personal data. The maximum period shall be designated regarding the general practice in the field of activity, the period of the legal responsibilities, the period the data will be up to date and the lapse of time to bring a claim.
Data controllers shall prepare and implement a Personal Data Retention and Destruction Policy to be the basis of determination of the maximum periods.
Deletion of Registry Record
Data Controllers may apply through VERBIS to delete the registration. The registration will also be deleted if the information which the registration is based on is partially or completely expired. Deleted records will be kept passively and accessible on demand, and no changes can be made on them.
The data controller is the legal entity itself in companies. The data controller’s obligations of the legal entities located in Turkey is performed through its organs which have the authority to represent and bind the company. The authorized organ may assign one or more people for its obligations to be performed. However, this assignment does not remove the responsibility of the organ. The liability of the authorized organ cannot be delegated as per the Draft Regulation. The provision regulating the liability is critized as being in contrary to general rules of the Turkish Commercial Code regulating liability of authorized bodies in a company, i.e. the board of directors. The Board of Directors must not have unlimited liability in terms of data privacy whereas in other issues, their liability is limited and they can assign duties and their only liability is to act as a prudent person and show necessary diligent and care while assigning duties and choosing the right person.
Exemption from Registration requirement
There are exemptions of registration requirements for data controllers which are set forth in Article 16 of the Draft Regulation. The below listed personal data can be processed without registration:
• personal data that is necessary for prevention of a crime or for crime investigation,
• personal data which is made public by the data subject,
• personal data that is necessary for the performance of supervisory or regulatory duties along with disciplinary investigation or prosecution by the assigned and authorized public institutions and agencies along with professional organizations carrying the nature of public institutions, based on the authorization of the law,
• personal data that is necessary for the protection of the State’s economic and financial interests with respect to the budget, tax and financial matters.
Board may bring an exemption to the enrollment obligation regarding processing of personal data activities which does not occur automatically either completely or partially, taking into account the criteria in Article 17.
However the Draft Regulation does not set forth exemption conditions. We think that these will be announced later on. However this will definitely effect the applicability of the Regulation and does not provide clear guidance for companies for the time being.
Non-compliance with the registration and information requirement is subject to an administrative fine of up to TRY 1,000,000 (approx. EUR 250,000.-).