Rules Introduced by Regulation on Data Controllers Registry
This Legal Alert aims to provide you with an overview of, and highlights from, the Regulation on Data Controllers Registry (the “New Regulation”), which was published in the Official Gazette numbered 30286 and dated December 30, 2017 and entered into force as of January 1, 2018.
Please note that this Legal Alert does not cover all provisions of the New Regulation and is intended for general information purposes only. No statement herein contains any opinion or professional legal advice.
I. GENERAL OVERVIEW
Before elaborating on the provisions of the New Regulation, we would like to briefly touch upon the general requirement introduced under Article 16 of the Law on Personal Data Protection numbered 6698 and dated March 24, 2016 (the “Law”). As per Article 16 of the Law, the Data Protection Authority, under the supervision of the Data Protection Board, shall keep a publicly available Data Controllers Registry. Data controllers are required to be registered with the Data Controllers Registry. However, the Data Protection Board can grant exemption from the registration requirement for certain data controllers.
The term “data controller” is defined as the real or legal person which determines the purposes and means of processing of personal data and is responsible for the setup and management of the data recording system. Considering the broad nature of this definition, a significant majority of real and legal persons having business affairs in Turkey are very likely to qualify as data controllers within the context of the Law and accordingly will be required to register with the Data Controllers Registry, unless they fall under the scope of the exemptions to be introduced by the Data Protection Board. For instance, companies which do not enjoy a legal presence in Turkey but are engaged in commercial activities involving processing of personal data in Turkey will also qualify as data controllers and will be subject to the registration requirement.
Having noted the foregoing, even though the registration requirement has been effective as of October 7, 2016 as per the Law, the introduction of the New Regulation and the establishment of the Data Controllers Registry were pending for such requirement to become fully effective and enforceable in practice. Further, according to Provisional Article 1 of the Law, data controllers shall register with the Data Controllers Registry by the date determined and announced by the Data Protection Board. Although the New Regulation was introduced and published on December 30, 2017, the date for registration has not yet been determined and announced by the Data Protection Board. Further, based on Provisional Article 1 of the Law, following the introduction of the New Regulation, an announcement has been made on the official website of the Data Protection Authority (www.kvkk.gov.tr) stating the following:
- The Information System of Data Controllers Registry (“VERBIS”), which will be accessible online, is still under construction and the dates for the registration requirement and exemptions relating thereto are yet to be determined by the Board;
- The registration requirement will commence after VERBIS becomes operational and registration dates are determined by the Board. The relevant announcement will be made in this respect;
- Data controllers that are required to register with the Data Controllers Registry should prepare a “personal data processing inventory” and a “personal data preservation and destruction policy”.
II. HIGHLIGHTS FROM THE NEW REGULATION
A. Registration
To register with the Data Controllers Registry, data controllers will be required to provide the information set out under the New Regulation through VERBIS. The information to be disclosed to the Data Controllers Registry should be prepared based on the Personal Data Processing Inventory. This is an inventory compiled by data controllers that associates the data processing activities related to their business processes with the purposes of processing personal data, the data category, the recipient group to which such data are transferred and the data subject group, and that explains the maximum period necessary for the purposes of processing personal data, the personal data contemplated to be transferred abroad and the measures taken in respect of data security.
According to Article 9 of the New Regulation, the registration application must include the following information, which will be provided through VERBIS:
- Information required by the Board in the application form such as identity and address details of the data controller, the data controller representative (if any) and the contact person;
- The purposes of processing personal data;
- Explanations on data subject groups and data categories;
- Recipients or recipient groups to which personal data may be transferred;
- Personal data which are contemplated to be transferred abroad;
- Measures taken to ensure data security as per Article 12 of the Law;
- Maximum preservation period as set out under the relevant legislation or that is necessary for the purposes of processing of personal data.
As per Article 10 of the New Regulation, data controllers will be considered to have fulfilled the registration requirement by successfully completing and submitting the required information on VERBIS.
B. Data Controller Representative
According to Article 5 of the New Regulation, data controllers which are not resident in Turkey are required to register with the Data Controllers Registry through a “data controller representative”, which must be a legal person resident in Turkey or a real person having Turkish citizenship, and which is appointed through a decision by the authorized person or body of the data controller. The representation authorities to be granted to the data controller representative must include the minimum required authorities listed under Article 11 of the New Regulation. A data controller representative appointed as such will mainly be tasked and authorized to act on behalf of the non-resident data controller in relation to its data processing activities in Turkey. During registration with the Data Controllers Registry, non-resident data controllers are required to submit a copy of the appointment decision to the Data Protection Authority in addition to the information listed under Section A above.
C. Contact Person
During the registration, data controllers residing in Turkey and data controller representatives acting on behalf of non-resident data controllers must notify a contact person, a real person who will ensure communication with the Data Protection Authority concerning the obligations of the data controller arising from the Law and secondary legislation. Unless specifically granted representation authorities, contact persons do not become entitled to representation authority by operation of law.
D. Preservation Period of Personal Data
Please note that the maximum period necessary for processing of personal data, as notified through VERBIS, shall be taken as the basis for the data controller’s obligation to delete, destroy or anonymize the processed data set out under Article 7 of the Law. In determining the maximum preservation period of personal data, data controllers must observe the criteria set out under Article 9 of the New Regulation.
E. Changes in the Registered Information
If a data controller’s information registered with the Data Controllers Registry changes, the data controller shall notify such change to the Data Protection Authority through VERBIS within seven (7) days as of the occurrence of the same.
F. Exemptions
Pursuant to Article 15 of the New Regulation, the data controller is not obliged to register or notify the following activities of personal data processing:
- In the event that processing of personal data is necessary for prevention of a crime or investigation of a crime;
- Processing of personal data that has been made public by the subject person himself/herself;
- In the event that processing of personal data is necessary for disciplinary investigations or prosecutions or for performance of supervisory or regulatory duties of public institutions and organizations and public professional organizations based on their authorities arising from the law;
- In the event that the processing of personal data is necessary for protection of the State’s economic and financial interests relating to budgeting, taxation and financial matters.
Additionally, the Data Protection Board is authorized to introduce new exemptions from the registration requirement in line with the following criteria:
- Qualifications of the personal data;
- Quantity of the personal data;
- Purpose of processing of personal data;
- Field of activity where the personal data is processed;
- Transfer of personal data to third parties;
- Processing of personal data by operation of law;
- Preservation period of the personal data;
- Data subject person group or data categories.
G. Administrative Fine
As per Article 18 of the Law, an administrative fine in the range of TRY 20,000-1,000,000 shall be imposed on those data controllers who are in breach of registration and notification requirements.