Understanding the Registration Obligation under Turkish Data Protection Law
I. Scope of the registration obligation under Turkish legislation
Data controllers processing personal data in the Turkish jurisdiction
(including processing activities that are conducted abroad, but have an effect
in Turkey) are required to enroll to the Data Controllers' Registry
("Registry"). This requirement is regulated under Article 16/2 of the Data Protection
Law ("DP Law"), which expressly states that "real
persons or legal entities processing personal data are obliged to enroll to the
Data Controllers' Registry." Although the letter of the law seems applicable
to all data controllers, the Data Protection Board ("Board") has introduced certain
exemptions to this obligation, which will be explained in detail below.
According to the DP Law, a data controller will need to register prior
to commencing its data processing activities. However, the Board has provided
certain grace periods for the registration requirement in a recent decision (No.
2018/88), and it has established the applicable deadlines for the registration
of data controllers who are already in possession of and processing personal
data. Data controllers are obliged to provide certain information, such as (i) identity,
(ii) address, and (iii) purpose of the data processing activity, during the
registration process. Once a data controller is enrolled to the Registry, any
changes to the registered information will need to be notified to the Registry as
well.
Data controllers will register to the Registry through
an online information system known as "VERBIS." The information requested from the
data controllers will vary depending on which of the following three categories
a data controller belongs to: (i) real person or legal entity resident in
Turkey, (ii) real person or legal entity resident abroad, and (iii) public
institutions. If data controllers fail to comply with the registration obligation,
the Board may impose an administrative fine.
II. Turkey's registration obligation compared to EU Directive 95/46/EC and the GDPR
The DP Law is mainly based on the EU Directive
95/46/EC ("Directive"), with certain relatively minor differences. Thus, the registration
obligation is quite similar to the requirements of the Directive. Similar to the
DP Law, the Directive stipulates that the data controller (or a representative)
must notify the supervisory authority before commencing or carrying out a data processing
activity. The Directive further indicates that the notification must specify
certain information, such as the name and address of the data controller and of
its representative, if any; the purpose or purposes of the processing; and a
description of the category or categories of the data subject, as well as a
description of the data or categories of data relating to them, among others. The
Directive requires the EU member states to take the necessary measures to
ensure that data processing activities are publicized.
On the other hand, the EU General Data Protection
Regulation ("GDPR") differs significantly from the European Council's approach
in the Directive. When the GDPR came into force on May 25, 2018, the regulation
regarding the requirement to provide notification to the supervisory authority
changed. Data controllers are no longer obliged to register their personal data
processing activities to a registry system. Rather, the GDPR adopts a self-regulating
approach, and depends on the accountability of the data controllers.
Accordingly, the GDPR requires that data controllers shall maintain the relevant
records internally under their own care and responsibility, and make them
available to the supervisory authorities upon request.
III. Exemptions
Pursuant to Article 16/2 of the DP Law, the Board is
entitled to provide and specify certain exemptions to the registration
obligation. According to the Board's decision No. 2018/32, the following data
controllers are exempt from the obligation to register: (i) real persons and
legal entities that process personal data by non-automatic means, on the
condition that such data are part of a data-filing system, (ii) notaries operating
under the Notary Law No. 1512, (iii) associations founded under the Law No.
5253 on Associations, foundations established per the Law No. 5737 on
Foundations, and trade unions established under the Law No. 6356 on Trade
Unions and Collective Bargaining Agreements, who only process the personal data
of their own employees, enrollees, members and donors, in accordance with the applicable
legislation and its purposes and within the scope of their field of activity,
(iv) political parties founded in accordance with the Law No. 2820 on Political
Parties, (v) attorneys who are working under the Attorneyship Law No. 1136, and
(vi) certified public accountants and sworn-in public accountants operating
under the Law No. 3568 on Public Accountancy and Auditing.
The Board published another noteworthy decision recently
(No. 2018/87), which is applicable to all data controllers, wherein it announced
that data controllers who have fewer than fifty (50) yearly employees and whose
annual financial balance sum does not exceed the amount of twenty-five million
Turkish Liras (TL 25,000,000) will be exempt from the registration obligation, as
long as their main business activity does not concern processing special
categories of personal data (such as personal data relating to race, ethnic
origin, political opinion, philosophical belief, religion, sect or other
belief, clothing, membership in associations, foundations or trade-unions,
health, sexual life, convictions and security measures, as well as biometric
and genetic data).
IV. Registration procedure
The procedures and principles with regard to the registration
obligation have been regulated and stipulated under the Regulation on the Data
Controllers' Registry ("Regulation"). According to the Regulation, all
transactions regarding the registry should be conducted by the data controllers
through an information system called "VERBIS." VERBIS went live and became
operational on October 1, 2018. The Personal Data Protection Authority ("DPA")
published a privacy information notice, and according to this notice, the
information provided by data controllers during their registration to VERBIS (e.g., names, tax numbers,
representative's personal data, etc.) will only be used by the DPA in relation
to the registration obligation. Furthermore, data subjects may apply to the
DPA, which will be acting as the data controller in terms of such information,
regarding the use of their data. In order to access VERBIS, data controllers will
be required to first sign up to the system by filling out a form. The
information that will be requested from the data controllers during the
registration process is as follows:
1. For data controllers residing in Turkey: (i)
Identity number (for real persons) or tax identity number and registered tax
office information (for real person or legal entity data controllers), (ii) Corporate
electronic mail addresses, as the Regulation states that all notifications
and communications regarding VERBIS will be conducted by using this e-mail
address, (iii) Landline phone numbers or mobile phone numbers, (iv) Address
number of the data controller (the 10-digit address number may be obtained
through the online system at https://adres.nvi.gov.tr/VatandasIslemleri/AdresSorgu), and (v) "Registered electronic mail (KEP)
address" for data controllers who have a registered electronic mail address (however,
this is not mandatory for data controllers who do not possess a registered
electronic mail address).
2. For data controllers residing outside of
Turkey: (i) Title, electronic mail address, telephone number, address
information, country of residence, date of the decision appointing the data
controller's representative ("Representative") and, if available, the number of
this decision. If the appointed Representative is a Turkish citizen, his/her
identity number ("TCKN"); if the Representative is a legal entity established
in Turkey, its tax identity number along with its registered tax office, (ii) Corporate
electronic mail address, (iii) Representative's address, and (iv)
Representative's registered electronic mail (KEP) address for data controllers
who have a registered mail address (however, this is not obligatory if the Representative
does not have a registered electronic mail address).
Data controllers may access the VERBIS system and
assign a Representative for themselves once the sign-up process is completed.
Thus, the Representative may also access VERBIS by using Turkey's digital platform
for its citizens (known as "e-devlet" and available at https://www.turkiye.gov.tr/), and the Representative will be asked to
provide information regarding the data controller's personal data processing activities
and may thereafter complete the data controller's registration process.
V. Registration Timetable
The Board has recently issued a decision (No. 2018/88),
which sets forth certain grace periods for data controllers to enroll to the
Registry. Data controllers are required to comply with their registration
obligations according to the following schedule, depending on their
categorization:
(i) Between October 1, 2018, and September 30, 2019,
for data controllers whose number of yearly employees exceeds fifty (50) or
whose annual financial balance sum exceeds twenty-five million Turkish Liras
(TL 25,000,000),
(ii) Between October 1, 2018, and September 30, 2019,
for data controllers who are resident or established abroad,
(iii) Between January 1, 2019, and March 31, 2020, for
data controllers whose number of yearly employees is less than fifty (50) and
whose annual financial balance sum does not exceed twenty-five million Turkish
Liras (TL 25,000,000), but whose main business activity concerns the processing
of special categories of personal data (as listed above),
(iv) Between April 1, 2019, and June 30, 2020, for
data controllers who are public entities or public institutions.
Since the Registry has only recently become operational, and since we
are still within the grace period(s) as of the date of this article, we may expect
certain practical issues and problems to arise during the registration process that
might require addressing. At this stage, data controllers should make use of the
aforementioned grace periods to finalize their internal preparations (such as the
identification and classification of their data processing activities) before
enrolling to the Registry, in order to ensure compliance with the registration
obligation in due time.
Authors: Gönenç Gürkaynak, Esq., İlay
Yılmaz and Burak Yeşilaltay of ELIG Gürkaynak Attorneys-at-Law
(First published by Mondaq on November 7, 2018)