Understanding the Registration Obligation under Turkish Data Protection Law

I. Scope of the registration obligation under Turkish legislation

Data controllers processing personal data in the Turkish jurisdiction (including processing activities that are conducted abroad, but have an effect in Turkey) are required to enroll to the Data Controllers' Registry ("Registry"). This requirement is regulated under Article 16/2 of the Data Protection Law ("DP Law"), which expressly states that "real persons or legal entities processing personal data are obliged to enroll to the Data Controllers' Registry." Although the letter of the law seems applicable to all data controllers, the Data Protection Board ("Board") has introduced certain exemptions to this obligation, which will be explained in detail below.

According to the DP Law, a data controller will need to register prior to commencing its data processing activities. However, the Board has provided certain grace periods for the registration requirement in a recent decision (No. 2018/88), and it has established the applicable deadlines for the registration of data controllers who are already in possession of and processing personal data. Data controllers are obliged to provide certain information, such as (i) identity, (ii) address, and (iii) purpose of the data processing activity, during the registration process. Once a data controller is enrolled to the Registry, any changes to the registered information will need to be notified to the Registry as well.

Data controllers will register to the Registry through an online information system known as "VERBIS." The information requested from the data controllers will vary depending on which of the following three categories a data controller belongs to: (i) real person or legal entity resident in Turkey, (ii) real person or legal entity resident abroad, and (iii) public institutions. If data controllers fail to comply with the registration obligation, the Board may impose an administrative fine.

II. Turkey's registration obligation compared to EU Directive 95/46/EC and the GDPR

The DP Law is mainly based on the EU Directive 95/46/EC ("Directive"), with certain relatively minor differences. Thus, the registration obligation is quite similar to the requirements of the Directive. Similar to the DP Law, the Directive stipulates that the data controller (or a representative) must notify the supervisory authority before commencing or carrying out a data processing activity. The Directive further indicates that the notification must specify certain information, such as the name and address of the data controller and of its representative, if any; the purpose or purposes of the processing; and a description of the category or categories of the data subject, as well as a description of the data or categories of data relating to them, among others. The Directive requires the EU member states to take the necessary measures to ensure that data processing activities are publicized.

On the other hand, the EU General Data Protection Regulation ("GDPR") differs significantly from the European Council's approach in the Directive. When the GDPR came into force on May 25, 2018, the regulation regarding the requirement to provide notification to the supervisory authority changed. Data controllers are no longer obliged to register their personal data processing activities to a registry system. Rather, the GDPR adopts a self-regulating approach, and depends on the accountability of the data controllers. Accordingly, the GDPR requires data controllers to maintain the relevant records internally under their own care and responsibility, and to make them available to the supervisory authorities upon request.

III. Exemptions

Pursuant to Article 16/2 of the DP Law, the Board is entitled to provide and specify certain exemptions to the registration obligation. According to the Board's decision No. 2018/32, the following data controllers are exempt from the obligation to register: (i) real persons and legal entities that process personal data by non-automatic means, on the condition that such data are part of a data-filing system, (ii) notaries operating under the Notary Law No. 1512, (iii) associations founded under the Law No. 5253 on Associations, foundations established per the Law No. 5737 on Foundations, and trade unions established under the Law No. 6356 on Trade Unions and Collective Bargaining Agreements, who only process the personal data of their own employees, enrollees, members and donors, in accordance with the applicable legislation and its purposes and within the scope of their field of activity, (iv) political parties founded in accordance with the Law No. 2820 on Political Parties, (v) attorneys who are working under the Attorneyship Law No. 1136, and (vi) certified public accountants and sworn-in public accountants operating under the Law No. 3568 on Public Accountancy and Auditing.

The Board published another noteworthy decision recently (No. 2018/87), which is applicable to all data controllers, wherein it announced that data controllers who have fewer than fifty (50) yearly employees and whose annual financial balance sum does not exceed the amount of twenty-five million Turkish Liras (TL 25,000,000) will be exempt from the registration obligation, as long as their main business activity does not concern processing special categories of personal data (such as personal data relating to race, ethnic origin, political opinion, philosophical belief, religion, sect or other belief, clothing, membership in associations, foundations or trade-unions, health, sexual life, convictions and security measures, as well as biometric and genetic data).

IV. Registration procedure

The procedures and principles with regard to the registration obligation have been regulated and stipulated under the Regulation on the Data Controllers' Registry ("Regulation"). According to the Regulation, all transactions regarding the registry should be conducted by the data controllers through an information system called "VERBIS." VERBIS went live and became operational on October 1, 2018. The Personal Data Protection Authority ("DPA") published a privacy information notice, and according to this notice, the information provided by data controllers during their registration to VERBIS (e.g., names, tax numbers, representative's personal data, etc.) will only be used by the DPA in relation to the registration obligation. Furthermore, data subjects may apply to the DPA, which will be acting as the data controller in terms of such information, regarding the use of their data. In order to access VERBIS, data controllers will be required to first sign up to the system by filling out a form. The information that will be requested from the data controllers during the registration process is as follows:

1. For data controllers residing in Turkey: (i) Identity number (for real persons) or tax identity number and registered tax office information (for real person or legal entity data controllers), (ii) Corporate electronic mail addresses, as the Regulation states that all notifications and communications regarding VERBIS will be conducted by using this e-mail address, (iii) Landline phone numbers or mobile phone numbers, (iv) Address number of the data controller (the 10-digit address number may be obtained through the online system at https://adres.nvi.gov.tr/VatandasIslemleri/AdresSorgu), and (v) "Registered electronic mail (KEP) address" for data controllers who have a registered electronic mail address (however, this is not mandatory for data controllers who do not possess a registered electronic mail address).

2. For data controllers residing outside of Turkey: (i) Title, electronic mail address, telephone number, address information, country of residence, date of the decision appointing the data controller's representative ("Representative") and, if available, the number of this decision. If the appointed Representative is a Turkish citizen, his/her identity number ("TCKN"); if the Representative is a legal entity established in Turkey, its tax identity number along with its registered tax office, (ii) Corporate electronic mail address, (iii) Representative's address, and (iv) Representative's registered electronic mail (KEP) address for data controllers who have a registered mail address (however, this is not obligatory if the Representative does not have a registered electronic mail address).

Data controllers may access the VERBIS system and assign a Representative for themselves once the sign-up process is completed. Thus, the Representative may also access VERBIS by using Turkey's digital platform for its citizens (known as "e-devlet" and available at https://www.turkiye.gov.tr/), and the Representative will be asked to provide information regarding the data controller's personal data processing activities and may thereafter complete the data controller's registration process.

V. Registration Timetable

The Board has recently issued a decision (No. 2018/88), which sets forth certain grace periods for data controllers to enroll to the Registry. Data controllers are required to comply with their registration obligations according to the following schedule, depending on their categorization:

(i) Between October 1, 2018, and September 30, 2019, for data controllers whose number of yearly employees exceeds fifty (50) or whose annual financial balance sum exceeds twenty-five million Turkish Liras (TL 25,000,000),

(ii) Between October 1, 2018, and September 30, 2019, for data controllers who are resident or established abroad,

(iii) Between January 1, 2019, and March 31, 2020, for data controllers whose number of yearly employees is less than fifty (50) and whose annual financial balance sum does not exceed twenty-five million Turkish Liras (TL 25,000,000), but whose main business activity concerns the processing of special categories of personal data (as listed above),

(iv) Between April 1, 2019, and June 30, 2020, for data controllers who are public entities or public institutions.

Since the Registry has only recently become operational, and since we are still within the grace period(s) as of the date of this article, we may expect certain practical issues and problems to arise during the registration process that might require addressing. At this stage, data controllers should make use of the aforementioned grace periods to finalize their internal preparations (such as the identification and classification of their data processing activities) before enrolling to the Registry, in order to ensure compliance with the registration obligation in due time.

Authors: Gönenç Gürkaynak, Esq., İlay Yılmaz and Burak Yeşilaltay of ELIG Gürkaynak Attorneys-at-Law

(First published by Mondaq on November 7, 2018)