News
Draft Regulation on Data Controllers’ Registry
On May 5th, 2017 the Turkish Data Protection Authority published the Draft Regulation on Data Controllers’ Registry (“Draft Regulation”) for comments to be submitted. The Draft Regulation is based on Article 16 of the Law on the Protection of Personal Data (“Law”), which came into force last year on April 7th and states that, under the supervision of the Board of Protection of Personal Data (“Board”), the Data Controllers’ Registry (“Registry”) will be kept by the Presidency of the Personal Data Protection Authority in a publicly available manner.
Who should register?
In line with the Law, the Draft Regulation requires all data controllers to register if they process personal data in Turkey. Both real and legal persons must register.
Data controllers that do not reside in Turkey are also obliged to register with the Registry, through a data controller representative, before processing personal data. A data controller representative is appointed only by data controllers that do not reside in Turkey, and is notified at the time of application for enrollment in the Registry.
Duties of the representative of non-residing data controllers
The data controller representative will be authorized to represent the non-residing data controller regarding the duties set forth in Article 11/2 of the Draft Regulation. The representative will communicate with the Board and the Authority, answer the requests addressed to the data controller and carry out Registry-related procedures on behalf of the data controller. The representative’s authorities will be limited to those stated under the Draft Regulation.
The data controller representative must be either a Turkish legal entity or a real person having Turkish citizenship. During registration, the data controller must submit to the Registry a resolution taken by the authorized body of the controller appointing the data controller representative with the minimum required authorities to act on behalf of the data controller in Turkey.
Contact person of data controllers residing in Turkey
Legal entity data controllers residing in Turkey shall assign a contact person during the application to the Registry, to be contacted for the communications made by the Board and the Authority regarding the obligations. The contact person is not authorized to represent the data controller and is appointed only for communication purposes.
The registration process
Data controllers shall first establish an inventory of personal data processing by associating the personal data processing activities related to their business processes with their purposes of processing personal data, the data category, the transferred recipient groups and the data subject group. Data controllers will then apply to the Registry through an online system called VERBIS before they start processing data. This application for registration will be made according to the inventory prepared beforehand. Data controllers shall provide the following information through VERBIS:
- Identifying information and address of the data controller or its representative,
- Purpose of data processing,
- Data subject groups and data categories,
- Third parties which data may be transferred to,
- Personal data which may be transferred abroad,
- Safety and security measures taken,
- Maximum period that is necessary for the purpose of processing personal data.
In case of changes in the Registry information, data controllers will immediately inform the Authority.
Maximum period that is necessary for the purposes of processing of personal data
During the application for registration, data controllers should also provide the maximum period of time which is necessary to process the personal data. The maximum period shall be determined with regard to the general practice in the field of activity, the period of the legal responsibilities, the period the data will be up to date and the lapse of time to bring a claim.
Data controllers shall prepare and implement a Personal Data Retention and Destruction Policy to be the basis of determination of the maximum periods.
Deletion of Registry Record
Data controllers may apply through VERBIS to delete the registration. The registration will also be deleted if the information which the registration is based on is partially or completely expired. Deleted records will be kept passively and remain accessible on demand, and no changes can be made to them.
Liability
In companies, the data controller is the legal entity itself. The data controller’s obligations of legal entities located in Turkey are performed through their organs which have the authority to represent and bind the company. The authorized organ may assign one or more people to perform its obligations. However, this assignment does not remove the responsibility of the organ. The liability of the authorized organ cannot be delegated as per the Draft Regulation. The provision regulating the liability is criticized as being contrary to the general rules of the Turkish Commercial Code regulating the liability of authorized bodies in a company, i.e. the board of directors. The Board of Directors must not have unlimited liability in terms of data privacy, whereas in other issues their liability is limited: they can assign duties, and their only liability is to act as a prudent person and show the necessary diligence and care while assigning duties and choosing the right person.
Exemption from Registration requirement
Exemptions from the registration requirement for data controllers are set forth in Article 16 of the Draft Regulation. The personal data listed below can be processed without registration:
- personal data that is necessary for prevention of a crime or for crime investigation,
- personal data which is made public by the data subject,
- personal data that is necessary for the performance of supervisory or regulatory duties along with disciplinary investigation or prosecution by the assigned and authorized public institutions and agencies along with professional organizations carrying the nature of public institutions, based on the authorization of the law,
- personal data that is necessary for the protection of the State’s economic and financial interests with respect to the budget, tax and financial matters.
The Board may grant an exemption from the enrollment obligation for personal data processing activities that do not occur automatically, either completely or partially, taking into account the criteria in Article 17.
However, the Draft Regulation does not set forth exemption conditions. We think that these will be announced later on. However, this will definitely affect the applicability of the Regulation and does not provide clear guidance for companies for the time being.
Administrative Fines
Non-compliance with the registration and information requirement is subject to an administrative fine of up to TRY 1,000,000 (approx. EUR 250,000.-).
Article published by: Begüm Yavuzdoğan Okumuş, Managing Associate, Gun+Partners
Discover more about the Cloud Privacy Check (CPC) / Data Privacy Compliance (DPC) project
CPC project office: Dr. Tobias Höllwarth, tobias.hoellwarth@eurocloud.at