I. Scope of the registration obligation under Turkish legislation
Data controllers processing personal data in the Turkish jurisdiction (including processing activities that are conducted abroad, but have an effect in Turkey) are required to enroll to the Data Controllers’ Registry (“Registry”). This requirement is regulated under Article 16/2 of the Data Protection Law (“DP Law”), which expressly states that “real persons or legal entities processing personal data are obliged to enroll to the Data Controllers’ Registry.” Although the letter of the law seems applicable to all data controllers, the Data Protection Board (“Board”) has introduced certain exemptions to this obligation, which will be explained in detail below.
According to the DP Law, a data controller will need to register prior to commencing its data processing activities. However, the Board has provided certain grace periods for the registration requirement in a recent decision (No. 2018/88), and it has established the applicable deadlines for the registration of data controllers who are already in possession of and processing personal data. Data controllers are obliged to provide certain information, such as (i) identity, (ii) address, and (iii) purpose of the data processing activity, during the registration process. Once a data controller is enrolled to the Registry, any changes to the registered information will need to be notified to the Registry as well.
Data controllers will register to the Registry through an online information system known as “VERBIS.” The information requested from the data controllers will vary depending on which of the following three categories a data controller belongs to: (i) real person or legal entity resident in Turkey, (ii) real person or legal entity resident abroad, and (iii) public institutions. If data controllers fail to comply with the registration obligation, the Board may impose an administrative fine.
II. Turkey’s registration obligation compared to EU Directive 95/46/EC and the GDPR
The DP Law is mainly based on the EU Directive 95/46/EC (“Directive”), with certain relatively minor differences. Thus, the registration obligation is quite similar to the requirements of the Directive. Similar to the DP Law, the Directive stipulates that the data controller (or a representative) must notify the supervisory authority before commencing or carrying out a data processing activity. The Directive further indicates that the notification must specify certain information, such as the name and address of the data controller and of its representative, if any; the purpose or purposes of the processing; and a description of the category or categories of the data subject, as well as a description of the data or categories of data relating to them, among others. The Directive requires the EU member states to take the necessary measures to ensure that data processing activities are publicized.
On the other hand, the EU General Data Protection Regulation (“GDPR”) differs significantly from the European Council’s approach in the Directive. When the GDPR came into force on May 25, 2018, the regulation regarding the requirement to provide notification to the supervisory authority changed. Data controllers are no longer obliged to register their personal data processing activities to a registry system. Rather, the GDPR adopts a self-regulating approach, and depends on the accountability of the data controllers. Accordingly, the GDPR requires that data controllers shall maintain the relevant records internally under their own care and responsibility, and make them available to the supervisory authorities upon request.
Pursuant to Article 16/2 of the DP Law, the Board is entitled to provide and specify certain exemptions to the registration obligation. According to the Board’s decision No. 2018/32, the following data controllers are exempt from the obligation to register: (i) real persons and legal entities that process personal data by non-automatic means, on the condition that such data are part of a data-filing system, (ii) notaries operating under the Notary Law No. 1512, (iii) associations founded under the Law No. 5253 on Associations, foundations established per the Law No. 5737 on Foundations, and trade unions established under the Law No. 6356 on Trade Unions and Collective Bargaining Agreements, who only process the personal data of their own employees, enrollees, members and donors, in accordance with the applicable legislation and its purposes and within the scope of their field of activity, (iv) political parties founded in accordance with the Law No. 2820 on Political Parties, (v) attorneys who are working under the Attorneyship Law No. 1136, and (vi) certified public accountants and sworn-in public accountants operating under the Law No. 3568 on Public Accountancy and Auditing.
The Board published another noteworthy decision recently (No. 2018/87), which is applicable to all data controllers, wherein it announced that data controllers who have fewer than fifty (50) yearly employees and whose annual financial balance sum does not exceed the amount of twenty-five million Turkish Liras (TL 25,000,000) will be exempt from the registration obligation, as long as their main business activity does not concern processing special categories of personal data (such as personal data relating to race, ethnic origin, political opinion, philosophical belief, religion, sect or other belief, clothing, membership in associations, foundations or trade-unions, health, sexual life, convictions and security measures, as well as biometric and genetic data).
IV. Registration procedure
The procedures and principles with regard to the registration obligation have been regulated and stipulated under the Regulation on the Data Controllers’ Registry (“Regulation”). According to the Regulation, all transactions regarding the registry should be conducted by the data controllers through an information system called “VERBIS.” VERBIS went live and became operational on October 1, 2018. The Personal Data Protection Authority (“DPA”) published a privacy information notice, and according to this notice, the information provided by data controllers during their registration to VERBIS (e.g., names, tax numbers, representative’s personal data, etc.) will only be used by the DPA in relation to the registration obligation. Furthermore, data subjects may apply to the DPA, which will be acting as the data controller in terms of such information, regarding the use of their data. In order to access VERBIS, data controllers will be required to first sign up to the system by filling out a form. The information that will be requested from the data controllers during the registration process is as follows:
1. For data controllers residing in Turkey: (i) Identity number (for real persons) or tax identity number and registered tax office information (for real person or legal entity data controllers), (ii) Corporate electronic mail addresses, as the Regulation states that all notifications and communications regarding VERBIS will be conducted by using this e-mail address, (iii) Landline phone numbers or mobile phone numbers, (iv) Address number of the data controller (the 10-digit address number may be obtained through the online system at https://adres.nvi.gov.tr/VatandasIslemleri/AdresSorgu), and (v) “Registered electronic mail (KEP) address” for data controllers who have a registered electronic mail address (however, this is not mandatory for data controllers who do not possess a registered electronic mail address).
2. For data controllers residing outside of Turkey: (i) Title, electronic mail address, telephone number, address information, country of residence, date of the decision appointing the data controller’s representative (“Representative”) and, if available, the number of this decision. If the appointed Representative is a Turkish citizen, his/her identity number (“TCKN”); if the Representative is a legal entity established in Turkey, its tax identity number along with its registered tax office, (ii) Corporate electronic mail address, (iii) Representative’s address, and (iv) Representative’s registered electronic mail (KEP) address for data controllers who have a registered mail address (however, this is not obligatory if the Representative does not have a registered electronic mail address).
Data controllers may access the VERBIS system and assign a Representative for themselves once the sign-up process is completed. Thus, the Representative may also access VERBIS by using Turkey’s digital platform for its citizens (known as “e-devlet” and available at https://www.turkiye.gov.tr/), and the Representative will be asked to provide information regarding the data controller’s personal data processing activities and may thereafter complete the data controller’s registration process.
V. Registration Timetable
The Board has recently issued a decision (No. 2018/88), which sets forth certain grace periods for data controllers to enroll to the Registry. Data controllers are required to comply with their registration obligations according to the following schedule, depending on their categorization:
- Between October 1, 2018, and September 30, 2019, for data controllers whose number of yearly employees exceeds fifty (50) or whose annual financial balance sum exceeds twenty-five million Turkish Liras (TL 25,000,000),
- Between October 1, 2018, and September 30, 2019, for data controllers who are resident or established abroad,
- Between January 1, 2019, and March 31, 2020, for data controllers whose number of yearly employees is less than fifty (50) and whose annual financial balance sum does not exceed twenty-five million Turkish Liras (TL 25,000,000), but whose main business activity concerns the processing of special categories of personal data (as listed above),
- Between April 1, 2019, and June 30, 2020, for data controllers who are public entities or public institutions.
Since the Registry has only recently become operational, and since we are still within the grace period(s) as of the date of this article, we may expect certain practical issues and problems to arise during the registration process that might require addressing. At this stage, data controllers should make use of the aforementioned grace periods to finalize their internal preparations (such as the identification and classification of their data processing activities) before enrolling to the Registry, in order to ensure compliance with the registration obligation in due time.
(First published by Mondaq on November 7, 2018)
By Gonenc Gurkaynak, Partner, Ilay Yılmaz, Partner, and Burak Yesilaltay, Associate, ELIG Gürkaynak Attorneys-at-Law