TURKEY: THE DEADLINE FOR COMPLYING WITH THE DATA CONTROLLERS’ REGISTRY REQUIREMENT IS DECEMBER 31, 2019.
- On 13 December 2019
Under the Law on Protection of Personal Data no. 6698 (“DPL”), there are certain obligations which are similar to those contained in the GDPR, and which are relatively easy to comply with. On the other hand, some DPL obligations will likely be foreign to data controllers in the EU and overseas.
One such requirement is the requirement to register with the Data Controllers’ Registry (“VERBIS”). This requirement is stipulated within the DPL and a piece of secondary legislation called the Regulation on Data Controllers’ Registry. (“Regulation”) Further, the Turkish Data Protection Authority (“DPA”) issued a decision setting the relevant deadlines for the registration requirement.
Pursuant to the Law, Regulation and DPA decisions, all data controllers that collect data from Turkey, or process data collected from Turkey, are required to register. Therefore;
- All controllers that are not located within Turkey but collect/process personal data from Turkey (“Foreign Controllers”) and,
- All controllers with 50 or more employees or with an annual balance sheet of TRY 25.000.000 or more (“Turkish Controllers”)
are required to register.
Please note that this definition covers a very large group of data controllers including companies which are not resident in Turkey. A few examples of companies which would trigger the requirement for registration register are;
- An e-commerce company located abroad which provides services to residents in Turkey,
- An online gaming company located abroad which provides MMORPG gaming services to users in Turkey.
- A multinational company with a branch office in Turkey, where the HQ collects/processes personal data of employees of the branch office in Turkey.
The list of examples goes on, but as can be seen from the examples above, the scope of this requirement is very broad. Nonetheless, a large number of multinational companies appear to be unaware of this requirement.
The registration requirement has been in place since October 1, 2019, and the current deadline to register is December 31, 2019.
As of December 10, 2019, around 24000 data controllers have registered with VERBIS. Given the proximity of the deadline, this number is increasing very rapidly. We believe that we will witness an increased number of registrations, not least because the consequences of failing to register can be very harsh. For example;
- An administrative fine of up to TRY 1.803.000 (€ 280.000) for not registering in due time,
- A second administrative fine of up to TRY 1.803.000 (€ 280.000) for not complying with DPA’s decisions and,
- Restriction of the controller’s data processing activities in Turkey by the DPA with a decision.
Since the worst-case scenario may result in a restriction on processing activities of a controller in Turkey, registration is essential in order to operate legally in Turkey, or process data collected from Turkey.
Please refer to the necessary registration steps below:
- Foreign controllers are required to appoint a data controller representative (“representative”) in Turkey. The representative must be a Turkish legal or natural person. For foreign controllers, only the representative can start and finish the registration process. The foreign controller is also required to maintain the data controller representative as long as the requirement to register exists. Most companies prefer to appoint their external lawyers or law firms in Turkey as the representative, since the role requires a level of legal expertise and know-how. The appointment decision is subject to a validation procedure.
- After the appointment decision is sent to the representative, the representative will visit verbis.kvkk.gov.tr and register as a data controller by filling in the relevant form.
- Appoint a contact person on behalf of the controller. The contact person must be a Turkish natural person; therefore, it is advisable to appoint an employee of the representative in Turkey as being this contact person.
- Input the data processing inventory into VERBIS. If a data processing inventory is not available, this must be prepared and must include, for each separate processing activity: details as to who the data subjects are, what categories of data are covered, the relevant retention periods, the relevant technical/organizational measures in place, whether there are any transfers within the country, and whether there are any transfers abroad.
Please note that this process usually takes around 10 business days. As such, foreign controllers must start the process no later than December 20, 2019, in order to comply with the requirement in time.
Unlike foreign controllers, Turkish controllers can handle their own registration procedure, as there is no requirement to appoint a representative. The steps for Turkish Controllers are;
- Visit verbis.kvkk.gov.tr and register as a data controller by filling in the relevant form.
- Appoint a contact person. The contact person must be a Turkish natural person. This person can be an employee of the controller.
- Input the data processing inventory into VERBIS using the interface. If a data processing inventory is not available, this must be prepared and must include, for each separate processing activity: details as to who the data subjects are, what categories of data are covered, the relevant retention periods, the relevant technical/organizational measures in place, whether there are any transfers within the country, and whether there are any transfers abroad.
The procedure for Turkish controllers usually takes 2 business days, but please consider that with the deadline being very close, these procedures may take longer due to the volume of registrations being processed.
Burak Ozdagistanli and Hatice Ekici Tağa, OZDAGISTANLIEKICI