MA | Gazette

Public Consultation in Turkey Regarding Regulation Which Establishes Data Controller Register

Turkey’s Data Protection Authority (“Authority”) recently held a two week public consultation period on the details of draft legislation which establishes the Data Controller Registry (“Registry”), ending on 20 May 2017. Stakeholders could submit opinions and suggestions to the Authority.

The Data Protection Law introduced numerous obligations for natural and legal persons who process personal data in Turkey (“Data Controller”). Data Controllers must register with the Registry before they begin to actively process personal data (Article 16 of the Law).

Key points under the Draft Data Controller Registry Regulation (“Draft Regulation”) include:

  • Data Controllers must register with the Registry before they begin to actively process data and persons or entities which later become under the scope of the proposed legislation will have 30 days to register.
  • The Authority can determine registration exemptions, depending on criteria such as quality and quantity of processed personal data, as well as the purpose of processing.
  •  An online system (“VERBIS”) will be established for registering and carrying out actions on the Registry.
  • Administrative fines between TRY 20,000 and TRY 1,000,000 will apply for failure to comply with the provisions of the Draft Regulation.
  • Legal entities with headquarters in Turkey must fulfil their obligations under the Law through the bodies or persons that are entitled to represent the legal entity.
  • Data Controllers residing abroad must appoint a legal entity residing in Turkey or a real person who is a Turkish citizen as their representative (a “Data Controller Representative”) and register with the Registry.
  • Data Controller Representatives will be entitled to:
  • Respond to requests by the Authority and third parties
  • Receive notices on behalf of the Data Controller.
  • Data Controller Representatives must appoint a contact person for communications with the Authority regarding the data controller’s obligations.
  • Data Controllers must prepare a “data protection retention and erasure policy” to meet the legislative retention periods.

Under the new regime, Data Controllers must prepare a “personal data processing inventory” outlining information about the Data Controller’s:

  • Personal data processing activities.
  • The purpose of data processing.
  • Data categories.
  • Transferees.
  • Data subjects.

The Draft Regulation clearly states the information to be disclosed to the Registry depends on the Data Controller’s personal data inventory. That is, Data Controllers must disclose the information they note in their data inventory to the Registry.

Please see this link for the full text of the Draft Regulation, announced on 5 May 2017 (only available in Turkish).

Subscribe

Within the scope of the Privacy Notice, which sets out the details regarding the processing of my personal data, I give my explicit consent to receive invitations and informational communications regarding events, conferences, seminars, and meetings organized by or attended by Moroğlu Arseven.

Get In Touch

You can contact us via our contact information or fill out the form below.

Privacy Notice
Approve