Turkey’s Data Protection Authority (“Authority”) recently held a two week public consultation period on the details of draft legislation which establishes the Data Controller Registry (“Registry”), ending on 20 May 2017. Stakeholders could submit opinions and suggestions to the Authority.

The Data Protection Law introduced numerous obligations for natural and legal persons who process personal data in Turkey (“Data Controller”). Data Controllers must register with the Registry before they begin to actively process personal data (Article 16 of the Law).

Key points under the Draft Data Controller Registry Regulation (“Draft Regulation”) include:

  • Data Controllers must register with the Registry before they begin to actively process data and persons or entities which later become under the scope of the proposed legislation will have 30 days to register.
  • The Authority can determine registration exemptions, depending on criteria such as quality and quantity of processed personal data, as well as the purpose of processing.
  •  An online system (“VERBIS”) will be established for registering and carrying out actions on the Registry.
  • Administrative fines between TRY 20,000 and TRY 1,000,000 will apply for failure to comply with the provisions of the Draft Regulation.
  • Legal entities with headquarters in Turkey must fulfil their obligations under the Law through the bodies or persons that are entitled to represent the legal entity.
  • Data Controllers residing abroad must appoint a legal entity residing in Turkey or a real person who is a Turkish citizen as their representative (a “Data Controller Representative”) and register with the Registry.
  • Data Controller Representatives will be entitled to:
  • Respond to requests by the Authority and third parties
  • Receive notices on behalf of the Data Controller.
  • Data Controller Representatives must appoint a contact person for communications with the Authority regarding the data controller’s obligations.
  • Data Controllers must prepare a “data protection retention and erasure policy” to meet the legislative retention periods.

Under the new regime, Data Controllers must prepare a “personal data processing inventory” outlining information about the Data Controller’s:

  • Personal data processing activities.
  • The purpose of data processing.
  • Data categories.
  • Transferees.
  • Data subjects.

The Draft Regulation clearly states the information to be disclosed to the Registry depends on the Data Controller’s personal data inventory. That is, Data Controllers must disclose the information they note in their data inventory to the Registry.

Please see this link for the full text of the Draft Regulation, announced on 5 May 2017 (only available in Turkish).