On 28 April 2019, the Turkish Data Protection Authority (“Authority”) amended the following:
- Regulation on Deletion, Destruction or Anonymization of Personal Data,
- Regulation on the Data Controllers’ Registry,
- Communiqué on the Procedures and Principles on Implementation of the Duty to Inform.
Significant amendments can be summarized as follows:
- The definition of “Personal Data Processing Inventory” has been changed to require that the inventory contain the legal basis for the personal data processing. Further, the Authority clarified that “maximum periods of time required for the purposes of data processing” refers to the “maximum periods of time for the retention of personal data.”
- The definition of the “Contact Person” has been amended. The Authority has also explained that real persons residing in Turkey and abroad are required to identify and notify a contact person to communicate with the Authority.
- It has been expressly stated that only data controllers who are obliged to register with the Data Controllers’ Registry (“VERBIS”) are under the obligation to prepare a data processing inventory.
- The definition of “Data Registry System” has been extended to cover all kinds of registry systems where data is processed by being structured in accordance with certain criteria.
- In case the personal data is processed for different purposes by different units of the data controller, the requirement to fulfill the obligation to separately inform each unit has been abolished.
- The Authority clarified that the 7 (seven) day period for notification of any change made to the information registered within VERBIS will commence as of the date of occurrence of the change.
- Details of the contact person have been excluded from the scope of information provided in VERBIS and to be disclosed to the public.
- The contact person’s duty to respond to requests conveyed by the data subjects has been excluded from the Regulation on the Data Controllers’ Registry.
- Data controllers’ annual number of employees or the total of the annual financial statements has been included as a criterion to evaluate the obligation to register to VERBIS.
- Data controllers are now obliged to disclose their methods of deletion, destruction and anonymization of personal data in their respective policies and procedures.
In addition to the above, the Authority has prepared and published the Guide on Preparing Data Processing Inventories to determine the details of the preparation of the data inventory.
Please see the links below for the full texts of the regulations published in the Official Gazette numbered 30758 on 28 April 2019 and the guide published by the Authority on 30 April 2019 (only available in Turkish):
(i) Regulation Amending the Regulation on Deletion, Destruction or Anonymization of Personal Data,
(ii) Regulation Amending the Regulation on the Data Controllers’ Registry