The registration obligation of second group data controllers to Data Controllers Registry (“Registry”) is announced by Data Protection Authority (“Authority”) through its decision dated 2 January 2019 (“Decision”).

Turkey’s Data Protection Board (“Board”) has extended the scope of data controllers which are exempt from registering with the Registry, as well as the registration dates which data controllers must comply with. This matter was previously discussed in our newsletter, as well.

The new Decision introducing additional declaration regarding the second group data controllers’ registration obligation included the following information:

  • The Data Controller Registry must be kept in a publicly available manner, under the Board’s supervision (Article 16 of the Law on Personal Data Protection number 6698). To this respect, data controllers must register with the Registry before processing personal data and within the term announced by the Board.
  • The registration obligation for data controllers whose annual employee number or annual net balance is above the limits determined by the Authority and all data controllers located abroad had already started on 1 October 2018.
  • The Decision announces that the registration obligation for data controllers determined as the second group who mainly process qualified personal data and whose annual net balances are below the thresholds determined by the Authority has started beginning from 1 January 2019. The registration obligation for the abovementioned data controllers must be complied with until 31 March 2020 at the latest.

Please see this link for the full text of the Decision dated 2 January 2019 (only available in Turkish).