REGISTRATION WITH THE DATA CONTROLLERS REGISTRY

The Regulation on the Data Controllers Registry (the “Registry Regulation“) had come into force on 1 January 2018 pursuant to the Law on the Protection of Personal Data Numbered 6698 (the “Data Protection Law“). The Registry Regulation requires data controllers (in Turkish, “veri sorumlusu”) to be registered with the official Data Controllers Registry (the “Registry“, in Turkish, “veri sorumluları sicili”).

The registry information system of data controllers (in Turkish, “VERBİS”) is going to be used by the data controllers to be registered with the Registry. The application of registration shall include the below information:

1. Identification, address and other information to be required by the Personal Data Protection Board (the “Board”) regarding the Data Controller, the representative of the Data Controller, if any and the contact person,
2. Purposes of processing the personal data,
3. Explanations about the data subject group(s) and the data categories belonging to these data subjects,
4. Receivers or receiver groups to whom the personal data may be transferred,
5. Personal data that may be transferred abroad,
6. The precautions to be taken as per the criteria determined by the Board in accordance with article 12 of the Data Protection Law,
7. Maximum storing term of the personal data required by law or necessary for achieving the purposes of processing.

Hardcopy or any other ways of application not using VERBIS will not be accepted.

For legal entities, the data controller is the legal entity itself. The body authorized to represent the legal entity may appoint one or more person(s) to fulfill the obligations arising from the Data Protection Law. However, such an appointment does not release the liability of the legal entity.

Data controllers residing abroad are also obliged to be registered with the Registry by a

way of a representative.

Some groups of data controllers have been exempted from the obligation of registration through the various decisions of the Board adopted this year e.g. (i) attorneys, (ii) associations, foundations and unions that process only the personal data of their employees, members and benefactors limited with their field of operation and for the purposes governed/ allowed in the relevant legislation, (iii) data controllers having less than 50 (fifty) employees or with an annual balance sheet less than TRY 25,000,000 (twenty five million Turkish Liras) provided that their major area of activity is not the processing of sensitive data, (iv) customs brokers, (v) mediators etc.

Data controllers should notify the Data Protection Authority (in Turkish, “Kişisel Verileri Koruma Kurumu”)  within  7 (seven) days through VERBIS of any changes in  the information they have registered with the registry.

If the data controllers who are exempted from the registration requirement later fall under the scope of the requirement, they should be registered with the Registry within 30 (thirty) days beginning as of the commencement of their obligation.

As per the decision of the Board numbered 2018/88 and dated 19 July 2018, the time frame set forth for completing the registration requirement for different groups of data controllers are as follows:

• For the real or legal person data controllers whose annual number of employees is more than 50 (fifty) or the annual financial balance sheet is more than TRY 25,000,000 (twenty five million Turkish Liras), the obligation to register with the Registry begins on 1 October 2018 and ends on 30 September 2019.
• For the real or legal person data controllers residing abroad, the obligation to register with the Registry begins on 1 October 2018 and ends on 30 September 2019.
• For the real or legal person data controllers having less than 50 (fifty) employees annually and an annual financial balance sheet less than TRY 25,000,000 (twenty five million Turkish liras) but whose major area of activity is processing sensitive data, the obligation to register with the Registry begins on 1 October 2019 and ends on 31 March 2020.
• For the data controllers of public institutions and organizations, the obligation to register with the Registry begins on 1 April 2019 and ends on 30 June 2020.

As per article 17/1 of the Registry Regulation, data controllers who fail to register with the Registry or fail to comply with the contents/ requirements of the Registry Regulation may be imposed to an administrative fine beginning from TRY 20,000 (twenty thousand Turkish Liras) up to TRY 1,000,000 (one million Turkish Liras) at the Board’s discretion.

Our Law Firm remains at your disposal for any further information you may need.