Registering With Data Controllers’ Registry and Its Exemptions

The Turkish Data Protection Law, which aims to provide data security, sets out rights and obligations for specific subjects. Those subjects fall into three categories: data subject, data processor and data controller. A data subject is a real person whose data is processed; a data controller is the real or legal person that determines the objectives and tools of processing of the personal data and is responsible for the establishment and management of a data recording system; a data processor is the real or legal entity that processes the personal data in the name of the data controller, with the authority bestowed by the data controller. The Data Protection Law sets forth the following essential responsibilities for data controllers:

  • Obligation to inform
  • Data safety obligations
  • Data Controllers’ Registry (“Registry”)
  • Data inventory
  • Appointing either a contact person or an authorised representative, depending on whether the data controller is based inside or outside of Turkey, to reply to applications made by data subjects
  • Ensuring that decisions of the Personal Data Protection Board (“Board”) are applied

This memo sets out the obligation to register with the Data Controllers’ Registry and its exemptions.

Data controllers are obliged to register with the Registry through an online information system called "VERBIS". Exemptions from registering with the Data Controllers’ Registry were published under the Board’s ruling in the Official Gazette in 2018.

Pursuant to the Personal Data Protection Law, a fine ranging from 20,000 to 1,000,000 Turkish Liras is applied for failure to comply with the obligation to register with the Registry. The amount of the fine is determined objectively by the Board according to the importance of the violation and the data controller’s category.

Data controllers are required to comply with their registration obligations according to the following schedule, depending on their categorization: 

  1. For data controllers whose number of yearly employees exceeds fifty or whose annual financial balance sum exceeds twenty-five million Turkish Liras; 01.10.2018 - 30.09.2019 
  2. For data controllers who are resident or established abroad; 01.10.2018 - 30.09.2019 
  3. For data controllers whose number of yearly employees is less than fifty and whose annual financial balance sum does not exceed twenty-five million Turkish Liras, but whose main business activity concerns the processing of special categories of personal data; 01.01.2019 - 31.02.2020 
  4. For data controllers who are public entities or public institutions; 01.04.2019 - 30.06.2020 

According to the Board's decisions in 2018, the following data controllers are exempt from the obligation to register:

  (i) real persons and legal entities that process personal data by non-automatic means, on the condition that such data are part of a data-filing system;
  (ii) notaries operating under the Notary Law No. 1512;
  (iii) associations founded under the Law No. 5253 on Associations, foundations established per the Law No. 5737 on Foundations, and trade unions established under the Law No. 6356 on Trade Unions and Collective Bargaining Agreements, which only process the personal data of their own employees, enrollees, members and donors, in accordance with the applicable legislation and its purposes and within the scope of their field of activity;
  (iv) political parties founded in accordance with the Law No. 2820 on Political Parties;
  (v) attorneys working under the Attorneyship Law No. 1136;
  (vi) certified public accountants and sworn-in public accountants operating under the Law No. 3568 on Public Accountancy and Auditing; and
  (vii) data controllers employing fewer than 50 employees and with an annual balance sheet total of less than 25 million Turkish Liras (unless the data controller’s main business activity is processing sensitive personal data).

By Nazlı Sezer, Attorney Sezer & Utkaner Law Firm