From June this year data controllers established outside of Turkey are required to be registered with the Turkish Data Protection Authorities if they process Turkish residents’ personal data. This for instance applies if an online-shop is offering goods or services to residents in Turkey. Our colleague Sidika Baysal of B+B Legal in Istanbul has put together FAQ on the new registration requirement.
If you have questions regarding this new registration obligation, do not hesitate to contact us or directly speak to Sidika: phone +90 212 219 1630; email: sbaysal@bb-legal.com
1. Where does this requirement come from?
Pursuant to the Turkish Law on the Protection of Personal Data no.6698 (the “Law”), the Personal Data Protection Authority (Kişisel Verileri Koruma Kurumu) (the “Board”) has issued the Regulation on Data Controller’s Registry (the “Regulation”) to be entered into force as of January 1st, 2018.
The Law and the Regulation require data controllers to be registered to a public platform, namely Verbis (Data Controllers Registry System), where they will record their personal data processing activities (i.e. category of persons whose data are processed by them, which personal data they process, for which purpose they are processed, legal basis of processing activity, to whom data are transferred either in Turkey or abroad, for how long the processed data be stored by the data controller, and technical and organizational measures for providing appropriate level of security in order to prevent unlawful processing of the personal data, prevent unlawful access to the personal data and safeguard the personal data) before they commence to process personal data.
According to the Regulation, data controllers established outside of Turkey are also required to be registered on Verbis if they process Turkish residents’ personal data (i.e. offering goods or services to Turkish residents).
2. Is there any exemption for this requirement?
Although there are exemptions for registry in favor of Turkish data controllers which smaller businesses and for certain processing activities, no exemptions are provided for data controllers established outside of Turkey, which means; any data controller out of Turkey processing Turkish residents’ personal data falls under this requirement.
3. How can we register?
Verbis is an online platform where data controllers may register on the following address: https://verbis.kvkk.gov.tr/ The platform is provided only in Turkish.
In order to be able to register on Verbis; data controllers established outside of Turkey must first assign a ‘data controller representative’ who is either a Turkish person residing in Turkey or a Turkish resident legal entity, through a notarized and apostilled corporate document to be issued duly by their relevant corporate units (a board resolution or a shareholders resolution whichever is authorized under your jurisdiction). Such data controller representative will also assign a ‘contact person’ who must be a Turkish citizen, residing in Turkey. Note that data controller representative and contact person can be the same person and they do not have to be a person employed by the registering company or by the data controller representative.
4. What is recorded on Verbis? Is it a one-off registration?
The record on Verbis must reflect the data inventory of the company. Thus, before registering on Verbis, companies need to prepare a data inventory which will include, basically, category of persons whose data are processed, which personal data are processed, for which purpose they are processed, legal basis of processing activity, to whom data are transferred either in Turkey or abroad, for how long the processed data will be stored, and technical and organizational measures for providing appropriate level of security in order to prevent unlawful processing or access to the personal data.
Based on the oral information obtained, the Authority expects data that need to be recorded on Verbis to include only the data that are owned by Turkish residents. Thus, you will need to refer to a limited inventory which covers the data only belonging to Turkish residents processed.
Entries on Verbis must be accurate, reflect the actual data processing activities and in case of any changes, the record on Verbis must be updated within seven days.
5. Is there a deadline to register?
This registry requirement for data controllers established outside of Turkey was supposed to be fulfilled by the end of 2019, however the Authority has extended such deadline up to 30 June 2020.
6. What happens if we do not register?
The Law envisages administrative penalty at an amount from 36,050 Turkish Liras to 1,802,640 Turkish Liras in case of failure to register on Verbis. The ranges of such sanctions are determined widely so that it may be applied at different levels by taking into consideration the weight of breach.
Yonetici Ortak | Managing Partner at B + B Legal; http://www.bb-legal.com/en
If you have questions regarding this new registration obligation, do not hesitate to contact us or directly speak to Sidika: phone +90 212 219 1630; email: sbaysal@bb-legal.com