Introduction
What is a foreign controller?
Which foreign controllers must comply with the representative appointment and registration requirements?
Who can be a representative in Turkey?
What authority does the representative have?
How should a representative be appointed in Turkey?
Are there any other requirements?
What does the registration procedure involve?
What is the deadline to complete registration?
What are the risks of failing to comply with the requirements?
Natural or legal persons who process personal data under the Law on Personal Data Protection (No. 6698) (DPL) must register with the Data Controllers Registry Information System (VERBIS) before starting to process data. Data controllers that currently process personal data under the DPL must also register with VERBIS before 31 December 2021.
VERBIS registration is mandatory for:
- data controllers that are located outside Turkey, but that collect and process personal data (foreign controllers);
- data controllers that are located in Turkey and that have:
- 50 or more employees; and
- an annual turnover of more than ₺25,000,000 (approximately $2,500,000); and
- data controllers that are located in Turkey and whose core business involves the processing of sensitive personal data (eg, hospitals, doctors and insurance companies).
Certain exemptions apply to some entities (eg, attorneys and notary publics), meaning that they are not required to register regardless of their turnover and number of employees.
This article answers FAQs about the representative appointment and registration requirements of foreign controllers.
A "foreign controller" is a data controller (ie, a legal or real person who determines the purposes for which and the means by which personal data is processed) that is not located within Turkey.
Which foreign controllers must comply with the representative appointment and registration requirements?
Foreign controllers that collect personal data from Turkey and those that process personal data collected from Turkey are within the scope of the representative appointment and registration requirements.
Who can be a representative in Turkey?
Any Turkish legal or real person residing in Turkey can be appointed as a representative to represent a foreign controller in Turkey. This requirement is similar to article 27 of the EU General Data Protection Regulation.
What authority does the representative have?
The representative will be the contact point for the controller for any communication between the Turkish Data Protection Authority (the authority) and the controller. The representative will also be the contact point for data subject requests.
The representative must have the authority to:
- receive and accept, on behalf of the data controller, all types of correspondence and notifications sent by the authority;
- convey requests sent from the authority to the data controller and convey responses from the data controller to the authority;
- receive data subject requests and applications that are directed to the data controller and convey such requests and applications to the data controller;
- convey the data controller's responses to data subjects; and
- conduct all works and transactions on behalf of the data controller regarding VERBIS.
How should a representative be appointed in Turkey?
The representative can be appointed with an appointment letter or decision executed abroad. The appointment letter or decision must contain:
- the legal name and address of the controller;
- the legal name and address of the representative;
- the authorities provided to the representative; and
- the date of the appointment letter or decision.
The appointment letter must be signed by the authorised persons of the controller. The signed appointment letter must be notarised in the place of signing. Further, the notarised document must be apostilled in line with the Hague Convention.
The representative will further legalise the document once the original notarised and apostilled document is received.
Are there any other requirements?
The privacy policy or notice must contain information about the identity of the controller as well as the representative. Therefore, the name and contact details of the representative must be provided in the privacy notice.
What does the registration procedure involve?
Foreign controllers can only register after appointing a representative.
Once the representative is appointed, the representative will enter their information and that of the foreign controller on VERBIS.
After filling in the initial information (eg, address and contact information) the registration must be completed by filing the processing records on VERBIS. Information about the following must be provided using the VERBIS interface:
- data categories;
- data subject categories;
- purposes of processing;
- recipient groups;
- international transfers;
- retention time;
- technical and administrative measures; and
- information regarding international transfers.
What is the deadline to complete registration?
The deadline is 31 December 2021.
What are the risks of failing to comply with the requirements?
An administrative fine of up to ₺1,966,862 (approximately $193,000) may be imposed. This fine amount will be subject to an increase in 2022 depending on the revaluation percentage, which is expected to be around 36%, making the administrative fine approximately $262,000.
The authority may also decide to restrict the controller's data processing operations.
For further information on this topic please contact Burak Özdağıstanli, Sümeyye Uçar or Bensu Özdemir at Özdağıstanli Ekici Attorney Partnership by telephone (+90 216 230 07 48) or email ([email protected], [email protected] or [email protected]). The Özdağıstanli Ekici Attorney Partnership website can be accessed at www.ozdagistanliekici.com/