The Law on Personal Data Protection No. 6698 (DPL) sets out obligations, principles and procedures that will be binding on natural or legal persons who process personal data.
Controllers that are not established in Turkey but process personal data of subjects in Turkey ("foreign controllers") must appoint a data controller representative ("representative") under the DPL and the Regulation on Data Controllers' Registry – a similar provision to the one in article 27 of the EU General Data Protection Regulation.
The representative must be located in Turkey and must be either a legal entity or a Turkish citizen. The representative must be vested with the powers below, as a minimum. They must have the authority to:
- receive or accept (on behalf of the data controller) notifications and correspondences made by the Data Protection Authority (DPA);
- transmit the demands made by the DPA to the data controller and submit the responses of the data controller to the DPA;
- receive data subjects' requests on behalf of the data controller and transmit the requests to the data controller in cases where no other principle has been determined by the DPA;
- transmit the data controller's response to the data subjects in cases where no other principle has been determined by the DPA; and
- perform operations relating to the Data Controllers Registry Information System (VERBIS) on behalf of the data controller.
The representative must be appointed with an appointment decision by the foreign controller. The appointment letter must contain the powers of the representative, as well as the full name and address of both the foreign controller and the representative. Lastly, the appointment letter must be notarised and apostilled, and sent to the representative.
There is no deadline under the legislation specific to the appointment of a representative. However, since the initial step that the representative will take would be to register the foreign controller with VERBIS, the deadline to register with VERBIS (31 December 2021) is also treated as the deadline to appoint a representative in Turkey.
It should be noted that since controllers have an obligation to receive, respond to and conclude data subject access requests (DSARs) and other requests relating to personal data in a timely and effective manner, many foreign controllers have been appointing representatives since 2020. Therefore, foreign controllers that process personal data collected from Turkey must appoint their representative without delay to prevent risks.
It should also be noted that there is no fine under the DPL for not appointing a representative. However, if the foreign controller cannot satisfy its obligation to receive, respond to and conclude DSARs and other requests relating to personal data in a timely and effective manner due to the missing representative, this may lead to complaints by data subjects to the DPA, which may result in administrative fines of up to 1,966,862 Turkish lira (approximately $218,338.40).
Further, if foreign controllers fail to appoint a representative and register with VERBIS by 31 December 2021, an administrative fine of up to 1,966,862 Turkish lira (approximately $218,338.40) may be imposed. It is also possible for the DPA to decide to restrict the data processing operations of the controller.
For further information on this topic please contact Burak Özdağıstanli, Sümeyye Uçar or Bensu Özdemir at Özdağıstanli Ekici Attorney Partnership by telephone (+90 216 230 07 48) or email ([email protected], [email protected] or [email protected]). The Özdağıstanli Ekici Attorney Partnership website can be accessed at www.ozdagistanliekici.com/