The Regulation on Data Controllers Registry (the “Regulation”), prepared by the Data Protection Authority (the “Authority”), was published on December 30, 2017. The Regulation entered into force on January 1, 2018.
The Regulation establishes the obligation to register with the Data Controllers Registry (the “Registry”) provided in Article 16 of the Law on the Protection of Personal Data (the “Law”), which will be supervised by the Personal Data Protection Board (the “Board”) and open to public access.
What the Regulation Says
In principle, all data controllers must register with the Registry prior to initiating activities that involve processing of personal data. The Authority may introduce exemptions to the registration obligation, taking into account the exemption criteria provided in Article 16 of the Regulation.
The data controllers must register with the Registry by submitting the required information on the Data Controllers Registry information system (Tr. VERBİS), accessible through the Internet, and to be established by Data Management Chamber Presidency.
The data controllers must prepare and implement a personal data processing inventory and personal data retention and deletion policy, constituting the basis of the submitted information to VERBİS.
Data controllers residing in Turkey must assign a contact person who will be responsible for the provision and management of communication between the Authority and the data controller, and notify the contact person's contact details during registration. Non-resident data controllers, on the other hand, must assign a data controller representative, who will be authorized to represent the data controller on the matters provided in Article 11 of the Regulation, and must register the pertinent information with the Registry.
Actions to Consider
Particularly for companies that have not commenced any compliance projects with regard to the Law, the Regulation introduces rather onerous requirements for data controllers, complete implementation of which may require allocation of workload and budget.
The data controllers in general must:
- prepare and implement a personal data processing inventory;
- prepare and implement a personal data retention policy; and
- assign a contact person- in case of non-resident data controllers, assign a data controller representative; and
- register with the Registry upon establishment of VERBİS.
Noncompliance with the registration and notice requirements with the Registry may result in an administrative fine from TRY 20,000 to TRY 1,000,000.