Turkey has announced procedures and principles for registering with the Data Controllers Registry (“Registry”) by real persons and legal entities responsible for establishing and managing data recording systems (“Data Controller”). It has also outlined processing methods for personal data, along with details about applications and information which must be filed with the Registry.

The Regulation on Data Controller Registry (“Regulation”) was published in Official Gazette number 30286 on 30 December 2017. A draft version of the Regulation was previously published on the Data Protection Authority’s (“Authority”) website and is discussed here.

The Data Controller Registry must be kept in a publicly available manner, under the Data Protection Board’s (“Board”) supervision (Article 16 of the Law on Personal Data Protection number 6698; “Law”).

Data Controllers must register with the Registry before processing personal data and within the term announced by the Board. Parties which later fall within the Regulation’s scope must register within 30 days.

Data Controllers will be required to register online by uploading the required information to the Data Controllers Information System (“VERBIS”). VERBIS will be established and governed by the Data Management Office and used for registration, as well as conducting Registry actions.

The Authority recently announced that the registration obligation will apply once VERBIS becomes operational and a commencement date has been declared. Despite this, Data Controllers must still fulfill all other obligations under the Law and the related regulations, even though they are not yet required to register.

The Board can determine exceptions to the registration requirement, considering the criteria outlined in Article 16 of the Regulation. These criteria include the quality and quantity of processed personal data, as well as the processing duration.

Legal entities located in Turkey must appoint a contact person responsible for communicating with the Authority and must notify this person’s identity and address during registration.

Data Controllers residing abroad must appoint a data controller representative, who is authorized for matters determined under Article 11 and will notify necessary information during registration.

The information disclosed to the Registry will be based on the Data Controller’s personal data processing inventory. The personal data inventory must include:

  • Purposes of personal data processing.
  • Data category.
  • Recipient group.
  • Data subject group.
  • Maximum time required for the purposes for which the personal data are processed.
  • Personal data foreseen to be transferred to foreign countries.
  • Measures taken regarding data security.

The Regulation requires Data Controllers to also prepare and implement personal data retention policy. 

Failure to comply with the Regulation could result in administrative fines between 20,000 and 1,000,000 Turkish Liras.

Please see this link for the full text of the Registry Regulation (only available in Turkish).

Information first published in the MA | Gazette, a fortnightly legal update newsletter produced by Moroğlu Arseven.