Turkey’s Data Protection Board (“Board”) has extended the scope of data controllers which are exempt from registering with the Data Controllers Registry (“Registry”), as well as the dates which data controllers must register. The Board has also published new rulings which shed light on some important matters regarding personal data processing.

Additional criteria extending the scope of data controllers who will be exempt from registration to the Registry 

In addition to the data controllers exempt from registration, data controllers which employ less than 50 employees and with an annual balance sheet total less than 25 million Turkish Liras turnover are also exempt from the requirement to register with the Registry (unless the data controller’s main business activity is processing sensitive personal data). Customs brokers and mediators are also released from such obligation previously. The Board’s ruling number 2018/87 was made on 19 July 2018.

Earlier exemptions are outlined in the following Board decisions:

  • 2018/32 on 2 April 2018 (more).
  • 2018/68 on 28 June 2018.
  • 2018/75 on 5 July 2018.

Accordingly, the Board has exempted the following categories of data controllers from registering with the Registry to date:

  • Data controllers employing less than 50 employees and with less than 25 million Turkish Liras annual balance sheet total (unless the data controller’s main business activity is processing sensitive personal data).
  • Data controllers which process personal data through non-automatic means, provided the processing is part of a data filing system.
  • Public notaries.
  • Associations.
  • Foundations.
  • Unions.
  • Political parties.
  • Lawyers.
  • Public accountants and sworn-in public accountants.
  • Customs brokers and authorized customs brokers.
  • Mediators.

Registration deadlines announced

The Board has announced the dates when data controllers’ must register with the Registry. Failures to comply with these dates risks a fine ranging from 20,000 and 1,000,000 Turkish Liras.

  • 1 October 2018 to 30 September 2019:
    • Data controllers which employ 50 or more employees.
    • Data controllers with annual balance sheet total of 25 million Turkish Liras or more.
    • Data controllers located abroad.
  • 1 January 2019 to 31 March 2020: Data controllers which employ less than 50 employees and with annual balance sheet total below 25 million Turkish Liras and their main business activity is to process sensitive personal data.
  • 1 April 2019 to 30 June 2020: Public authorities which are data controllers.

Recent Board Rulings

The Board has announced three new rulings regarding processing personal data. Notable points from the rulings include:

  • The Board has refused a data subject’s request to remove his/her name from a column in a journal, on the basis that freedom of press overrides their right to privacy.
  • The Board imposed fines on:
    •  A hospital which could not provide an adequate level of protection for patients’ personal data.
    • A career platform which shared an applicant’s personal data with other applicants without any legal basis.
    • A company which shared an applicant’s CV with the other group companies, without the applicant’s consent.

Please see this link for full text of the Board’s ruling on the recent exemption and registration deadlines. Please see this link for the full text of the Board’s rulings regarding personal data processing (both links are only available in Turkish).

Information first published in the MA | Gazette, a fortnightly legal update newsletter produced by Moroğlu Arseven.

Article co-authored by Ülkü Solak