The Personal Data Protection Authority recently declared that the Data Controller Registry (VERBIS) will be active from 1 October 2018. Accordingly, the authority has announced, among other things, that data controllers which employ fewer than 50 employees, have an annual turnover of less than TRY25 million and process no special categories of personal data as their main field of activity will be exempt from the obligation to register with VERBIS. This article examines the impact that this may have on pharmaceutical companies.
On 19 July 2018 the Personal Data Protection Authority announced the following details of VERBIS registry obligations and corresponding deadlines:
- Registration with VERBIS for real person and legal entity data controllers which annually employ more than 50 employees or have an annual turnover exceeding TRY25 million will start on 1 October 2018 and must be completed by 30 September 2019.
- Registration with VERBIS for real person or legal entity data processors based outside Turkey will start on 1 October 2018 and must be completed by 30 September 2019.
- Registration with VERBIS for real person and legal entity data controllers which annually employ fewer than 50 employees or have an annual turnover under TRY25 million, but process special categories of data as their main fields of activity, will start on 1 October 2018 and must be completed by 30 September 2019.
- Registration with VERBIS for public institutions and organisations will start on 1 April 2019 and must be completed by 30 June 2020.
Real person or legal entity data controllers which employ fewer than 50 employees, have an annual turnover of less than TRY25 million and do not process special categories of data as their main fields of activity are exempt from the obligation to register with VERBIS. Despite this exemption, these data controllers are not exempt from their obligations under Turkish data protection legislation.
The VERBIS registration guidelines do not clarify how it will be determined whether a data controller's main field of activity is processing special categories of personal data. This will be important in determining whether pharmaceutical companies that employ fewer than 50 employees and whose annual turnover is less than TRY25 million will be exempted from registering with VERBIS.
The Personal Data Protection Law provides no clarity in this regard. However, comparing the EU General Data Protection Regulation (GDPR) and its secondary legislation with Turkish legislation may be useful. Articles 37(1)(b) and (c) of the GDPR refer to "core activities". Where the core activities of a data controller or processor consist of processing operations which – by virtue of their nature, scope or purpose – require the regular and systematic monitoring of data subjects on a large scale or where the core activities of a controller or processor consist of the large-scale processing of special categories of data pursuant to Article 9 of the GDPR or personal data relating to criminal convictions and offences referred to in Article 10 of the GDPR, such controllers or processors must designate a data protection officer.
'Core activity' is defined under the Article 29 Working Party guidelines as "key operations necessary to achieve the main objectives of the relevant business", such as the processing of health data by hospitals. A core activity is inextricably linked to a data controller's main objective. While there has been no explanation as to what a company's 'main field of activity' is intended to mean, it is possible that it is similar to 'core activities' as defined in the GDPR.
On another note, the personnel files of employees that include special categories of personal data (eg, an individual's health information or details of their criminal background) are regarded as 'ancillary' data.
In order to understand how a company's 'main field of activities' can be interpreted, the meaning of 'special categories of data' as set out in the GDPR and the Personal Data Protection Law should be considered. Under Article 9 of the GDPR, 'special categories of data' includes:
Racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation.
Although the processing of such data is prohibited by default, there are several exceptions. Notably for pharmaceutical companies, "data concerning health" is included as a special data category.
Similarly, Article 6 of the Personal Data Protection Law lists 'special categories of data' as:
Racial or ethnic origins, political opinions, philosophical beliefs, religion, membership to a religious sect or other beliefs, clothing, association, foundation or worker union membership, health, sexual life, criminal conviction or criminal safety measures, biometric or genetic data of a person.
As with the GDPR, the Turkish regulation also refers to health information as a special data category.
It remains to be seen whether the processing of special categories of data or "sensitive data" by pharmaceutical companies, especially due to pharmacovigilance requirements, will be interpreted as their main fields of activity by the authority, and how this will affect their obligations for registering with VERBIS.
For further information on this topic please contact E Sevi Firat or Ata Umur Kalender at Firat Izgi Attorney Partnership by telephone (+90 212 235 25 25) or email (firstname.lastname@example.org or email@example.com). The Firat Izgi Attorney Partnership website can be accessed at www.firatizgi.com.
This article was first published by the International Law Office, a premium online legal update service for major companies and law firms worldwide.