The last day of the obligation to register in the Data Controllers' Registry is extended to 31.12.2019 for the real and legal person data controllers who have more than 50 employees annually or the total annual financial balance of more than 25 million TRY, and for all real and legal person data officers residing abroad. Failure to fulfil this obligation may result in an administrative fine of 20,000 Turkish Liras to 1,000,000 Turkish Liras for data controllers.

Who is the Data Controller?

According to the Law No. 6698 on the Protection of Personal Data, the data controller is the natural or legal person who determines the purposes of processing personal data and necessary procedures to store personal data. The data controller is also responsible for establishing and managing the data registry system. All natural and legal persons residing abroad are data controllers if they are processing the data of citizens of the Republic of Turkey since the Law on the Protection of Personal Data is extraterritorial.

What is the Data Controllers' Registry, Who is Required to Register?

The Data Controllers' Registry is controlled and managed by the Presidency of the Turkish Data Protection Authority under the supervision of the Personal Data Protection Board. According to the Law on the Protection of Personal Data, data controllers are required to register with the Data Controllers' Registry.

The Personal Data Protection Board has made an exemption to the requirement to register in the Data Controllers' Registry for real and legal person data controllers whose annual number of employees is less than 50 and whose total annual financial balance is less than 25 million TRY. This exemption does not apply to data controllers residing abroad.

What Happens if the Obligation to Register in the Data Controllers' Registry is Not Complied?

According to Article 18 of the Law on the Protection of Personal Data, the Board may impose an administrative fine of 20,000 Turkish Liras to 1,000,000 Turkish Liras for those who do not fulfil the obligation to register and notify the Data Controllers' Registry.

When is the Last Day to Register in the Data Controllers' Registry?

According to the decision of the Personal Data Protection Board dated 19.07.2018 and numbered 2018/88;

  • The last day to register with the Data Controllers' Registry, for real and legal person who are controlling data who have more than 50 employees or an annual balance sheet total of more than 25 million TRY was 30.09.2019.
  • The last day to register for real and legal persons who are controlling data and who are residing abroad was 30.09.2019.
  • The last day to register for real and legal persons who are controlling and processing sensitive (special categories of) data but having less than 50 employees and an annual balance sheet total of less than 25 million TRY was 31.03.2020.

How long has the Deadline been Extended for Registration to the Data Controllers' Registry?

According to the recent decision of the Personal Data Protection Board dated 03.09.2019 and numbered 2019/265, to register with the Data Controllers' Registry;

  • Real and legal person who are controlling data and who have more than 50 employees annually or an annual balance sheet total of more than 25 million TRY must register until 31.12.2019.
  • Real and legal persons who are controlling data and who are residing abroad must register until 31.12.2019.

The last day to register for real and legal persons who are controlling and processing sensitive (special categories of) data but having less than 50 employees and an annual balance sheet total of less than 25 million TRY remained as 31.03.2020.

How are Annual Employee Numbers Calculated?

In order to calculate the annual number of employees, reports named "Withholding and Bonus Service Declaration" which are submitted to Social Security Institution on a monthly basis by the data controllers in each of at least 7 of 12 months in a completed year must be taken into account. Furthermore, it is not obligatory for these 7 months to be consecutive within the year.

According to this, a data controller is obliged to register if the number of employees declared on the Withholding and Bonus Service Declarations is more than 50 on at least 7 out of the 12 reports.

How is the Annual Financial Balance Sheet Calculated?

In calculating the total annual financial balance sheet, firstly there should be a completed year and the financial balance sheet information given in the financial statements enclosed to 'income or corporate tax declarations' given to the authorized public institution by the data controller in such completed year must be taken into consideration. Accordingly, the total figure in the "assets" and "liabilities" section of the balance sheet annexed to the declaration of the data controller should be taken as a basis. Annual turnover or net sales / gross sales revenue information should not be considered.

What should be notified in the application for registration with the Data Controllers' Registry?

In the application for registration with the Data Controllers' Registry the following information shall be reported;

a) Identifying information (including the address) of the data controller or its representative,

b) The purpose of the data processing,

c) The data subject groups and explanations on such data categories,

d) Recipient or recipient groups to which the data may be transferred,

e) Any personal data which may be transferred abroad,

f) The data security measures taken,

g) The maximum time for processing personal data (which must be in accordance with the purpose of the data processing),

h) In case of any change in the information listed above, such change shall be notified to the Authority immediately.

This information should be based on the Personal Data Processing Inventory.

What is the Personal Data Processing Inventory?

Personal Data Processing Inventory is defined as the inventory in which data controllers explain in detail the personal data processing activities in connection with their business processes, personal data processing purposes, data categories, the recipient group to which the data is transferred, data subject group and the maximum amount of time required for the purposes of processing personal data, personal data foreseen to be transferred to foreign countries and data security measures taken. Data storage and destruction policies should be prepared with the inventory.

What happens if the Personal Data Processing Inventory is not Prepared?

In the guidance on technical and administrative measures published by the Board, preparation of the inventory is considered among the administrative measures to be taken. Therefore, if the inventory is not prepared, the measures related to the data security mentioned in the Article 12 of the Law on the Protection of Personal Data will be considered as not being performed. Therefore, administrative fines of 15,000 Turkish lira to 1,000,000 Turkish lira may be imposed by the Board.

How to Register with the Data Controllers' Registry?

Registration with the Data Controllers' Registry can be made via VERBIS which can be reached through the Board's website. A representative who is a natural person and has a Turkish citizenship or legal entity in Turkey should be appointed by a data controller who is not resident in Turkey in order to communicate with the Personal Data Protection Board and to perform transactions related to the Data Controllers' Registry on behalf of the data controller.

For the data controllers, a contact person should be assigned via VERBIS to carry out the registration procedures to Registry. The contact person should be a real person as he/she performs his/her duties of ensuring communication between the data controller and the board and carrying out the registration procedures. The real person data controller himself/herself or their representative, or a member of the board of directors of the company or any third party may be appointed as a contact person. The Board recommends that the contact person be selected from persons who are familiar with the personal data processed in the company.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.