The Official Gazette dated April 28, 2019 introduced amendments concerning i) "Regulation on Data Controllers' Registry", ii) "Regulation on the Erasure, Destruction or Anonymisation of Personal Data"1 and iii) "Communique on the Principles and Procedures to be Followed in the Fulfilment of the Obligation to Inform".

In addition to the legislative changes, on the same date the Turkish Personal Data Protection Authority ("The Authority") also published a "Guideline on Preparation of Personal Data Processing Inventory". You can find a short explanation with regards to this guideline in our article.

I. Amendments to the Regulation on Data Controllers' Registry ("Registry")

  • As a consequence of the amendments affecting the definitions clause of the regulation, certain additions were made to contact person and personal data processing inventory definitions. Following these additions, it is stated that;
    • The contact person who will communicate with the Board pursuant to its legal obligations shall be;
      1. The data controller for natural and legal persons resident in Turkey;
      2. notified by the representative of the data controller at the time of registration to the Registry, for natural and legal persons non-resident in Turkey;
    • Personal Data Processing Inventory shall include;
      • The legal ground for processing personal data and the maximum storage period required for the purpose of processing data in addition to personal data processing activities, personal data processing purposes, data categories, the recipient group to whom the data is transferred, data transfers abroad and precautions taken for data security.2
  • Preparation of a Personal Data Processing Inventory became a legal obligation for data controllers who are obliged to register to the Registry.
  • Details about the contact person are excluded from the scope of information provided in the Registry and information to be disclosed to public.
  • The regulation states that any change in the information provided in the Registry shall be notified to the Board within 7 (seven) days, starting from the date the change has occurred.
  • Being in line with its previous decisions, The Personal Data Protection Board ("the Board") included the annual employee number of the data controller and the sum of annual financial statements as criteria to be evaluated while considering any exemptions to registration obligation to the Registry exists.

II. Amendments to the Communique on the Principles and Procedures to be Followed in the Fulfilment of the Obligation to Inform

  • In respect of the personal data processed for different purposes in different units of the data controller, the relevant clause which regulates the requirement to separately fulfil the information obligation for each unit has been abolished.
  • Before the amendment, the Data Registration System was defined as "Any kind of environment where personal data is processed by whether fully or partially automated means or by non-automated means as part of any data recording system" while along with the amendment it is defined as "The registration system where personal data is processed by configuring according to certain criteria".

III. Guideline on Preparation of Personal Data Processing Inventory

In the published guideline it is stated that the data controllers who are obliged to register at Registry, are obliged to prepare a Personal Data Processing Inventory which shall include:

  • Personal data processing activities,
  • Personal data processing purposes and legal ground for processing personal data,
  • Personal data categories,
  • The recipient group to whom the data is transferred,
  • The maximum storage period required for the purpose of processing data,
  • Data transfers abroad and
  • The technical and administrative precautions taken for data security.

In addition, it is also stated that the VERBİS and Personal Data Processing Inventory are different concepts but the Personal Data Processing Inventory will be used as a resource during the registration to VERBİS.

Conclusion

With all being said, we would like to emphasize once more the importance of following the changes in the legislation and accordingly revisiting relevant procedures and policies as data controller firms.

Footnotes

1. The changes made in the Regulation on the Erasure, Destruction or Anonymisation of Personal Data are only formal changes which will not be changing the principles of implementation of the legislation.

2. Pursuant to this amendment to the definition of Personal Data Processing Inventory, all relevant legislation have adopted the new definition.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.