Amendments have been published in the Official Gazette of April 28,2019 concerning three different pieces of data protection legislation. The amendments are regarding (i) the Regulation on Erasure, Destruction or Anonymization of Personal Data, (ii) the Regulation on Data Controllers' Registry, and

(iii) the Communiqué on Procedures and Principles for Compliance with the Obligation to Provide Information.

- Amendment to the Regulation on Erasure, Destruction or Anonymization of Personal Data

Amendment to the Regulation on Erasure, Destruction or Anonymization of Personal Data[1] ("Amendment to Erasure Regulation") introduces three changes. The first amendment is in the definition of "personal data processing inventory". The definition of "personal data processing inventory" has been amended and now reads as: "The inventory that is established by the data controllers through the association of their personal data processing activities related to their business processes with the purposes of processing personal data and legal reason, data category, transferred recipient groups and data subject group and that is detailed by data controllers by explaining the minimum retention period required to process personal data, personal data intended for transfer abroad and the measures taken to ensure data security".

The previous definition did not include the "legal reason" and "retention period' among items that should be detailed in the data processing inventory.

The second amendment pertains to Article 7/4 of the Erasure Regulation. The amendment slightly changes the wording in this article as "data controller is obliged to disclose the method it applies in relation to the erasure, destruction or anonymization of personal data, in its policies and procedures". This amendment only added the term "or" between "destruction" and "anonymization".

The last amendment is regards to references in Article 12 of the Erasure Regulation. Previously, Article 12 of the Erasure Regulation set out the data controllers' obligations relating to the erasure and destruction periods and referred to Article 13 of the Law No. 6698 on Protection of Personal Data ("DP Law"), which regulates the procedure for application to the data controller. With this new amendment to the Erasure Regulation, Article 12 also includes reference to Article 11 of the DP Law, which gives data subjects the right to request erasure or destruction of their data. Therefore, the first sentence of Article 12 of the Erasure Regulation is amended as "when the data subject applies to the data controller for the erasure or destruction of the personal data that belongs to him/her as per Article 11 and Article 13 of the Law".

- Amendment to the Regulation on Data Controllers' Registry

The amendment to the Regulation on Data Controllers' Registry[2] includes six changes. The first amendment is on the definitions of "contact person", "personal data processing inventory" and "data controller representative". The change in the definition of "personal data processing inventory" is identical with the change made in the Amendment to the Erasure Regulation, as previously explained.

The new definition of "contact person" states that the contact person is "the real person who is notified to the Data Protection Authority ("Authority") during registration to the Data Controllers Registry ("Registry") by the data controllers (for the real or legal persons residing in Turkey), or by the data controller's representative (for the real and legal persons residing outside of Turkey) to ensure the communications to be made by the Authority regarding the obligations of the legal entities within the scope of the DP Law and secondary legislations based on the DP Law". In light of this definition, the Amendment to the Regulation on Data Controllers' Registry clarifies the persons who will notify the Authority on the contact person, according to the residency of the data controller.

The definition of "data controller's representative" is also amended. The amendment merely changes the reference previously made to Article 11/2 of the Regulation on the Data Controllers' Registry to Article 11/3 of the same regulation, which sets out the contents of the representative appointment decisions.

The second amendment is on Article 5 of the Regulation on Data Controllers' Registry and covers principles and procedures. The amendment adds a provision to Article 5/1/ç stating that "data controllers, who are obliged to register to the Data Controllers Registry, are obliged to prepare a Personal Data Processing Inventory".

Amendment to the Regulation on Data Controllers' Registry also amends the Article 5/1/g by revising the term "maximum period" as "maximum retention period". The amended provision is as follows: "The maximum retention period necessary for the purposes of processing personal data presented to the Registry by the data controllers and published in the Registry shall be taken into account during the performance of the data controllers' obligation to erase, destroy or anonymize, per Article 7 of the Law."

The third amendment pertains to Article 7 of the Regulation on Data Controllers' Registry. The amendment removes "contact person's name and address" which was previously information that should be declared to public in the Registry under Article 7/2.

The fourth amendment is on Article 11 of the Regulation on Data Controllers' Registry. Amendment to the Regulation on Data Controllers' Registry amends Article 11/4 by adding a sentence that clarifies the person who will enter their contact person information to the Registry by stating that "Data controllers residing in Turkey and data controller representatives on behalf of data controllers not residing in Turkey shall enter their contact person information to the Registry during the registration." The Amendment to the Regulation on Data Controllers' Registry also removes a sentence set forth under the same provision which previously stated that "contact person ensures the communication with regards to answering requests directed at data controllers by the data subjects."

Amendment to Article 11 also introduced the terms "who will ensure the coordination" for specifying the senior manager that will appoint contact person of public institutions or agencies. The current provision is now as follows: "contact person of public institutions or agencies is the head of department or its superior manager who is designated by senior manager who will ensure the coordination for communication with the Authority and registered before the Registry."

Another amendment made to the Regulation on Data Controllers' Registry pertains to Article 13 and it clarifies the starting date of the time period designated for notification of the changes in the enrollment information. Accordingly, in case of changes in the Registry enrollment information, data controllers will inform the Authority within seven (7) days as of the date of the change, through VERBIS.

The last amendment made through the Amendment to the Regulation on Data Controllers' Registry is in the Article 16 and adds "information on number of yearly employees or yearly financial balance sum" as one of the criteria that will be considered for the exemptions to the enrollment obligation by the Board.

- Amendment to the Communiqué on Procedures and Principles for Compliance with the Obligation to Provide Information

The amendment to the Communiqué on Procedures and Principles for Compliance with the Obligation to Provide Information[3] ("Amendment Communiqué") includes two changes.

Amendment Communiqué introduces a new and shorter definition of data registration system as "the registration system wherein personal data is processed and registered in accordance with certain criteria".

The definition of "data controller's representative" has also been amended. The amendment merely changes the reference previously made to Article 11/2 of the Regulation on the Data Controllers' Registry to Article 11/3 of the same regulation which sets out the contents of the representative appointment decisions, as in the Amendment to the Regulation on Data Controllers' Registry.

Amendment Communiqué also removes Article 5/1 (c) of the Communiqué on Procedures and Principles for Compliance with the Obligation to Provide Information. The removed Article 5/1 (c) read as the following: "If personal data is processed in different departments of the data controller for different purposes, obligation to provide information should be complied with separately for each department."

In conclusion, the amendments made to the data protection legislation do not introduce substantial or significant changes to the requirements that are already in place. The amendments are apparently made for the purpose of preventing possible controversies in the interpretation of the law and clarifying certain ambiguous points which may have practical consequences.

This article was first published in Legal Insights Quarterly by ELIG Gürkaynak Attorneys-at-Law in June 2019. A link to the full Legal Insight Quarterly may be found here


[1] The Official Gazette dated April 28, 2019 http://www.resmigazete.gov.tr/eskiler/2019/04/2019 0428-1.htm (last access date May 9, 2019).

[2] The Official Gazette dated April 28, 2019 http://www.resmigazete.gov.tr/eskiler/2019/04/20190428-2.htm (last access date May 9,2019).

[3] The Official Gazette dated April 28, 2019 http://www.resmigazete.gov.tr/eskiler/2019/04/20190428-9.htm (last access date May 9, 2019).

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.