Turkish Law Blog

The Registry of Data Controllers in 15 Questions

Zeynep Tuncer Zeynep Tuncer/ University of Fribourg
10 April, 2019
790

It is specified under the Law No. 6698 on the Protection of Personal Data (the “Law”) that the Registry of Data Controllers (the “Registry”) shall be kept by the Board of Protection of Personal Data (the “Board”).

Pursuant to Article 16 of the Law titled “Data Controllers’ Registry”, data controllers are under the obligation of registration with the Registry before commencing to process personal data. However, the Board may based on its objective criteria such as the characteristics and number of data to be processed, whether or not data processing is based on any law, or whether data will be transferred to third parties, set forth exemptions to the obligation to register with the Data Controllers Registry. The scope of application of the said exemptions has been determined in the Board’s decisions, which have been successively published in the Official Gazette No. 30422 dated 15th of May 2018 and in the Official Gazette No. 30513 dated 18th of August 2018. In the said decisions, the dates between which the first registrations will be made have also been determined.

Following the publication of these decisions, various companies have started their preparations for the registration with the Registry and thus, numerous questions have arisen as to the nature of the Registry and the procedure of registration with the Registry.

Within this scope, it is important to determine what is the Registry, the persons who are under the obligation to be registered with the Registry, the persons who are exempted from such obligation, how the registration needs to be made, what are all the other obligations imposed on those who are under the obligation of registration, what are the consequences of not being registered with the Registry, which kind of information shall be registered and how the deregistration will be effected.

In this article, it was attempted to answer the questions straining the companies’ mind.

Question 1: What is the Registry of Data Controllers?

The “Registry of Data Controllers” is an information platform/system, which has been set up by the Law and detailed in the “Regulation on the Data Controllers’ Registry” (the “Regulation”) published in the Official Gazette No. 30286 dated 30.12.2017. Accordingly, the Registry is an information platform/system, which is publicly and electronically kept by the Presidency of the Board of Protection of Personal Data under the supervision of the Board within the Data Controllers Information System named “VERBIS”, and which contains the information stated in the legislation.

All real persons and legal entities deemed as “data controllers” are obliged to register with the Registry before commencing to process personal data. However, the Board may based on objective criteria it determines, set forth exemptions to the obligation to register with the Data Controllers Registry. The persons falling within the scope of the exemptions have recently been announced by the Board.

Question 2: Who is the Data Controller and How Should it be Identified?

As per the definition of “data controller” given in the legislation, the data controller is a “real person or legal entity who determines the purposes and means of the processing of personal data, and who is responsible for establishment and management of the filing system”. Therefore, the data controller is the person determining “why” and “how” personal data will be processed. It should be noted that legal entities are broadly interpreted and therefore, provided that they fulfill the conditions of being a data controller, private and public legal entities, associations and foundations can also be deemed as data controllers.

In order to identify the data controller, the decision maker of the essential issues, such as the method and purpose of collecting personal data and the storage of this data, should be determined. In other words, not all persons collecting and processing personal data are data controllers. Indeed, persons who collect and process personal data under another person’s instructions are not deemed as data controllers, but as data processors. That is, in order to be deemed as a data controller, it should be a decision maker who determines the essential issues.

Another important issue to be noted is that, in legal entities, the real persons collecting and processing personal data are not data controllers. Indeed, the collection and process of personal data are made through competent bodies or persons authorized to represent and bind the legal entities. Thus, in case the legal entity would be under the obligation of registration with the Registry, (solely) the legal entity shall be registered and the information of the legal entity shall be taken into account in evaluating the registration criteria.

Question 3: Who is Exempted from Registration with the Registry?

As per the Board’s decision no. 2018/32 dated 02.04.2018, which was published in the Official Gazette no. 30422 dated 15.05.2018, the following persons are exempted from the obligation of registration with the Registry:

  • Those who process personal data only through non-automatic means forming part of any data filing system,
  • Notaries public practicing as per the Notary Public Law no. 1512 dated 18.01.1072,
  • In respect of the associations established under the Law on Association no. 5253 dated 04.11.2004, the foundations established under the Law on Foundations no. 5737 dated 20.02.2008 and the trade unions established under the Trade Unions and Collective Bargaining Agreements no. 6356 dated 18.10.2012; those processing personal data only in compliance with the relevant legislation and their purposes, with limitation to their scope of activity, and only for their own employees, members and participants and grantors,
  • Political parties established under the Law on Political Parties no. 2820 dated 22.04.1983,
  • Attorneys practicing under the Attorneys’ Act no. 1136 dated 19.03.1969, and
  • Certified public accountants and sworn-in certified public accountants practicing under the Law on Certified Public Accountants and Sworn-In Certified Public Accountants.

As per the Board decisions published in the Official Gazette no. 30513 dated 18.08.2018, the following persons are also exempted from the obligation of registration with the Registry:

  • Customs consultants and authorized customs consultants practicing as per the Customs Law no. 4458 (Board’s decision no. 2018/68 dated 28.06.2018),
  • Mediators (Board’s decision no. 2018/75 dated 05.07.2018), and
  • Natural and legal persons whose annual number of employees is less than fifty and whose total annual financial statement is less than TL 20 million.

Question 4: Who is under the Obligation of Registration with the Registry?

As per the Board decision No. 2018/88 dated 10.07.2018, which has been published in the Official Gazette No. 30513 dated 18.08.2018, the following persons are under the obligation of registration with the Registry:

  • The real person and legal entity data controllers whose annual number of employees is more than 50 and whose total annual financial statement is more than TL 20 million,
  • The real person and legal entity data controllers whose annual number of employees is less than 50 and whose total annual financial statement is less than TL 20 million, but having as a principal activity the process of special personal data.

Question 5: Is the Registration Obligation an Absolute Obligation?

Data controllers, who are not covered by the exemptions set forth in the Board’s decisions referred above, are under the obligation of registration with the Registry. However, in the Regulation, it is stated that, under certain circumstances, data controllers are exempted from the obligation of registration with the Registry. Thus, in the below cases, data controllers are not obliged to register with the Registry:

  • Processing of personal data is necessary for the prevention of a crime or investigation of a crime;
  • Processing of personal data is revealed to the public by the data subject herself/himself;
  • Processing of personal data is necessary due to the performance of supervision or regulatory duties, or disciplinary investigation or prosecution by the assigned and authorized public institutions and organizations and professional organizations with public institution status;
  • Processing of personal data is necessary for the protection of economic and financial interests of the state related to budget, tax, and financial matters;

As it may be noted, on condition of being within the scope of the exemptions stated above, the obligation of registration with the Registry is not an absolute obligation.

Question 6: Is it Possible to Voluntarily Register with the Registry?

There is no provision in the legislation prohibiting the voluntary registration with the Registry. Consequently, even if this is a subject which will gain clarity with the practice, we believe that, from a legal point of view, data controllers who are not under the obligation of registration with the Registry, can voluntarily register themselves with the Registry. However, in such a case, they will also be obliged to fulfil the obligations arising out of the registration with the Registry[1].

Question 7: Does being Exempted from the Obligation of Registration Mean being Exempted from All Other Obligations?

Being exempted from the obligation of registration with the Registry does not mean being exempted from the other obligations. Persons who are exempted from the obligation of registration with the Registry are only exempted from the consequences arising out of the non-registration with the Registry and the obligation to prepare personal data retention and destruction policy. Except those, they are obliged to comply with all other obligations arising out of the Law and the secondary legislation.

Question 8: What are the Registration Periods?

Data controllers are under the obligation of registration with the Registry before commencing to process personal data. The data controllers who were not obliged to register at the beginning but become subject to such obligation later, are under the obligation of registration with the Registry within thirty days as of the date they become subject to such an obligation.

In case data controllers cannot perform their obligation of registration due to any de facto, technical or legal reason, they can request an extension period for the registration with the Registry by making a written application specifying the grounds of the impossibility to the Personal Data Protection Authority (the “Authority”) within seven days as of the occurrence of the impossibility. The Authority may, for once only, grant an extension, not exceeding thirty days.

The periods between which the data controllers should be registered with the Registry are specified in the Board’s decision no. 2018/88 dated 19.07.2018 published in the Official Gazette no. 30513 dated 18.08.2018. As per this decision, the registration periods are as follows:

Data Controller

Commencement Date of the Registration

Final Date of the Registration

Real person and legal entity data controllers whose annual number of employees is more than 50 and whose total annual financial statements is more than TL 20 million

01.10.2018

30.09.2018

Real person and legal entity data controllers established abroad

01.10.2018

30.09.2019

Data controllers having as principal activity the processing of special personal data

01.01.2019

31.03.2020

State institutions and organizations

01.04.2019

30.06.2019

Question 9: How to be Registered with the Registry?

Registration is made through the official website of the Authority by the data controllers on a free of charge basis.

  • In case the data controller to be registered with VERBIS is a legal entity resident in Turkey, the registration shall be made by a real person entitled to represent and bind the legal entity.
  • In case the data controller to be registered with VERBIS is a legal entity established abroad, the registration shall be made through a representative empowered by the said legal entity.

The duly certified resolution related to the appointment of the representative by the relevant foreign legal entity data controller shall be submitted to the Registry within the registration procedure[2]. The following issues should be indicated in the resolution:

  • Taking delivery of the notifications and correspondences sent by the Authority on behalf of the data controller
  • Conveying the requests addressed by the Authority to the data controller and conveying the data controller’s answers to the Authority
  • Taking delivery of the applications to be made by the data subjects on behalf of the data controller and conveying them to the data controller
  • Conveying the data controller’s answers to the data subjects
  • Carrying out all acts and actions related to the Registry on behalf of the data controller

Furthermore, the legal entity data controller established in Turkey or abroad is also under the obligation to nominate a “contact person”, and to enter to the Registry the details of this contact person during the registration. The said contact person will be responsible for the contact between the data controller and the data subject or the Authority, and will not have any representation power. The contact person does not need to be appointed amongst the company’s senior executives or employees and a third person can also be appointed, provided that such third persons know the operational structure of the company[3].

The contact person of state institutions and organizations shall be the head of the department or his/her superior, who will be determined by the senior executive of the said institution or organization to ensure the collaboration with the Authority.

During the registration process, the following documents shall be submitted to the Registry:

  • Information stated in the application form to be determined by the Authority with respect to the identity and address information of the data controller, the representative, if any, and the contact person
  • The purposes for which personal data will be processed
  • The group or groups of persons subject to the data, and explanations regarding the categories of data belonging to these persons
  • The recipient or groups of recipients to whom personal data may be transferred
  • The personal data which is envisaged to be transferred abroad
  • The measures are taken for the security of personal data
  • The maximum period of time necessitated by the purposes for which personal data are processed
  • If the data controller is a foreign legal entity data controller, its certified resolution related to the appointment of a representative

Question 10: What are the Consequences of the Non-registration with the Registry?

The Law stipulates that a fine from TL 20,000 up to TL 1,000,000 will be imposed on data controllers, which are not registered with the Registry whereas they are under the obligation of registration with the Registry. The amount of the fine will be objectively determined by the Board as per the characteristics of the data controller.

In case of non-compliance with the registration obligation within public institutions and organizations or professional organizations with public institution status; upon notification of the Board, disciplinary action shall be taken for the officers and other public officials who serve under the relevant public institution or organization and the ones who serve under the professional organizations with public institution status, and the result shall be reported to the Board.

Question 11: Which Information Shall be Stated in the Registry?

The following information shall be entered to the Registry in a publicly available manner:

  • The identity and address information of the data controller, the representative, if any, and the contact person as well as the Registered Electronic Mail, if already obtained
  • The purposes for which personal data will be processed
  • The group or groups of persons subject to the data, and explanations regarding the categories of data belonging to these persons
  • The recipient or groups of recipients to whom personal data may be transferred
  • The personal data which is envisaged to be transferred abroad
  • The measures taken for the security of personal data
  • The maximum period of time necessitated by the purposes for which personal data are processed

The said information shall be prepared based on the Personal Data Processing Inventory. Accordingly, data controllers are also under the obligation to prepare a Personal Data Processing Inventory.

The Personal Data Processing Inventory is defined in the Regulation as “an inventory in which data controllers explain and give details on the personal data processing activities, the purposes of personal data processing, the personal data categories, the personal data recipients, the categories of data subjects, the maximum periods for the purposes of personal data processing activities, the personal data which may be transferred abroad and the implemented data security measures, based on their personal data processing activities arising out of their business processes”.

Data controllers, who are under the obligation of registration with the Registry shall, in addition to and in line with the Personal Data Processing Inventory, prepare a personal data retention and destruction policy. However, it should be noted that the preparation of such a policy does not mean that the personal data are retained, erased, destructed or made anonymous in compliance with the provisions of the Law and the Regulation.

The Personal Data Processing Inventory as well as the personal data retention and destruction policy is accepted as organizational/managerial measures. For this reason, in case the said documents are not prepared in line with the relevant legislation, an administrative fine from TL 15,000 up to TL 1,000,000 may be imposed on the data controllers.

Question 12: Are “Personal Data” Included in the Registry?

The Registry is open to general public; however, no personal data should be indicated in the Registry. Indeed, as also explained above, the Registry contains information under headings related to categories of personal data and the purposes for which personal data is processed, the maximum period of time necessitated by the purposes for which personal data are processed and personal data which is envisaged to be transferred abroad. Thus, no “personal data” take place in the Registry and are open to public. Furthermore, it should be stated that, considering that the purpose of the legislation is to protect the personal data of real persons, the “inclusion of the personal data in the Registry” constitutes an express contradiction to the spirit of the legislation.

Question 13: What are the Consequences of Registering Incomplete, Inaccurate, not up to date and Unlawful Data with the Registry?

The data controllers shall ensure that the information submitted to the Registry and published therein are compete, accurate, up to date and lawful. However, the penalties laid down in the Regulation do not directly refer to the violation of such obligation. Indeed, it is stated in the Regulation that fines will be imposed in case of violation of the obligations of registration and notification. However, we believe that this provision can be broadly interpreted and that an administrative fine from TL 20,000 up to TL 1,000,000 can be imposed on the data controllers who do not comply with the obligation to keep complete, accurate, up to date and lawful information in the Registry.

Question 14: How the Information Stated in the Registry can be Amended or Updated?

In case any information entered to the Registry is amended or updated, the data controllers shall notify such amendments or updates within seven days to the Authority through VERBIS. If the notification is not made on time, the above-stated penalties can be applied.

Question 15: How and When a Deregistration can be Made?

A data controller can be deregistered from the Registry in case the reasons necessitating its registration, such as the termination of its activities related to the processing of personal data or its exemption from registration with the Registry via decision of the Board, cease to exist. In such a case, the data controller shall make an application to the Authority for its deregistration from the Registry through VERBIS. If its application is accepted, the data controller will be deregistered from the Registry. As to the information stated in the Registry, they will be kept in a manner preventing any change on them, but will be accessible.

It should be noted that the deregistration of a data controller from the Registry does not eliminate its obligations to which it was subject during its registration period.


[1]        The said information has been verbally confirmed with the Authority on the date of 17.09.2018.

[2]        Information stated in the Regulation with regard to the contact person is not very clear. Indeed, as per the definition given under Article 4(ç) titled “Definitions” of the Regulation, the contact person is notified both by the legal entity data controller established in Turkey and by the representative of the legal entity data controller established abroad. However, under Article 11(4) titled “The obligations of the data controller, the data controller representative and the contact person”, it is stated that the legal entity data controller established in Turkey shall register and upload the contact person to the Registry during the registration process. Pursuant to the information held verbally from the Authority on 17.09.2018, both legal entity data controllers established in Turkey and representatives of legal entity data controllers established above shall appoint a contact person and upload his/her information to the Registry during the registration process.

[3]        The said information has been verbally obtained from the Authority on 17.09.2018.

Leave a comment

Please login or register to comment

Comments