Turkish Law Blog
Data Protection Authority Announced the Starting Dates to Register with the Data Controllers Registry
The Data Protection Authority announced the starting dates for the obligation to register with the Data Controllers Registry ("VERBIS"). You may find below explanations regarding the framework of the data controllers’ obligation for registration to the VERBIS.
Based on the Turkish Data Protection Law no. 6698, natural or legal persons (i.e. companies) who process personal data shall register with VERBIS prior to commencing processing such personal data. However, considering objective criteria that shall be designated by the Board such as the characteristics and the number of data to be processed, whether or not data processing is based on any law, or whether data will be transferred to third parties, the Board may set forth exemptions to the obligation to register with VERBIS.
Registry application to the VERBIS shall be made with a notification including the following matters:
- Identity and address information of the data controller and of the representative thereof.
- The purposes for which personal data will be processed.
- The group or groups of persons subject to the data and explanations regarding data categories belonging to these persons.
- Recipient or groups of recipients to whom personal data may be transferred.
- Personal data which is envisaged to be transferred abroad.
- Measures taken for the security of personal data.
- The maximum period necessitated by the purposes for which personal data are processed.
Also changes to the information provided shall be immediately reported to the Board.
Data Controller’s Obligation to Inform
Data controller or the person it authorized is obligated to inform the data subjects while collecting the personal data with regard to i) the identity of the data controller and if any, its representative, ii) the purposes for which personal data will be processed, iii) the persons to whom processed personal data might be transferred and the purposes for the same, iv) the method and legal cause of collection of personal data, v) the rights of data subject.
Rights of Data Subject
Everyone, in connection with herself/himself, has the right to learn whether or not her/his personal data have been processed; request information as to processing if her/his data have been processed; learn the purpose of processing of the personal data and whether data are used in accordance with their purpose; know the third parties in the country or abroad to whom personal data have been transferred; request rectification in case personal data are processed incompletely or inaccurately; request deletion or destruction of personal data within the legal framework; request notification of the operations made to third parties to whom personal data have been transferred; object to occurrence of any result that is to her/his detriment by means of analysis of personal data exclusively through automated systems; request compensation for the damages in case the person incurs damages due to unlawful processing of personal data by applying to the data controller.
Obligations Regarding Data Security
Data controller must take all necessary technical and organizational measures for providing an appropriate level of security to i) prevent unlawful processing of personal data, ii) prevent unlawful access to personal data, iii) safeguard personal data.
In case personal data are processed on behalf of the data controller by another natural or legal person, the data controller shall be jointly liable with such persons with regard to taking the measures set forth in the first paragraph. Therefore, companies must take necessary precautions to make sure their contracted third parties, which are processing data on behalf of it (such as employee data, customer data etc.), comply with the relevant legislation.
To the ones who do not fulfil:
i) Obligation to inform (the data subject whose personal data collected), an administrative fine of 5,000 Turkish liras to 100,000 Turkish liras;
ii) Obligations regarding data security, an administrative fine of 15,000 Turkish liras to 1,000,000 Turkish liras;
iii) Decisions of the Board, an administrative fine of 25,000 Turkish liras to 1,000,000 Turkish liras;
iv) Obligation to register with VERBIS, an administrative fine of 20,000 Turkish liras to 1,000,000 Turkish liras
shall be imposed in addition to the criminal sanctions mentioned under the Turkish Criminal Code with respect to crimes relating to personal data.
Pursuant to the Authority\'s Decision no. 2018/88,
- Data controllers that employ more than 50 employees and whose annual financial statement exceeds TRY 25 million must register with VERBIS between October 1, 2018 and September 30, 2019;
- Data controllers established outside of Turkey must register with VERBIS between October 1, 2018 and September 30, 2019;
- Data controllers that employ less than 50 employees and whose annual financial statement does not exceed TRY 25 million, but whose core business includes the processing of sensitive personal data must register with VERBIS between January 1, 2019 and March 31, 2020; and
- Public institutions and organizations that act as data controllers must register with VERBIS between April 1, 2019 and June 30, 2020.
Data controllers should complete their internal processes, fulfil technical and legal requirements and must register with VERBIS before the above stated time periods.