Countdown For Compliance with Turkish Data Protection Law
Authors: Burak Özdagıstanli, Sümeyye Uçar, Bensu Özdemir
Natural or legal persons who process personal data under the Law on Personal Data Protection with no. 6698 (“DPL”) must register to the Data Controllers’ Registry (“VERBIS”) prior to start of data processing. Data controllers that currently process personal data under the DPL, must also register to VERBIS before 31 December 2021.
VERBIS registration is mandatory for:
· Data controllers located out of Turkey, but collets and processes personal data (Foreign Controllers),
· Data controllers located in Turkey with 50 or more employees and an annual turnover of more than TRY 25.000.000 (approximately USD 2.500.000), or
· Data controllers located in Turkey with the core business of processing sensitive personal data (such as hospitals, doctors, insurance companies) *(certain exemptions apply to attorneys, notary publics etc. and they are not required to register regardless of the turnover and employee number)
This article is formed as a Q&A and focuses on the Representative Appointment and Registration Requirement of Foreign Controllers.
1- What is a foreign controller?
A data controller (a legal or real person which determines the purposes for which and the means by which personal data is processed) that is not located within the borders of the Republic of Turkey.
2- Which foreign controllers are within the scope of the Representative Appointment and Registration requirements?
Foreign controllers that collect personal from Turkey or process personal data collected from Turkey are within the scope of the requirements which will be detailed below.
3- Who can be a Representative in Turkey?
Any Turkish legal person or Turkish real person residing in Turkey can be appointed as the Representative to represent the Foreign Controller in Turkey. This requirement is similar to Art. 27 of the GDPR.
4- What are the authorities of the Representative?
The Representative will be the contact point for the Controller for any communication between the Authority and the Controller. Further, the Representative will also be the contact point for the data subject requests.
The representative must be vested with the authorities below;
· Receive and accept, on behalf of the Data Controller all types of correspondence and notifications sent by the Authority,
· Convey the requests sent from the Authority to the Data Controller and to convey the response from Data Controller to the Authority,
· Receive requests and applications by data subjects that is directed to Data Controller
and convey such requests and applications to Data Controller,
· Convey the response of Data Controller to data subjects,
· Conduct all works and transactions on behalf of Data Controller regarding the Data Controllers’ Registry (VERBIS)
5- How to appoint a Representative in Turkey
The Representative can be appointed with an Appointment Letter/Decision that is executed abroad. The Appointment Letter/Decision must contain the following;
· Legal name and the address of the Controller,
· Legal name and the address of the Representative,
· Authorities provide to the Representative,
· Date of the Appointment Letter/Decision,
Further, please be informed that the Appointment Letter must be signed by the authorized persons of the Controller. The signed Appointment Letter must be notarized in the place of signing. Further, the notarized document must be apostilled as well in line with the Hague Convention.
The Representative will further legalize the document once the original notarized and apostilled document is received.
6- Are there any other requirements?
7- What is the procedure regarding registration requirement?
Foreign controllers can only register after appointing a Representative.
Once the Representative is appointed, the Representative will enter the information of the Foreign Controller and the Representative on Data Controllers Registry (VERBIS - verbis.kvkk.gov.tr)
After filling in the initial information such as address, contact information, the registration must be completed by filing the Records of Processing into VERBIS.
Therefore, the following information will be provided in the VERBIS using the VERBIS interface;
· Data Categories,
· Data Subject Categories,
· Purposes of Processing,
· Recipient Groups,
· International Transfers,
· Retention Time,
· Technical and Administrative Measures,
· Information regarding international transfers.
8- What is the deadline to complete the steps above?
31 December 2021
9- What is the risk of failing to comply with the requirements above?
An administrative fine of up to TRY 1.966.862 (approx. USD 193.000) may be imposed. This fine amount will be subject to an increase in 2022 depending on the revaluation percentage which is expected to be around %36, making the administrative fine up to USD 262.000.
Further, please note that it is also possible for the DPA to decide to restrict the data processing operations of the controller.