As you may know Europe is moving towards its new legislation on personal data; The GDPR.
The GDPR sets out certain requirements to ensure effective management of personal data within businesses and mandatory Data Protection Officer ("DPO" - an individual to oversee the data protection responsibilities within the organisation and ensure compliance) requirement is among those requirements.
Article 37 of the GDPR stipulates that organizations must appoint a DPO if the core activities require "regular and systematic monitoring of data subjects on a large scale"or "special categories of data".
Do Your Organization Need A DPO in Turkey?
The Law in Turkey (The Law on Protection of Personal Data w. no 6698) on the other hand do not describe the term DPO and do not stipulate a DPO appointment requirement. Therefore data controllers and data processors in Turkey are not under any legal obligation to appoint a DPO at this stage.
Having said that, in all our data protection compliance projects we recommend data controllers and data processors in Turkey to either appoint a DPO or to designate an individual within the company to oversee the data protection responsibilities.
The reasons behind our recommendation are;
1- Data Protection and personal data are new concepts for most of the organizations in Turkey and without a specific person to oversee compliance, many obligations may be overlooked,
2- Data protection and protection of personal data are all about corporate culture. If these concepts do not take roots in the culture of an organization, compliance will be a very difficult and time consuming process.
3- Having a DPO in the company will help you handle personal data more securely.
We understand that having a separate DPO position may seem as an extra cost as there is no legal requirement however a DPO within your organization may save you from administrative fines of up to TRY 1.000.000 (€ 250.000) and imprisonment.