Turkish Personal Data Protection Authority Decision w. no. 2020/47
On 23 June 2020, The Turkish Personal Data Protection Authority (“the DPA”) published a summary of decision w. no. 2020/471 to respond a request of a foreign bank that has a representative office in Turkey. DPA made the following explanations regarding whether a foreign bank that has a representative office in Turkey can be considered as a data controller according to the Law on the Protection of Personal Data (“the Law”). DPA published its evaluation on whether this foreign bank is obliged to register with the data controllers’ registry (“VERBIS”). Pursuant to Article 4 of the Communique on Procedures and Principles Related to Operations of the Representatives in Turkey (“Communique”), representatives can perform a promotional activity in Turkey related to affiliated bank’s services, and it can transfer the information obtained to the affiliated bank. These activities of the representative contribute to the services of the foreign bank. In this context, the activities of the representative in Turkey, cannot be considered separate from the personal data processing activities made for the banking activities. For this reason, it has to been accepted that there is a close connection between the representative’s activities and the bank’s activities related to the processing of personal data. In this respect, Guidelines 3/2018 on the territorial scope of the European Unity General Data Protection Regulation (“GDPR”) specifies this example. If an establishment has an office in the EU and this office’s activities increase the revenue, the absence of an establishment in the Union does not necessarily mean that processing activities by a data controller or processor established in a third country will be excluded from the scope of the GDPR. Due to the fact that bank located within a foreign country and establishment has an existence in our country through a representative, accepting that processing of personal data activities does not fall within the scope of the Law does not comply with the intent of the Law. The purpose of these registrations with the VERBIS and notification obligation set forth in Article 16 of the Law is providing the highest control over data subjects’ personal data. According to this, bank residing in abroad is obliged to register in VERBIS related to personal data processing activities. Also, Article 5(1-b) of the Regulation on Data Controllers Registry regulates that “Data controllers not established in Turkey are obliged to register with the Registry by their representatives prior to the start of data processing.” Similarly, the DPA’s decision w. no. 2019/10 of 24.01.2019 about Procedures and Principles of Personal Data Breach Notification clarifies that “If data breach occurs in the presence of data controller established abroad, in case this breach affects data subject residing in Turkey and Data Subjects benefit from the products and services provided within Turkey, data controller shall notify the Board within the same principles.” In parallel with these explanations, the DPA adopted the following decisions; Everyone has the right to request the protection of his/her personal data according to Article 20 of the Constitution of The Republic of Turkey. In determining the territorial scope of the Law, an approach that provides the highest and the broadest protection to the data subjects has to be adopted. The foreign bank has a continued existence in Turkey through its representative. As a consequence, the Law will apply to the above-mentioned bank, and the bank has to be deemed a data controller. Also, the bank is obliged to register with the VERBIS.
Our Evaluation of the Decision This decision of the DPA must be interpreted together with the decision regarding branch offices and liaison offices of foreign entities w. no. 2019/225. In that decision, the DPA decided that liaison offices are not required to register with VERBIS and are not data controllers. Liaison offices and foreign banks' branch offices are very similar in the eye of the Turkish Law. Both cannot engage in commercial activity, the sole purpose of both is to market the foreign entity, and both liaison offices and foreign banks do not have legal personality. For this purpose, liaison offices and branches of foreign banks are not data controllers under Turkish Law. Having said that, since these organizations collect and process personal data on behalf of the foreign entity, the foreign entity is the controller.
Liaison offices of foreign entities and branch offices of foreign banks are not required to register with VERBIS.
Foreign entities with liaison offices and foreign banks with branch offices in Turkey are data controllers and are required to register.
This decision does not affect the position of branches of foreign entities. Branches of foreign entities remain to be data controllers.