As our readers will recall from our coverage of the new Turkish “Data Protection Law”, one of the main obligations of the data controllers is to register with a publicly available Data Controllers’ Registry (“Registry”), non-compliance of which may lead to an administrative fine up to €250,000.
The Turkish Data Protection Authority (“Authority”) has announced via its website that it is still working on the secondary legislation concerning the Registry and the technical infrastructure to be utilised for the registration procedures, adding “Therefore, the commencement date of the registrations shall be declared via our website later on.”
Draft Regulation on Data Controllers’ Registry
The Authority has also published a draft version of the Regulation on Data Controllers’ Registry (“Draft Regulation”) on its website and indicated that it will be open to public consultation until May 20th, 2017.
Additionally, the Authority has published a short guidance on the Draft Regulation (“Guidance”) and elaborated on the provisions of the Draft Regulation.
The Draft Regulation and the Guidance confirms that the Registry will be an online database and the applications thereto shall be accepted over the internet. The same was also confirmed verbally by the members of the Data Protection Board (“Board”), the decision-making body of the Authority.
Below is a brief summary of the major revelations under the Draft Regulation.
Representative of a Data Controller Residing Abroad
The Draft Regulation provides that the data controllers who do not reside in Turkey shall appoint and duly authorise a representative who is either (i) a legal entity resident in Turkey or (ii) a natural person who is a Turkish citizen. The identity information of this representative shall be notified to the Authority within the registration application to the Registry.
According to the Draft Regulation and the Guidance, the liability of the data controller’s representative shall be limited to the powers listed in the Draft Regulation, and the representative shall not be held liable on behalf of the data controller.
Personal Data Processing Inventory
The Draft Regulation refers to a Personal Data Processing Inventory (“Inventory”) on several occasions and defines it as an inventory prepared and detailed by the data controllers by way of associating their personal data processing activities with their processing purposes, data categories, recipient groups, and data subject groups. The Guidance explicitly states that “data controllers subject to the registration obligation shall prepare a data processing inventory.”
Although this is the first time a “Personal Data Processing Inventory” was mentioned in the data protection legislation of Turkey (i.e. the Data Protection Law does not make any reference to this term), the obligation to prepare an Inventory had already been inferred from the Data Protection Law’s provisions relating to the Registry. Accordingly, applications to the Registry shall be made with a notification including the following information, which will require the data controllers to document their data processing activities to a certain extent:
- Identity and address information of the data controller and of the representative thereof, if any;
- The purposes for which personal data will be processed;
- The group or groups of persons subject to the data and explanations regarding data categories belonging to these persons;
- Recipient or groups of recipients to whom personal data may be transferred;
- Personal data which is envisaged to be transferred abroad;
- Measures taken for the security of personal data;
- The maximum period of time necessitated by the purposes for which personal data are processed.
Policy on Personal Data Retention and Destruction
The Draft Regulation requires the data controllers to prepare a “Policy on Personal Data Storage and Destruction” and ensure that this policy is properly implemented within their organisations. The Draft Regulation also provides guidance as to the criteria that are to be taken into account when determining the maximum term for storing personal data.
The requirement to prepare a data retention policy also derives from the obligation to register with the Registry. The last item of the above list of information that is to be notified to the Authority is particularly relevant in this respect.
Other Obligations of Data Controllers
The Data Protection Law imposes many obligations on data controllers, some of which are, in summary, the following:
- To legitimise the processing of personal data as per the Data Protection Law or other laws, non-compliance of which is punishable by imprisonment pursuant to the Turkish Criminal Code;
- To inform data subjects with regard to the data controller’s identity, purpose, method, and legal ground of the processing, transfer of data to third parties, and the rights of the data subjects, non-compliance of which may lead to an administrative fine up to €25,000;
- To ensure the security of the collected data, and to notify the Board and the data subject of data breaches, non-compliance of which may lead to an administrative fine up to €250,000;
- To delete or anonymize outdated data, non-compliance of which is punishable by imprisonment pursuant to Turkish Criminal Code;
- To abide by the rights of the data subject and reply to their applications in 30 days;
- To comply with the decisions of the Board, non-compliance of which may lead to an administrative fine up to €250,000.
ErsoyBilgehan helps its clients achieve sustainable compliance by building a data protection program that creates firm procedures as well as a proactive corporate culture in order to enable the business to respond effectively to privacy-related matters.
We offer a number of solutions for compliance with the Data Protection Law, which are fine-tuned to the unique needs and characteristics of our clients. For further information, please contact us via email at email@example.com or by calling us at +90 212 213 23 00.