The Regulation on Data Controller Registry (“Regulation”) was published in the Official Gazette on 30 December 2017 and entered into force on 1 January 2018, pursuant to Article 19. Please click here to access the full version of the Regulation.
The Regulation is only available in Turkish.
The purpose of the Regulation is to carry out the intent given in Article 16 of the Law on Data Protection No. 6698 (“Data Protection Law”). According to the referenced article of the Dara Protection Law real persons or legal entities processing personal data shall be obliged to enroll to the Data Controllers’ Registry before they start processing data. The Regulation was prepared based on a draft regulation (“Draft”). Please click here to access our review on the Draft.
Deviations from the Draft
The Status of Public Authorities:
In comparison to the Draft, the rules of conduct for public authorities have been stipulated in detail within the Regulation.
The public body which has been authorized to establish and manage the registry is the Directorate of Data Management Department (Veri Yönetimi Dairesi Başkanlığı).
Access to Registry:
The scope of the registered information which will be publicly available has also been amended. According to the amendment, the contact person’s name, address and registered e-mail address will also be published, along with the name and address of the data controller and its representative.
Moreover, the measures which shall be taken for the protection of personal data and the maximum time necessary for the processing purpose will also be publicly available, quelling concerns on transparency and clarity.
The Regulatory Powers of the Personal Data Protection Board (“The Board”):
The Board has discretionary power on the determination of “publicity” and its exemptions, however, how such discretion is practiced shall be in line with the general principle on “publicity of registries“.
The General Principle on Legal Entities:
According to Article 11 of the Regulation, the data controller can be a legal entity as well. If this is the case, the legal entity may not avoid its liability by assigning natural persons to fulfil its legal obligations under these laws and regulations.
The Status of the Representative of Data Controller:
The Draft enabled the data controller’s representative to act as a proxy of the data controller (which shall mean the real person or legal entity which sets the objectives and means of processing personal data and who is in charge of establishment and management of data filing system) by allowing it to answer any communications from the Authority. However, the
Regulation has abolished such powers of the Representative.
According to the Regulation, the Representative will now act as a mere medium between the Authority and the Data Controller, and is only responsible for the transmission communications.
By putting this regulation into force, the Turkish Personal Data Protection Authority intends to establish a transparent and accessible data control mechanism. However, as the data protection practice is not fully established, further detailed regulatory action is considered to be necessary.
Moreover, the date for the launch of Data Controllers Registry Information System (VERBIS) (link) and the beginning of the registration procedures will be announced soon by the Authority.