Turkey: Data Controllers Registry Now Open!

Turkey

Obligation to register with the Data Controllers Registry and Applicable Exemptions

The Turkish Data Protection Law (the “Law”) stipulates that all data controllers must register with the Data Controllers Registry (“Registry”) unless they are exempt from doing so.

The Turkish Data Protection Board (“DPB”) had already announced those exempt from having to register with the Registry in its decision of 2 April 2018. Please see our E-Alert where further information can be found.

Timelines for Registration with the Registry

The DPB was then expected to announce the start date and timeline for those entities it had not exempted to register with the Registry.

As expected, on 19 July 2018, the DPB announced its decisions about when the period for registration would begin and the ensuing timeline.

Various dates and timelines applicable in this regard. These differ, for example, according to the number of employees or the annual turnover of the data controller in question.

Further details about the timeline are outlined below:   

 

Type of Data Controller

Starting Date

Applicable

Period

Deadline

Natural persons and legal entities who employ more than 50 employees annually or who have an annual balance-sheet total exceeding 25,000,000 Turkish Liras (approximately 3,300,000 Euros)

01.10.2018

12 months

30.09.2019

Natural persons and legal entities residing abroad

01.10.2018

12 months

30.09.2019

Natural persons and legal entities who employ fewer than 50 employees annually and who have an annual balance-sheet total of less than 25,000,000 Turkish Liras (approximately 3,300,000 Euros) but whose principle activities involve processing sensitive data (“özel nitelikli veri”)

01.01.2019

15 months

31.03.2020

Public institutions and organizations determined to be data controllers


01.04.2019


15 months


31.03.2020

 

Conclusion:

The DPB has granted a rather lengthy period for the various types of data controller to register with the Registry. As a result, the data controllers covered by the decision have ample time to register with the Registry and avoid breaking the Law.

On the other hand, the wording of the decision implies that the DPB has not yet determined deadlines for the types of data controller not specified in this decision. For instance, entities that employ fewer than 50 employees annually and have an annual balance-sheet total of less than 25,000,000 Turkish Liras (approximately 3,300,000 Euros) but which do not process any sensitive personal data are not covered by this decision and so a specific deadline is not available for them.

For this reason, we expect the DPB to continue to announce further decisions about the registration deadlines for the remaining data controllers and provide further clarification.