The Data Protection Law in Turkey numbered 6698

The Law on Personal Data Protection No. 6698 (“DP Law”) sets out obligations, principles and procedures that will be binding on natural or legal persons who process personal data.  Natural and legal persons residing outside of Turkey must be compatible with the DP Law in terms of processing personal data directly or indirectly in Turkey. Many obligations have been imposed on data controllers by the law. One of them is the obligation to register to VERBIS.

VERBİS and Obligation to Registration

VERBİS is the central registration system in which natural and legal persons, who are deemed “data controller” according to the Law, must register and declare information about their data processing activities. It is mandatory for the data controllers to register with VERBIS, which is held by the Authority under the supervision of the Board. So, with this method, it is aimed to be explained to the public who the data controllers are and to make the right to protect personal data more practicable.

A non-resident Company, will be processing data as long as it receives, saves, changes, stores and even deletes these data within the scope of data transferred from its branches or representatives in Turkey. In cases where the activities of the branches or representatives are in close connection with the activities of the non-resident company and these activities contribute to the said company, the company will be considered as the data controller thus, obligated to register to VERBİS.

The Board decided in one of its decision that it is also expressed in the Guidelines 3/2018 of the European Data Protection Board that for example, in the case that an office of a company located in the third country engaged in promotion and market research within the Union and if the activities of this office increases the income of the data controller located in a third country, the GDPR provisions will be applied to the personal data processing activities of the data controller residing abroad.  For this reason, non-resident natural or legal persons who process data are obliged to comply with the registration procedures.

Data Controller Representative

According to the Regulation, non-resident data controllers are obliged to be registered into the Registry through a data controller representative. Therefore, Controllers that are not established in Turkey must appoint a data controller representative under the DP Law and the Regulation on Data Controllers’ Registry which is a similar provision to the one in Art. 27 of the GDPR. The data controller’s representative must be a Turkey-based legal person or a Turkish citizen. The data controller’s representative should appoint a contact person to communicate with the Authority. Identity and address information of the contact person must be reported in the registration process.

 Deadline

Although, there is no deadline under the legislation specific to the appointment of a representative, since the initial step that the representative will take would be to register the foreign controller with VERBIS, the deadline to register with VERBIS (31 December 2021) is also treated as the deadline to appoint a representative in Turkey. Therefore, foreign controllers that process personal data collected from Turkey must appoint their representative without delay to prevent risks.

Sanctions

Although there is no specific fine under the DP Law for not appointing a representative, if the foreign controller cannot satisfy its obligation to receive, respond to and conclude DSARs and other requests relating to personal data in a timely and effective manner due to the missing representative, this may lead to complaints by data subjects to the Authority, which may result in administrative fines of up to 1,966,862 Turkish lira (approximately $218,338.40).

Further, if foreign controllers fail to appoint a representative and register with VERBIS by 31 December 2021, an administrative fine of up to 1,966,862 Turkish lira (approximately $218,338.40) may be imposed. It is also possible for the DPA to decide to restrict the data processing operations of the controller.”

Requirements to be the Representative and Appointment

The representative must be vested with the powers below, as a minimum. They must have the authority to:

• receive or accept (on behalf of the data controller) notifications and correspondences made by the Data Protection Authority (DPA);
• transmit the demands made by the DPA to the data controller and submit the responses of the data controller to the DPA;
• receive data subjects’ requests on behalf of the data controller and transmit the requests to the data controller in cases where no other principle has been determined by the DPA;
• transmit the data controller’s response to the data subjects in cases where no other principle has been determined by the DPA; and
• perform operations relating to the Data Controllers Registry Information System (VERBIS) on behalf of the data controller.

The representative must be appointed with an appointment decision by the foreign controller. The appointment letter must contain the powers of the representative, as well as the full name and address of both the foreign controller and the representative. This appointment should be made by a decision taken by the competent authority of the relevant data controller and the wet signed version of the relevant decision should be submitted to the Board with the approval of apostille or notary.