Selin OZBEK CITTONE
Attorney at Law / Managing Partner
10 October 2019
The Data Protection Board (“Board”) published its decision on 7 October 2019 regarding possible registration obligation of branches and liaison offices of foreign companies in Turkey with the Data Controllers’ Registry (The newly published decision was actually taken by the Board on 23 July 2019 with a decision number 2019/225 upon an opinion request directed to it earlier on.). You can read the Decision, only available in Turkish, here.
The Board’s decision includes a detailed explanation and assessment of the Turkish legislation on branches formed by foreign companies in Turkey; as well as the Turkish Data Protection Law and the GDPR. As a result of its evaluation, the Board notes that both the foreign entity and its branch in Turkey would be data controllers for purposes of their data processing activities. The Board acknowledges that these branches lack “legal persona”, thus they do not qualify as “legal entity”; but considers that the branches established in Turkey by foreign companies must register with the relevant trade registries in Turkey and they act vis-a-vis third parties in Turkey. When interpreting the definition of the “data controller” in the Turkish Data Protection Law, the Board refers to article 3 (1) of the GDPR (territorial scope) and definition of data controller in article 4 of the GDPR and considers that having an establishment in Turkey should be sufficient to become a controller even if such establishment is not formed as a legal entity, e.g. company, association, etc. This way, the Board interprets broadly the definition of the controller in the Turkish Data Protection Law based on the definition of the controller in the GDPR.
In relation to the liaison offices however, the Board decides that they will not be required to register with the Data Controllers’ Registry as they cannot engage in commercial activities in Turkey and have limited operations related to marketing, market search, and analysis, etc. for and on behalf of the parent company residing outside of Turkey.
We note that the registration deadline for data controllers has been extended and foreign company controllers and their respective branches established in Turkey must register with the Data Controllers’ Registry by 31 December 2019.