Selin OZBEK CITTONE
Attorney at Law / Managing Partner, Dual qualified lawyer (Turkey and England & Wales)
12 September 2018
As you might recall, the Regulation on Data Protection Registry was published by the Data Protection Board (“DPA”) in the very last days of 2017 and entered into force as of 1 January 2018. This is the main piece of legislation on the registry system applicable to data controllers. The online registration system is called VERBIS and is expected to be live and running as of October 2018.
On August 18, 2018, just before the Bayram Holidays (Eid), the DPA announced the registration dates for four different data controller groups, as well as an additional list of exemptions from registration.
Accordingly, the registration obligation will start first, as of October 2018, for (i) companies with more than 50 employees or an annual balance sheet total of at least 25 million TL and (ii) foreign data controllers.
Who is exempt?
The DPA first announced the list of exemptions for registry on 15 May 2018. That list included
On 18 August 2018, the following was added to this list:
What does this mean?
It means that if you are not exempt, you must register with the Data Controllers Registry before the deadlines:
Type of Data Controller | Registration start date | Registration deadline
Data controllers having more than 50 employees or an annual balance sheet total of more than 25 million TL | 1 October 2018 | 30 September 2019
Data controllers residing abroad | 1 October 2018 | 30 September 2019
Data controllers having fewer than 50 employees and an annual balance sheet total of less than 25 million TL, but whose main field of operation is the processing of sensitive (special categories of) data | 1 January 2019 | 31 March 2020
Data controllers that are governmental institutions and organizations | 1 April 2019 | 30 June 2020
What is needed to register?
Get ready & find your rep!
You should already have prepared your data inventory, your data processing policy, and your retention and neutralization policy. If you have not done so to date, you should put these at the top of your to-do list for Q4.
If you are not a Turkish company but are doing business in Turkey and processing personal information, you need to appoint a representative to handle your relations with the DPA. Don’t forget: if you fail to do so, you may be fined up to TRY 1,000,000.