Selin OZBEK CITTONE
Attorney at Law / Managing Partner
07 February 2018
There is no doubt that 2017 was full of hard work for many of us who have been actively working on data protection compliance projects.
Now that the Turkish Data Protection Authority (“DPA”) is fully functional and Data Protection Board (“Board”) is working really hard to prepare certain secondary legislation and guide us in the data privacy practice, it is time to take this seriously!
We thought giving you an update on what happened in 2017 could be a good starting point. 2018 will be the year we will all be talking and working about data privacy as the April 2018 deadline is approaching and GDPR is happening!
WHAT HAPPENED IN 2017?
We need to register with VERBIS!
The Regulation on Data Protection Registry was published by the DPA literally on the last days of 2017 and came into force as of January 1, 2018. To cut it short, this is the main piece of legislation regarding the registry system that will be applicable for data controllers. The online registry system is called VERBIS and is expected to be live and running in a very short time. We know that the infrastructure is ready, and tests are to be completed soon.
What does this mean?
It means that if you are a data controller you must register with VERBIS. There may be few exemptions, but the Board did not announce them yet. So hurry!
What is needed for registration?
Time for decluttering!
The Regulation on Deletion, Destruction and Anonymization was published earlier in October 28, 2017 and came into force as of January 1, 2018.
It means that it is time for Spring Cleaning!
There is no doubt that deletion, destruction and/or anonymization are all very technical and administrative. Plus, all of these are very new concepts for Turkish data controllers. But there is a lot to be done to comply with the laws.
Those data controllers, who are required to be registered with VERBIS must determine their retention periods and prepare a retention & neutralization policy.
The neutralization is not only applicable to those who are required to be registered with VERBIS. Other data controllers who may be exempt from registration must also comply with the regulations but they are exempt from preparing a retention and neutralization policy. All data controllers must examine which data they can keep in compliance with the laws and delete/destroy/anonymize the others.
What is needed for preparing a policy?
You must prepare your policy in light of your personal data inventory.
You must include in your policy, among others,
WHAT IS ON THE HORIZON IN 2018?
We are expecting the Board to issue the WHITE LISTED COUNTRIES in the first quarter of 2018 or even the criteria for such. Transfer of data outside of Turkey (which may simply include using cloud computing services or apps having their own cloud servers) or simply sharing a database with the parent company outside of Turkey is currently very problematic if you do not obtain the consent of the data subjects. We hope this will soon be clarified by the Board. We expect that global companies or global service providers (like Microsoft, Salesforce, Oracle etc.) will be able to solve the problem to transfer of data to abroad by applying to the DPA for permission.
Although not explicitly regulated in the Turkish legislation, we are expecting that assessment requirements may be imposed similar to data PRIVACY IMPACT ASSESSMENTS in the EU.
Use of CLOUD systems is currently problematic, but we expect the Board to also clarify this point very soon.
The DPA is working hard to raise AWARENESS of data subjects regarding their data privacy. Thus Data Controllers must be ready to handle requests of data subjects in 2018 and neutralize the data subject’s data if requested or respond accordingly. This is especially very important for telecommunication companies, retail businesses, e-commerce companies, and any B2C companies.
April 7, 2018 may be beginning for a new era. We must get ready!
DON’T BE FOOLED ON APRIL FOOLS’ DAY!
Don’t forget the DEADLINE for compliance of any data obtained prior to April 7, 2016 is expiring on APRIL 7, 2018.
What should we have done? What do we need to do?
 See http://www.ozbek.av.tr/data-privacy-blog/deletion-destruction-or-anonymization-of-personal-data/ for additional information.