17 May 2017
DRAFT REGULATION ON DATA CONTROLLER REGISTRY HAS BEEN MADE AVAILABLE FOR PUBLIC CONSULTATION BY THE DATA PROTECTION BOARD
The Draft Regulation on Data Controller Registry (“Draft”) was made available for public consultation on May 5, 2017 by the Data Protection Board (“Board”). The Draft has been prepared as per Article 16 of the Law on Data Protection No. 6698 (“Law”).
The Data Controller Registry (“Registry”) is a mandatory registration system foreseen under the Law for data controllers, where information regarding their data processing activities must be registered and disclosed to the public. The purpose of the Draft is to set out the procedures and principles for the establishment and administration of the Registry and for the information and records to be registered.
REGISTRY OBLIGATION AND EXEMPTIONS
Pursuant to the Law, any real person or legal entity who determines the purposes and means of processing personal data and who is responsible for the establishment and management of the data recording system is a “data controller”.
In principle, all data controllers must register with the Registry. However, pursuant to the Draft, the Board will determine exemptions from the registration requirement according to the following criteria in respect of personal data processing activities which are not fully or partially automatic;
If this provision is enacted as proposed, the exemption from the registration obligation will only be applicable to those data controllers whose data processing activities are not fully or partially automatic. This would mean that the Board opts to limit the power given to it by the Law to determine the exemption criteria solely to a group of data controllers.
The Board will further announce the exemption rules to the public. However, it should be noted that being exempt from the registration obligation will not affect the other obligations of the data controller under the Law.
WHAT ARE THE RESPONSIBILITIES OF THE DATA CONTROLLERS WHO ARE OBLIGED TO REGISTER WITH THE REGISTRY?
Data controllers subject to the registration obligation need to prepare a Retention and Erasure Policy, where data controllers determine the data processing [retention] periods that data processing purposes require.
WHAT IS VERBIS?
Application to the Registry and any operations regarding the Registry will be carried out through an information system called VERBIS that will be accessible via the Internet. Data controllers will be deemed to have fulfilled their registration obligation by uploading the above information to VERBIS. In the absence of proper notification, the Data Protection Authority may suspend the processing of personal data until such deficiencies are rectified.
WHAT ARE THE SANCTIONS?
Data controllers who fail to comply with the registry obligation will be subject to an administrative fine between TRY 20,000 and TRY 1,000,000.
THE LIABILITIES OF THE DATA CONTROLLER, DATA CONTROLLER REPRESENTATIVE AND THE CONTACT PERSON
According to the Draft, where the data controller is a legal entity, the data controller is the legal entity itself. The data controller’s liabilities within the scope of the Law will be fulfilled by the person or persons indicated in the relevant legislation or by the competent body that represents and binds the legal entity. The competent body representing the legal entity may appoint one or more persons to fulfill the obligations in respect of the application of the Law. This assignment of powers will not release the relevant body from liability in accordance with the provisions of the Law. The competent body that represents and binds the legal entity cannot transfer its responsibilities to one or more persons within or outside the legal entity or to a member or members for the purposes of enforcement of the Law.
If the Draft is finalized in this way, the boards of directors of companies will not be able to allocate the powers and liability to one of the board members, to an employee who is not a board member (like a data privacy officer), or to someone outside of the company. The board of directors, as a body, will always be primarily responsible even if it appoints an executive director or a data officer.
The re-evaluation of this provision by the Data Protection Authority and its rearrangement in accordance with the Turkish Code of Commerce will be of great importance for data controller companies.
register with the Registry.
For any further queries on the subject matter or for information on our recommendations submitted to the Board regarding the Draft, please contact Selen Gures at email@example.com.