After the publication of the Law on Protection of Personal Data (“Law”) numbered 6698 on 07.04.2016, the draft Directive on Register of Data Controllers (“Directive”) has been prepared and will be finalized soon.
The Law is already in force and, according to its articles, all personal information processed so far (before the adoption of the Law) shall be brought into compliance with the Law within two years. Otherwise, violation of the Law may result in administrative fines and/or imprisonment and/or pecuniary and non-pecuniary damages. It is therefore important to take the necessary steps and prepare your organization for the Law as soon as possible.
This memorandum aims to give brief information relating to the Directive.
What are Controller and Register of Data Controllers?
According to the Law, Controller shall mean the natural or legal person who determines the purposes and means of the processing of personal data and who is responsible for the establishment and management of the data recording system. For instance, an accounting firm shall be considered a controller with respect to the collected personal data of its employees, and call centers shall be considered controllers with respect to the collected personal data of their clients.
The Register of Data Controllers (“Register”) is a register system in which Controllers have to sign up and announce their activities relevant to the processing of personal data.
Who will be the Controller in legal entities?
For legal entities, the Controller is the legal entity itself. The body authorized to represent and bind the company will be responsible with regard to the Law, the Directive and the other related directives.
If the Controller is not located in Turkey, a natural person or a legal entity should be appointed to represent and bind the Controller with, at minimum, the authorities stated by the Directive.
Do you need to sign up for the Registry?
As a rule, every organization that processes personal information has to sign up unless it is exempted.
What are the exemptions?
Article 28 of the Law defines some circumstances which exclude application of the Law entirely. For instance: if personal data processing is related to one’s own data or to that of a family member who cohabits with the processor; if personal data processing is necessary for national defense, national security, public safety, public order, economic safety or for the purposes of art, history, science or freedom of expression, provided that the right of privacy or personal rights of the data subject are not violated; if personal data processing is carried out by investigating, prosecution, judgment or enforcement authorities.
However, apart from the circumstances defined in Article 28, the Committee (the Committee of Protection of Personal Data, which is established to enforce the Law) is also entitled to designate new exceptional conditions by taking into account the qualification, number and retention period of the personal data, the purpose of processing, etc.
Is there a deadline to sign up for the Registry?
Controllers shall sign up for the Registry before processing any personal data or within 30 days after such an obligation arises. Failure to do so is subject to an administrative fine from 20.000 TL to 1.000.000 TL.
Is there a fee to sign up for the Registry?
There will be an initial signup fee for the Registry and a fee for each and every registered year. The amounts of these fees have not been determined yet.
Which information do you need to share with the Committee?
Controllers are obliged to submit the following information to the Committee to sign up for the Registry:
- ID and address information of the Controller and the representative of the Controller if any,
- Information asked in the application form which will be determined by the Committee later on,
- Reasons/purposes for processing information,
- Types/Classes of information processed,
- Possible recipients of the personal data,
- Personal data which may be transferred to foreign countries,
- Precautions which are considered to be taken for data security in compliance with the criteria of the Committee.
Do you have a Personal Data Inventory Map?
Controllers who are obliged to sign up for the Registry are also obliged to maintain a Personal Data Inventory. Classifying personal data helps organizations to identify the personal data that they have collected and are processing (What personal data is collected and why? Who collects it? Where is it stored? Who is it disclosed to?).
Do you have a Personal Data Retention and Disposal Policy?
Controllers who are obliged to sign up for the Registry are also obliged to have a Personal Data Retention and Disposal Policy showing the retention periods of the related personal information as required by the reasons/purposes for processing this information.
This brief memorandum is prepared based on the draft directive; accordingly it may be revised in compliance with the final version of the directive.
Av. Vedia Nihal Koyuncu, LL.M