FAQ

Every non-resident data controller (“Foreign Entity”) processing personal data of the data subjects in Turkey as a data controller should register before the Data Controllers Registry (“Registry” or “VERBIS”).

Article 16 of Law no. 6698 on the Protection of Personal Data (the “Data Protection Law”) introduced a general obligation on data controllers processing personal data of data subjects residing in Turkey to register before the Registry. With the Regulation on the Data Controllers Registry and a number of Board Decisions, the Board determined the scope of the obligation of registration and clarified the types of data controller that would be under the obligation to register before the Registry. As per the Regulation and the Board Decisions, it has been determined that no exemptions shall apply to foreign data controllers processing personal data of data subjects in Turkey and that all such foreign data controllers must carry out their registration processes before the Registry by the deadline of 31^st of December, 2021[1].

[1] The deadline extension has been determined by the Board Decision dated 11/03/2021 and numbered 2021/238 and has been announced on the official website of the Personal Data Protection Authority.

Failure to carry out the registration can be sanctioned with an administrative fine ranging from TRY 119.428 to 5.971.989 [1] TRY. (approximately between USD 5.971 to USD 298.599).

[1] With the revaluation rate of the year 2023.

 1- Appointment of a Data Controller Representative

In order to be able to complete registration before the Registry, Foreign Entity must appoint a data controller representative who must be either a Turkish national or a legal entity established in Turkey (“Data Controller Representative”). The appointed Representative must have the power to represent the foreign data controller before the Board and receive and facilitate communication from the Board and from any data subject in Turkey that files an application with regard to their rights guaranteed under the Data Protection Law.

Depending on the requirements of the jurisdiction in which the Foreign Entity is established Representative appointment document can be drafted as a decision of appointment or a power of attorney. The important points to consider are;

i)   the method of appointment should be consistent and valid with regard to the requirements of jurisdiction in which the Foreign Entity is established,

ii)  the document should be duly notarized by a notary and be apostilled (or otherwise be certified by a Turkish consulate located in the jurisdiction at which it is issued).

2- Preparation of a Personal Data Processing Inventory

According to the Turkish data protection legislation data controllers are required to prepare a personal data processing inventory (“Inventory”) containing at least the following information:

1. purposes of personal data processing activities
2. legal grounds of such processing activities,
3. data categories associated with such processing activities,
4. recipient groups of such processing activities,
5. data subject groups of such processing activities,
6. the maximum retention period required by the purposes of the processing, [1]
7. personal data envisaged to be transferred abroad, and
8. measures taken concerning data security.

While not completely identical, it should be noted that the scope and content of the Inventory is similar to the Records of Processing Activities (“RoPA”) required under Article 30 of the GDPR. Therefore, if within the scope of GDPR compliance the Foreign Entity has RoPA, these efforts can also be utilized as a basis of the inventory for VERBIS registration. The inventory shall not be uploaded to the Registry only the categorical information to be provided to the Registry should be based on the inventory.

Stated below is a comparison of Inventory and Records of Processing:

[1]Limitation of action period under Turkish legislation is 10 years. In this regard, the personal data that would constitute evidence could be stored maximum 10 years and the storage period would be legitimate. Nevertheless, decision of the retention periods of personal data should be made in accordance with the sector practices.

3- Fulfillment of the Sign-Up Form

Registration system sign-up form which is printed form document available at VERBIS’ website to request certain basic information both regarding the data controller (i.e. Foreign Entity) and the Data Controller Representative is requested. The following information is requested under the form:

4- What are the Registration Steps?

4 – Does the Foreign Entity Has to Pay a Fee with the Data Controllers Registration?

There is not any registration fee applied on the Regulator’s side.

5- After the Completion of the Registration How Often the Registration Records Should be Reviewed and Revised?

According to Article 13 of the Regulation on the Data Controllers Registry, “In the event of a change in the information registered to VERBİS, such changes must be notified via VERBİS within 7 days following the date of the change.”

As the information registered to VERBIS is categorical it is not expected that frequent changes would occur and affect the information declared to VERBIS. In any case it would be worth checking quarterly or in accordance with Foreign Entity’s internal Inventory/RoPA update policy. If the Foreign Entity implements changes that might have an impact over the submitted information, prior to the quarterly updates, timely reporting should be made in accordance with Article 13.