Utilizziamo cookie tecnici per personalizzare il sito web e offrire all’utente un servizio di maggior valore. Chiudendo il banner e continuando con la navigazione verranno installati nel Suo dispositivo i cookie tecnici necessari ai fini della navigazione nel Sito. L’installazione dei cookie tecnici non richiede alcun consenso da parte Sua. Ulteriori informazioni sono contenute nella nostra Cookie Policy.



Turkey: Registry of Data Controllers’

PrintMailRate-it

published on 23 January 2024 | reading time approx. 4 minutes


Personal Data Protection Law was introduced in 2016 and came into force on April 7, 2016, in Turkey.  Although there are provisions regarding data privacy and data protection in the Turkish Constitution regulating the right to privacy and protection of private life and also in Turkish Criminal Code regulating the illegal storage of personal data, unauthorized sharing or collection of personal data and non-destruction of personal data (within the legally prescribed period) and the penalties to be imposed for breaches thereto, Personal Data Protection Law, upon enforcement, serves as an umbrella covering the requirements and standards in other words dos and don’ts of data protection in Turkey. 

Although Turkey signed the Convention 108 on 28 January 1981, there has been no law enacted as required by the Convention until the adoption of Personal Data Protection Law. Personal Data Protection Law is drafted in conformity with the Directive 95/46/EC of the European Parliament and of the Council which was in force in 2016. However, when the Directive was replaced by GDPR in 2018, Turkey did not revise the Personal Data Protection Law accordingly and therefore the provisions of the Personal Data Protection Law currently in force in Turkey differ from the GDPR.

One significant difference of many is the obligation of Data Controllers’ Registry (VERBIS). According to Personal Data Protection Law and related regulations, data controllers are obliged to register to VERBIS under the following conditions. 

Data controllers:
  • who have more than 50 employees per year;
  • whose annual financial statement adds up to more than 100 million Turkish liras;
  • whose main activity is to process sensitive personal data, regardless of the figures determined for the number of employees and/or financial statements, and not established in Turkey but process personal data in Turkey.
Entry in the registry requires the data controllers to specify the category of personal data processed, the reason for the processing of such personal data, from which category of recipients the personal data was collected, if the data is transferred (both domestically and abroad), for how long the data will be processed and when it will be deleted/destroyed, as well as the security measures taken for the protection of the processed personal data. For the avoidance of doubt, the data controller is not required to enter any personal data in the registry only the category of the processed personal data. 

If the Data Controller is not resident in Turkey, but fulfils the conditions for registration in the Registry, a representative of Turkish nationality shall be appointed. The representative may be a Turkish legal entity or a Turkish natural person and shall act only as the contact person for the data controller without assuming further liability.  

The registry is controlled and managed by the Data Protection Authority online and is open to the public. It aims to make the processing of personal data transparent and accessible to the public. This way, as the data subjects will be able to review which of their data might be processed more easily and, in the event of a breach, the data subjects will be able to report it more quickly to the Data Controller and keep it accountable.

If the Data Protection Authority receives a complaint against the data controller or becomes aware of an unlawful act, an investigation may be initiated accordingly. In this regard, Data Protection Authority has the right to request information and documents from the data controller and to examine them on site and/or online. 

In the event that an unlawful act is identified as a result of a breach by the data controller, a penalty may be imposed up to an amount of 9.463.213,00 Turkish lira (as of 05/01/2024). The penalty amounts are updated every year. However, as far as we know, since the obligation of registering in the Data Controllers’ Registry, no sanctions have been imposed on a data controller yet for the failure of non-registering.

 DATA PROTECTION BITES

author

Contact Person Picture

Bortecine Gultekin

Avukat

+90 212 3101 434

Invia richiesta

 RÖDL & PARTNER Turkey

Discover more about our offices in Turkey. 
Deutschland Weltweit Search Menu