Pekin & Pekin



Legal Alert 2 / 2018


 

The Pekin & Pekin Corporate / M&A practice team, besides assisting M&A transactions of various sizes and natures, provides practical and innovative advice to its clients on their day-to-day operations in various areas of law, including, among others, Data Protection and Internet Law, which have been subject to significant changes in Turkey over the last few years and are still prone to developments.

 

To discuss how these developments affect your business interests please contact either:

Okan Or

Partner

Corporate / M&A

Elif Tolunay

Associate

Corporate / M&A

Cansın Akıncı

Associate

Corporate / M&A

Email:
oor@pekin-pekin.com

Email:
etolunay@pekin-pekin.com

Email:
cakinci@pekin-pekin.com

 

Data Protection

 

Regulation on Data Controllers’ Registry has entered into force and the Board of Protection of Personal Data subsequently announced expected next steps with respect to establishment of Data Controllers’ Registry and data controllers’ obligation to register

 

As is known, Article 16/2 of Law on Personal Data Protection (Law No. 6698) (published in the Official Gazette dated April 7, 2016 and numbered 29677) (“Data Protection Law”) stipulates that real or legal persons, who process personal data, shall be registered before the data controllers’ registry (“Data Controllers’ Registry”) prior to commencing personal data processing and Article 16/5 provides that procedures and principles regarding Data Controllers’ Registry will be determined by a regulation.

Accordingly, for purposes of setting out the procedures and principles regarding establishment and management of the Data Controllers’ Registry and the data required to be registered with the Data Controllers’ Registry, the Regulation on Data Controllers’ Registry (“RDCR”) was published in the Official Gazette dated December 30, 2017 and numbered 30286 and entered into force on January 1, 2018.

Subsequently, the Board of Protection of Personal Data (“Board”) announced on its website (http://www.kvkk.gov.tr/veri_sorumlulari_sicili_bilgilendirme.html) (at the moment only available in Turkish) that the obligation to register with the RDCR will be effective at a date to be announced later by the Board, following announcement of the resolution(s) providing exemptions to this obligation and activation of the Data Controllers’ Registry Information System (“VERBIS”).

While there are steps yet to be taken by the Board before the registration obligation of data controllers commences and the RDCR becomes fully effective and enforceable, the concepts the RDCR has introduced and the obligations of data controllers, which are expected to become effective in the near future, are noteworthy in our view.

 

The RDCR stipulates the following:

  • Pursuant to Article 5/1 (a), data controllers, which are defined in the Data Protection Law and RDCR as “real or legal person who determines the processing purposes and means of personal data, and who is responsible for establishment and management of the data filing system”, shall apply for their registration into the Data Controllers’ Registry before starting to process personal data, unless (i) personal data processing is necessary for prevention of crime or criminal investigation; (ii) processed personal data has been made public by the data subject itself; (iii) personal data processing is necessary for the fulfilment of the duty of supervision or regulation and disciplinary proceeding and prosecution by public authorities and organizations and public professional organizations which are competent and authorized by law; and/or (iv) personal data processing is necessary for the protection of economic and financial interests of the government in relation to taxes and financial matters (Article 15). Furthermore, Article 16 stipulates that the Board is empowered to determine and announce other exemptions to this obligation by taking into consideration the following criteria: (i) nature of the personal data; (ii) number of the personal data; (iii) purpose(s) of processing of the personal data; (iv) field of activity in which personal data is processed; (v) transfer of personal data to third parties; (vi) personal data processing activity required by law; (vii) storage period of personal data; and/or (viii) data subject group or data categories.
  • Pursuant to Article 9/1, data controllers shall register into the Data Controllers’ Registry (i) identification and address information of the data controller, its representative if any and its contact person; (ii) purposes of processing personal data; (iii) group(s) of data subjects and related data categories; (iv) receiver and group of receivers to whom data may be transferred; (v) personal data that may be transferred to foreign countries; (vi) date of registration to Data Controllers’ Registry and the end of the registration; (vii) measures regarding personal data security that have been adopted in accordance with anticipated measures under Article 12 of Law on Personal Data Protection and criteria determined by the Board; and (viii) the maximum personal data storage period required by law or purposes for which the personal data is processed.
  • According to Article 11/4, legal entity data controllers domiciled in Turkey shall designate a contact person for communications with the concerned persons and identify that contact person in VERBIS.
  • Pursuant to Article 11/2 and Article 4/1 (p) legal entity data controllers domiciled outside of Turkey shall assign a data controller representative. This representative must be a Turkish citizen or a legal entity domiciled in Turkey.
  • Pursuant to Article 5/1 (ç) information to be disclosed to Data Controllers’ Registry during the application for registration shall be prepared in accordance with the personal data processing inventory which is defined under Article 4/1 (h) as the inventory that shall include (i) on-going personal data processing activities; (ii) purpose(s) of processing of the personal data; (iii) category of data; (iv) data receivers; (v) maximum data storage period for the purposes of processing of the personal data; (vi) personal data to be transferred to foreign countries; and (vii) data security measures.
  • The maximum storage period of the personal data shall be determined by taking into account the following criteria stipulated by Article 9/4: (i) period commonly adopted in the sector of the data controller with respect to the relevant data category; (ii) period during which the legal relationship established with the relevant person, that necessitates the processing of the personal data in the relevant data category, will continue; (iii) period in which the legitimate interests of the data controller will be valid in compliance with the law and good faith depending on the purpose of processing of the relevant data category; (iv) period during which risks, costs, and responsibilities arising from the storage of the relevant data category, depending on the purpose of processing, will continue; (v) whether the storage period is suitable to keep the relevant data category correct and updated; (vi) period during which the data controller is obliged to store personal data in the relevant data category due to its legal obligation; and (vii) expiration date determined by the data controller to claim a right attached to a personal data in the relevant data category.
  • Pursuant to Article 9/5 data controllers shall prepare a personal data storage and destruction policy to determine the maximum storage period, ensure its compliance with data processing inventory, and monitor application of the maximum storage period.
  • In the event of a change within the registered information, data controllers shall be obliged to notify such changes to the PDPA within 7 days as of the date of the change. Data controllers shall apply to the PDPA via VERBIS for deletion of any kind of personal data according to Article 13.
  • Pursuant to Article 8/2, data controllers who are not obliged to be registered with the Data Controllers’ Registry in the first place but then become obliged to register shall apply for their registration within 30 days as of the date of commencement of such obligation.
  • Pursuant to Article 8/3, the PDPA may grant a grace period of 30 days maximum to data controllers who have failed to timely fulfil their registration obligation and who have applied in writing to the PDPA within 7 business days upon occurrence of the reason for the non-fulfilment.
  • Pursuant to Article 5/1 (c) Data Controllers’ Registry will be open to public.

Pursuant to Article 17 of RDCR and Article 18/1(ç) of Data Protection Law, administrative fines from TL 20,000 to TL 1,000,000 shall be imposed on data controllers who violate the registration and notification obligations.

 


This legal newsletter has been prepared for informational purposes only; it has not been prepared for advertising purposes or with the intention of creating an attorney-client relationship. It does not seek to provide information on all legal developments in Turkey within the quarter specified. None of the information contained in this legal newsletter shall constitute legal advice or anything akin thereto. To unsubscribe, email the editor: newsletter@pekin.pekin.com


© PEKIN & PEKIN 2018

t: +90 212 313 35 00 f: +90 212 313 35 35 e: postmaster@pekin-pekin.com

www.pekin-pekin.com