Last Days to Register for Data Controllers' Registry

The last day of the obligation to register in the Data Controllers' Registry is 30.09.2019 for the real and legal person data controllers who have more than 50 employees annually or the total financial balance of more than 25 million TRY and all real and legal person data officers residing abroad. Failure to fulfil this obligation may result in an administrative fine of 20.000 Turkish liras to 1.000.000 Turkish liras for data controllers.

Who is the Data Controller?

According to the Law on the Protection of Personal Data No. 6698, the data controller is the natural or legal person who determines the purposes of processing personal data and necessary procedures to store personal data of citizens. The data controller is also responsible for establishing and managing the data registry system. All natural and legal persons resident abroad are data controllers for processing the data of citizens of the Republic of Turkey due to the Law on the Protection of Personal Data is extraterritorial.

What is the Data Controllers' Registry, Who is Required to Register?

The Data Controllers' Registry is controlled and managed by the Presidency of the Turkish Data Protection Authority under the supervision of the Personal Data Protection Board. According to the Law on the Protection of Personal Data, data controllers are required to register with the Data Controllers' Registry.

The Personal Data Protection Board has made an exemption to the requirement to register in the Data Controllers' Registry for real and legal person data controllers whose annual number of employees is less than 50 and whose total annual financial balance is less than 25 million Try. This exemption does not include data controllers residing abroad.

What Happens if the Obligation to Register in the Data Controllers' Registry is Not Complied?

According to Article 18 of the Law on the Protection of Personal Data, the Board may impose an administrative fine of 20.000 Turkish Liras to 1.000.000 Turkish Liras for those who do not fulfill the obligation to register and notify the Data Controllers' Registry.

When is the Last Day to Register in the Data Controllers' Registry?

According to the decision of the Personal Data Protection Board dated 19.07.2018 and numbered 2018/88, to register in the Data Controllers' Registry;

  • 1- Real and legal person who are controlling data who have more than 50 employees or an annual balance sheet total of more than 25 million Try must register until 30.09.2019.
  • 2- Real and legal persons who are controlling data who are residing abroad must register until 30.09.2019.
  • 3- Real and legal persons who are controlling and processing of sensitive (special categories of) data but having less than 50 employees and an annual balance sheet total of less than 25 million Try must register until 31.03.2020.

If exceptional data controllers fall within the scope of one of the groups mentioned above they shall fulfill their registration obligation within the registration periods specified for their group. If registration becomes obligatory to a real or legal person after the expiration of given period, the persona must register within 30 days.

How are Annual Employee Numbers Calculated?

In order to calculate the annual number of employees, reports named "Withholding and Bonus Service Declaration" which are submitted to Social Security Institution on a monthly basis by the data controllers in each of at least 7 of 12 months in a completed year must be taken into account. Furthermore, it is not obligatory for these 7 months to be consecutive within the year.

According to this, a data controller is obliged to register if the number of employees declared on the Withholding and Bonus Service Declarations is more than 50 on at least 7 out of the 12 reports.

How is the Annual Financial Balance Sheet Calculated?

In order to calculate the total annual financial balance sheet, the financial balance sheet information given in the annexed income or corporate tax declaration given to the authorized public institution by the data controller in the completed year must be taken into consideration. Accordingly, the statement of the data controller must contain the total figure of the "assets" and "liabilities" of the data controller. Annual turnover or net sales / gross sales revenue information will not be considered.

What should be notified in the application for registration to the Data Controllers' Registry?

In the application for registration to the Data Controllers' Registry;

a) Identifying information (including the address of the data controller or its representative),
b) The purpose of the data processing.
c) The data subject groups and data categories (data processing inventory).
d) Recipient or recipient groups to which the data may be transferred,
e) Any personal data which may be transferred abroad,
f) The data security measures taken,
g) The maximum time for processing personal data (which must be in accordance with the purpose of the data processing),
h) In case of any change in the information listed above, such change shall be notified to the Authority immediately,

shall be reported. This information should be based on the Personal Data Processing Inventory.

What is the Personal Data Processing Inventory?

Personal Data Processing Inventory is a document which data controllers must submit that explain and detail the usage, purpose and storage of personal data. It includes data category, the group of recipients transferred and the group of data in relation to the person they are formed and the maximum amount of time required for the purposes of processing personal data, personal data foreseen to be transferred to foreign countries and data security measures taken in connection with the business processes. Data storage and destruction policies should be prepared with the inventory.

What happens if the Personal Data Processing Inventory is not Prepared?

In the guidance on technical and administrative measures published by the Board, inventory is considered among the administrative measures to be taken. Therefore, if the inventory is not prepared, the measures related to the data security mentioned in the Article 12 of the Law on the Protection of Personal Data shall not be fulfilled. Therefore, administrative fines of 15.000 Turkish lira to 1.000.000 Turkish lira may be imposed by the board.

How To Register in Data Controllers' Registry?

Registration to the Data Controllers' Registry can be made via VERBİS on the Board's website. A representative who is a natural person and has Turkish citizenship or legal entity in Turkey should be appointed by a data controller who are not resident in Turkey to communicate with the Personal Data Protection Board and to perform transactions related to the Data Controllers' Registry on behalf of the data controller.

For the data controllers, a contact person should be assigned via VERBİS to carry out the registration procedures to Registry. The contact person should be the real person as he / she performs his / her duties of ensuring communication between the data controller and the board and carrying out the registration procedures. The real person data controller himself/herself or their representative, or a member of the board of directors of the company or any third party person may be appointed as a contact person. The contact person selection from people who has knowledge of personal data processed at the company is recommended by the Board.

Yours Sincerely,
Muhtaranlar Attorney Partnership
Att. Gökhan Muhtaranlar