REGULATION ON THE REGISTRY OF DATA CONTROLLERS

 

Number and Date of the Base Law: 6698 – March 24, 2016

 

Date and Number of the Publishing Official Gazette: December 30, 2017 - Issue Number: 30286

 

 

PART ONE

 

Objective, Scope, Legal Basis and Definitions

 

Objective

 

ARTICLE 1- (1) The objective of this Regulation is to identify and set forth the principles and procedures regarding the creation of the Registry of Data Controllers, which shall be kept by the Chairman's Office publicly pursuant to the Law No. 6698 on the Protection of Personal Data, dated 24/3/2018, under the supervision of the Board, the administration of the same and the registrations, which are contemplated to be entered to the Registry of Data Controllers, and to ensure the enforcement of the same.

 

 

Scope

 

ARTICLE 2- (1) The scope of applicability of this Regulation encompasses any and all natural persons or legal entities, who or which determine the purposes and means of the processing of personal data, and who are responsible for establishment and management of the data recording system.

 

 

Legal Basis

 

ARTICLE 3- (1) This Regulation has been issued on the basis of the fifth paragraph of Article 16 and the sub-paragraphs (d) and (e) of the first paragraph of Article 22 of the Law No. 6698.

 

Definitions

 

ARTICLE 4- (1) The following terms in this Regulation shall have the following meanings:

 

a) Recipient group: The group of natural persons or legal entities, to whom the personal data are transferred by the data controller,

 

b) Chairman: Chairman of the Board of Personal Data Protection,

 

c) Chairman's Office: The Chairman's Office of the Authority of Personal Data Protection,

 

ç) Contact person: The natural person, who is designated at the time of registration to the Registry by the data controller for the purpose of the communications with the Authority in respect of the obligations of the legal entities, which are based in Turkey, and the data controller representatives of the legal entities, which are not based in Turkey, under the Law and the secondary regulations, which may be enacted and brought into force on the basis of the Law,

 

d) Law: The Law No. 6698 on the Protection of Personal Data,

 

e) Registration: The notification served by the data controllers, which are under the obligation of registration, in accordance with the principles and procedures identified and set forth by this Regulation,

 

f) The obligation of registration: The obligation of registration mandated and contemplated pursuant to the present Regulation,

 

g) Registered electronic mail (REM) address: The qualified form of electronic mail, which constitutes legal evidence in respect of the use of electronic communications, including the sending and the delivery of the same,

 

ğ) Personal data: Any information or data that is related to an identified or identifiable natural person,

 

h) Personal data processing inventory: The inventory, which is created by the data controllers by way of the association of the personal data processing activities that are carried out thereby with the purposes of processing of personal data, the data categories, the recipient groups and the groups of persons, being the subject matter of the data, and within which the maximum duration as necessary for the purposes, for which the personal data are processed, the personal data, which are contemplated to be transferred to foreign countries, and the precautions taken in respect of data security are detailed and described thereby,

 

ı) Personal data storage and disposal policy: The Policy, on which the data controllers base the identification of the maximum period of time as necessary for the purpose, for which the personal data are processed, and the deletion, disposal and anonymization of the personal data,

i) Processing of personal data: Any operation, which is performed upon personal data such as collection, recording, storage, preservation, alteration, adaptation, disclosure, transfer, retrieval, making available for collection, categorization or blocking its use by wholly or partly automatic means or otherwise than by automatic means which form part of a filing system,

 

j) Board: The Board of Personal Data Protection,

 

k) Authority: The Authority of Personal Data Protection, which is comprised of the Board and the Chairman's Office,

 

l) Registry: The Registry of Data Controllers that is kept and maintained by the Chairman's Office,

 

m) Data category: The personal data class of the group(s) of persons, being the subject matters of personal data, into which the personal data are grouped based on the common characteristics thereof,

 

n) Subject person group: The group of related persons, whose personal data are processed by the data controller,

 

o) Registry of Data Controllers Information System (VERBIS): The information system, which the Data Controllers shall use for the purpose of their applications to and any other relevant actions in relation to the Registry, which is accessible through the Internet and which has been created and is managed by the Chairman's Office, 

 

ö) Data controller: A natural person or legal entity, who or which determines the purposes and means of the processing of personal data, and who is responsible for establishment and management of the filing system,

 

p) Data controller representative: A legal entity, which is based in Turkey, or a natural person, who is a national of the Republic of Turkey, who is authorized to represent a data controller, which is not based in Turkey, in the minimum extent on the matters set forth within the second paragraph of Article 11 of the present Regulation.

 

(2) Any term not defined herein shall have the meaning that is ascribed thereto within the Law.

 

PART TWO

 

Creation, Administration and Supervision of and Access to the Registry

 

Rules, Principles and Procedures

 

ARTICLE 5- (1) The Registry shall be created, administered and supervised in compliance with the principles and procedures set forth below:

 

a) Data controllers shall be obliged to get registered to the Registry prior to their commencement of processing of personal data.

 

b) Any data controller, which is not based in Turkey, shall be obliged to get registered to the Registry through the agency of the respective data controller representative thereof prior to its commencement of processing of personal data.

 

c) The Registry shall be kept and maintained publicly. The Board shall be authorized to identify and set forth the scope of and derogations from the principle of publicity on the condition that the said principle is fulfilled.

 

ç) The information to be disclosed to the Registry through the course of applications to the Registry shall be prepared on the basis of the Personal Data Processing Inventory.

 

d) The information submitted to and published within the Registry on the basis of the personal data processing inventory shall lay the basis for the obligation of disclosure provided by Article 10 of the Law for the data controllers, the responding of the applications by the persons as provided by Article 13 of the Law and the identification of the scope of the explicit consent to be granted by the related persons.

 

e) The data controllers shall be responsible to ensure that the information submitted to and published within the Registry is complete, accurate, up-to-date and lawful. Having gotten registered to the Registry shall not relieve the data controllers from the other obligations thereof as imposed and contemplated under the Law.

 

f) Save for the cases provided within Article 28 of the Law; the Board's not enjoining the data controllers, which meet certain requirements on the basis of the objective criteria specified within Article 16 of the present Regulation, shall not relieve such data controllers from the obligations thereof as imposed and contemplated by the Law. 

 

g) The actions related to the Registry shall be taken and conducted by the data controllers through VERBIS.

 

ğ) The period for the fulfillment of the obligation of deletion, disposal or anonymization of personal data by the data controllers as imposed and contemplated by Article 7 of the Law shall be the maximum period required for the accomplishment of the purpose, for which the personal data, which are submitted to and published within the Registry by the data controllers, are processed.

 

Creation, administration and supervision of the Registry

 

ARTICLE 6- (1) The Registry shall be created by the Chairman's Office. The Chairman's Office shall take the technical and administrative actions as necessary for the establishment and operation of VERBIS in order for the creation, administration and maintenance of the currency as well as the protection of the Registry.

 

(2) The service division that is in charge of the creation and the administration of the Registry shall be the Data Management Department.

 

(3) The Registry shall be supervised by the Board. The activity report, which shall be issued by the Data Management Department on a quarterly basis and the scope of which shall be identified and set forth by the Board, shall be submitted to the Board.

 

Access to the Registry

 

ARTICLE 7- (1) The Chairman's Office shall disclose the current data kept in the Registry to the public through such appropriate methods, which shall be identified under the relevant resolutions of the Board.

 

(2) The following data, which shall be kept in the Registry of data controllers, shall be disclosed to the public:

 

a) The full name/ trade name, address and, if created, the REM address of the data controller, the data controller representative, if any, and the contact person,

b) The designated purposes, for which the personal data may be processed,

c) The subject person group(s) and the data categories of such persons,

ç) The recipients and recipient groups, to whom the personal data may be transferred,

d) The personal data, which are contemplated to be transferred to foreign countries,

e) The date of registration to the Registry and the date of expiration of the validity of such registration,

f) The precautions taken in respect of personal data security,

g) The maximum period required for the accomplishment of the purpose, for which the personal data are processed.

 

PART THREE

 

Start of the Obligation of Registration, Information to Be Entered to VERBIS, Application for Registration, Renewal of Registration and De-registration

 

Start of the obligation of registration

 

ARTICLE 8- (1) Data controllers should fulfil their obligation of registration to the Registry prior to their commencement of processing of personal data.

 

(2) Any data controller, which is not under the obligation of registration but subsequently becomes obliged to get registered to the Registry, shall get registered to the Registry within not later than thirty days as of the date, on which it so becomes obliged for the same.

 

(3) In the event any data controller, which is under the obligation of registration, fails to fulfill such obligation of registration on account of any practical, technical or legal incapacity to do so, it may request an extension from the Authority for the fulfillment of the obligation of registration thereof, provided that it shall apply to the Authority in writing within not later than 7 business days as of the date of emergence of such incapacity, as a part of which application it shall notify the Authority of the reasons for the emergence of the same. In that case, the Authority may grant a one-off extension to the relevant data controller, the period of which extension may not, however, exceed thirty days.

 

 

Information to be submitted as a part of the fulfilment of the obligation of registration

 

ARTICLE 9- (1) Any application filed with the Registry for registration shall contain the following information:

 

a) The information specified within the application form, the content of which shall be determined by the Authority, in respect of identity and address details of the data controller, the data controller representative, if any, and the contact person,

b) The designated purposes, for which the personal data will be processed,

c) The descriptions and remarks about the subject person group(s) and the data categories of such persons,

ç) The recipients or recipient groups, to whom the personal data may be transferred,

d) The personal data, which are contemplated to be transferred to foreign countries,

e) The precautions, which are contemplated to be taken by Article 12 of the Law, and are taken in accordance with the criteria identified and set forth by the Board,

f) The maximum period of retention of the personal data as prescribed by the applicable regulations or as necessary for the relevant purpose of processing.

 

(2) The information, which are to be disclosed and submitted to the Registry by data controllers pursuant to sub-paragraphs (b), (c), (d) and (e) of the first paragraph, shall be submitted to the Registry through VERBIS by way of the headers specified on VERBIS on the basis of the Personal Data Processing Inventory.

 

(3) The information, which are to be disclosed and submitted to the Registry by data controllers pursuant to subparagraph (f) of the first paragraph, and which shall include the matters specified within Article 12 of the Law, shall be submitted to the Registry through VERBIS by way of the headers specified on VERBIS on the basis of the Personal Data Processing Inventory.

 

(4) The information regarding the maximum period of retention of the personal data as prescribed by the applicable regulations or as necessary for the relevant purpose of processing, which are to be disclosed and submitted to the Registry by data controllers pursuant to subparagraph (g) of the first paragraph, shall be submitted to the Registry after being matched with the relevant data categories. The designated purposes of processing of the data categories and the maximum periods of retention of the personal data as necessary for such purposes of processing, which are notified by the data controller to the Registry, may be different from the periods prescribed by the applicable legislation. In that case; in the event the applicable legislation provides for a maximum period of retention, such period shall be notified to the Registry, and in the event any such maximum period is not provided, then the longest period among such periods shall be notified to the Registry. Through the course of the determination of the maximum period of retention of the personal data as necessary for the relevant purpose of processing; due consideration shall be given to:

 

a) The period that is generally recognized and implemented on the basis of the customs that prevail in the industry, in which the data controller operates, for the accomplishment of the purpose of processing of the relevant data category,

 

b) The period, throughout which the existence of legal relation, on account and on the basis of which the personal data within the relevant data category is required to be processed, and which has been established with the concerned period, will continue,

 

c) The period, throughout which the legitimate benefits, which the data controller is to gain in connection with the purpose of processing of the relevant data category, will remain in effect in compliance with the law and the rules of integrity,

 

ç) The period, throughout which the risk, costs and liabilities, which the retention of the relevant data category in connection with the purpose of processing of the same, will create, will legally remain in effect,

 

d) Whether or not the maximum period to be determined is appropriate for the maintenance of the accuracy and, where necessary, the currency of the relevant data category,

 

e) The period, for which the data controller is obliged to retain the personal data within the relevant data category under the legal obligations thereof, and

 

f) The period of prescription identified for the claiming of any right by the data controller in respect of the personal data within the relevant data category.

 

(5) The data controllers shall issue a personal data storage and disposal policy in order for the determination of the maximum periods of retention as necessary for the accomplishment of the designated purpose of processing of personal data, the compliance of such periods with the information specified within the personal data processing inventory, and the monitoring of whether or not such maximum periods have been exceeded, and shall ensure the implementation of such policy.

 

(6) In the cases, where the headers and contents provided within VERBIS do not fully cover the operations, in which the data controller is engaged, and which the data controller is required to submit to the Registry; the data controller shall enter such information under the section with the header, "Other", provided for such purpose within VERBIS, whereby it shall have completed its submissions to the Registry.

 

Application for registration

 

ARTICLE 10- (1) The data controllers shall be considered to have fulfilled their obligation of registration upon the uploading to VERBIS of the information specified within Article 9 hereof.

 

(2) Any data controller, to which the Authority may have granted extension as provided within the third paragraph of Article 8 above, shall be obliged to complete the application for registration before the expiration of the period of such extension.

 

Obligations of data controllers, data controller representatives and contact persons

 

ARTICLE 11- (1) In the case of legal entities, the data controller shall be the legal entity. The obligations of the legal entities, which are based in Turkey, with the capacity of data controller, shall be fulfilled through the agency of the body, which is authorized and empowered to represent and engage the relevant legal entity under the relevant provisions of the applicable legislation, or the other person(s) specified within the applicable legislation. The body that is authorized and empowered to represent the legal entity, may appoint one person or several persons for the fulfilment of the obligations to be fulfilled in order for the enforcement of the Law.

 

Any such appointment shall not relieve the relevant legal entity from its liability under the applicable provisions of the Law.

 

(2) As far as the data controllers, which are not based in Turkey, are concerned; the certified copy of the resolution to be adopted by the competent governing body or the authorized official of any such data controller in respect of the appointment of the respective data controller representative thereof shall be submitted by such data controller representative to the Authority at the time of the filing of the application for registration.

 

(3) The resolution in respect of the appointment of the data controller representative shall be issued to contain the following elements and matters:

 

a) Receipt or acceptance of the notices, notifications or communications, which may be served or sent by the Authority, on behalf of the data controller,

 

b) The forwarding of the requests and inquiries, which may be addressed by the Authority to the data controller, to the data controller, and the forwarding of the reply to the same of the data controller to the Authority, 

 

c) Unless any principle contemplating otherwise has been identified and set forth by the Board; receipt of any applications, which the related persons may file with the data controller under the provisions of the first paragraph of Article 13 of the Law, on behalf of the data controller and the forwarding of the same to the data controller,

 

ç) Unless any principle contemplating otherwise has been identified and set forth by the Board; the forwarding of the replies to the applications, which may be filed by the concerned persons under the provisions of the first paragraph of Article 13 of the Law, to such related persons, and

 

d) The performance of the acts and actions related to the Registry on behalf of the data controller.

 

(4) The legal entities, which are based in Turkey, shall enter the details of the respective contact persons thereof to the Registry as a part of their registration. The contact person shall not be authorized to represent the data controller under the provisions of the Law and this Regulation. The contact person shall facilitate the communication for the purpose of the responses to the requests, which may be addressed to the data controller by related persons.

 

(5) In the case of public institutions and organizations; the contact person shall be a department head or an executive at a higher hierarchical level, whom the senior executive may designate and assign for the maintenance of the communication with the Authority and may so be had registered to the Registry.

 

Communication

 

ARTICLE 12- (1) Any communication by the Authority with the data controller in respect and for the purpose of the enforcement of the Law shall be maintained with:

 

a) the relevant legal entity on the basis of the identity, address or REM address details as notified to the Registry in the case of the legal entities, which are based in Turkey, and

b) the relevant natural person on the basis of the identity, address or REM address details as notified to the Registry in the case of the natural persons, who are based in Turkey, and

c) the data controller representative notified to the Registry in the case of the data controllers, which are not based in Turkey.

 

Modifications to registration details

 

ARTICLE 13- (1) In the event of any change in the respective registration information thereof, the data controller shall notify such change to the Authority through VERBIS within a period of seven days.

 

De-registration

 

ARTICLE 14- (1) In the event the data controller intends for its registration to be revoked, it shall apply to the Authority through VERBIS.

 

(2) In the event the operation or activity, which requires the obligation of registration to be fulfilled, terminates or ceases to exist, the registration shall be revoked. Such registrations shall be kept in such form that they are accessible at any time but cannot be modified in any extent.

 

(3) Any de-registration specified above shall not relieve the data controller from its obligations that are in effect throughout the period of its registration to the Registry.

 

PART FOUR

 

Derogations from the Obligation of Registration

 

Cases of eligibility for derogation

 

ARTICLE 15- (1) Any data controller shall not be obliged to have the data processing activities registered to the Registry and to notify the Registry of the same in the following cases:

 

a) If the processing of personal data is necessary for prevention of crime or investigation of a crime,

 

b) If the personal data being processed have been revealed to the public by the data owner herself/himself,

 

c) If the processing of personal data is necessary, deriving from the performance of supervision or regulatory duties, or disciplinary investigation or prosecution by assigned and authorized public institutions and organizations and professional organizations with public institution status, and

 

d) If the processing of personal data is necessary for the protection of economic and financial interests of the state related to budget, tax, and financial matters.

 

Criteria for derogation

 

ARTICLE 16- (1) The Board may allow for derogation from the obligation of registration with due consideration of the following criteria:

 

a) Nature of personal data.

 

b) Quantity of personal data.

 

c) Purpose of processing of personal data.

 

ç) Field of operations, in which the personal data are processed.

 

d) Whether or not the personal data are to be transferred to third parties.

 

e) Whether or not the processing of personal data is required by the applicable legislation.

 

f) Period of retention of personal data.

 

g) Subject person group or data categories.

 

(2) The Board is authorized and empowered to adopt resolutions in order to identify and set forth the extent and the principles and procedures of applicability of the derogations, which may be permitted with due consideration of the criteria listed within the first paragraph above. The Board shall announce such resolutions to the public through appropriate methods.

 

 

PART FIVE

Miscellaneous and Final Provisions

Administrative sanctions

 

ARTICLE 17- (1) Any party, who or which acts in breach of the obligation of registration and notification to the Registry of data controllers, shall be subject to the administrative fine provided within sub-paragraph (d) of the first paragraph of Article 18 of the Law.

 

(2) In the event the action of acting in breach of the obligation of registration and notification to the Registry of data controllers is committed within the organization of public institutions and organizations or the professional institutions of public institution nature; appropriate disciplinary actions shall be taken in respect of the concerned public servants and the other concerned public officials, who serve within the organization of the relevant public institution or organization, or the concerned officials of the relevant professional institution of public institution nature, and the results of such actions shall be notified to the Board.

Elimination of doubts

 

ARTICLE 18- (1) The Board shall be authorized and empowered to eliminate any doubts that could arise through the course of enforcement of this Regulation, to address and resolve any issues that could emerge in respect of such enforcement and to provide guidance for the same, to set forth and identify the applicable principles and standards and to enact and introduce the regulations as necessary to ensure the uniformity of enforcement, to require and request any information and documents for such purpose, and to make decisions and adopt resolutions on any case or matter that is not provided herein in accordance with the applicable legislations.

 

Effectiveness

 

ARTICLE 19- (1) This Regulation shall enter into force on January 01, 2018.

 

Enforcement

 

ARTICLE 20- (1) The provisions of this Regulation shall be enforced by the Chairman.