Legal Business Blogs

Sponsored briefing: Obligation to register before the Turkish data controllers registry and maintain personal data-processing inventory

Yasin Beceni and Susen Aklan of BTS clarify Turkey’s data protection regulations on data controller registry obligations

Article 16 of Law no. 6698 on the Protection of Personal Data (DP Law) introduced a general obligation on data controllers to register before the Data Controllers Registry that is to be maintained by the Turkish Data Protection Board.

Obligation of foreign data controllers to register before the Registry

With the Regulation on the Data Controllers Registry and a number of board decisions, the board determined the scope of the obligation of registration and clarified the types of data controller that would be under the obligation to register. As per the regulation and the board decisions, it has been determined that no exemptions shall apply to foreign data controllers acting as data controllers1 pursuant to Turkish data protection legislation and that all such foreign data controllers must carry out their registration processes by the deadline of 31 December 2019.

Obligation to maintain Personal Data-Processing Inventory

All data controllers under the obligation to register must maintain a data processing inventory, a document that is similar in format to records of processing maintained as per Article 30 of the General Data Protection Regulation (GDPR). Stated in the table opposite is a comparison of the inventory and records of processing.

1. Unlike Article 3/2 of GDPR, there is no explicit provision regulating territorial scope under the DP Law. However, under certain decisions of the board, Article 3/2 is taken as a reference on interpretation of the DP Law.

Records of processing Inventory
Obligation An enterprise or an organisation employing fewer than 250 persons is not obliged to maintain records of processing unless the processing:
• is likely to result in a risk;
• is not occasional;
• includes special categories of data or personal data relating to criminal convictions and offences.The processor and processor’s representative will maintain a record of processing.
All data controllers under the obligation to register must maintain an inventoryProcessors are not obliged to maintain an inventory
Contact details Name and contact details of the controller, the joint controller, the controller’s representative and the data protection officer Not explicitly stated. However, contact details of the controller and the controller’s representative should be submitted to the registry.
Purpose Purposes of processing Purposes of processing
Personal data Categories of personal data Categories of personal data
Data subjects Categories of data subjects Categories of data subjects
Recipients Categories of recipients to whom the personal data has been or will be disclosed, including recipients in third countries or international organisations Categories of third-party recipients
Cross-border transfers Identification of that third country or international organisation and the documentation of suitable safeguards Categories of personal data transferred abroad
Retention Envisaged time limits for erasure of the different categories of data Maximum retention periods
Security A general description of the technical and organisational security measures Administrative and technical measures
Legal ground N/A Legal grounds of the processing

For more information, please contact:Yasin Beceni, managing partner – attorney at law

E: yasin.beceni@bts-legal.com

Susen Aklan, managing associate – attorney at law

E: susen.aklan@bts-legal.com

BTS & Partners

www.bts-legal.com