Yasin Beceni and Susen Aklan of BTS clarify Turkey’s data protection regulations on data controller registry obligations
Article 16 of Law no. 6698 on the Protection of Personal Data (DP Law) introduced a general obligation on data controllers to register before the Data Controllers Registry that is to be maintained by the Turkish Data Protection Board.
Obligation of foreign data controllers to register before the Registry
With the Regulation on the Data Controllers Registry and a number of board decisions, the board determined the scope of the obligation of registration and clarified the types of data controller that would be under the obligation to register. As per the regulation and the board decisions, it has been determined that no exemptions shall apply to foreign data controllers acting as data controllers1 pursuant to Turkish data protection legislation and that all such foreign data controllers must carry out their registration processes by the deadline of 31 December 2019.
Obligation to maintain Personal Data-Processing Inventory
All data controllers under the obligation to register must maintain a data processing inventory, a document that is similar in format to records of processing maintained as per Article 30 of the General Data Protection Regulation (GDPR). Stated in the table opposite is a comparison of the inventory and records of processing.
1. Unlike Article 3/2 of GDPR, there is no explicit provision regulating territorial scope under the DP Law. However, under certain decisions of the board, Article 3/2 is taken as a reference on interpretation of the DP Law.