Approaching Deadline for Data Controller Registration and Representation Requirements in Turkey

Data controllers processing personal data in Turkey must register with the Turkish Data Controllers Registry, “VERBIS”, to notify the Turkish Data Protection Authority (“DPA”) of their processing activities by 31 December 2021, under penalty of a fine. In addition, data controllers not established in Turkey (“foreign controllers”) will need to appoint a Turkish data controller representative (“representative”) to do so. The representative will act as an intermediary to facilitate communication between the foreign controller on the one hand and the Turkish Data Protection Authority, Turkish data subjects and VERBIS on the other hand.

Article 16 of the Turkish Law No. 6698 on Personal Data Protection (“DPL”), which came into force in April 2016 (with a grace period until April 2018), requires non-Turkish and certain Turkish data controllers processing personal data subject to the DPL to register with VERBIS and notify the DPA of their processing activities. The initial deadlines for registration were extended multiple times. In March 2021, the Turkish Data Protection Board decided to postpone the deadlines to register again until the end of the year, in light of difficulties faced by many controllers due to the Covid -19 pandemic. The following controllers must register before 31 December 2021:

  • Foreign controllers that process personal data of data subjects resident or located in Turkey;
  • Turkish data controllers with more than 50 employees in a year or an annual balance sheet above 25 million Turkish lira (approx. 4 million USD);
  • Turkish data controllers with a main business activity that involves processing special categories of personal data (e.g. hospitals and insurance companies), regardless of the amount of employees or their annual balance sheet;
  • Turkish state institutions and organizations.

The registration requirement is comparable with the one that existed under Article 18 of EU Directive 95/46/EC, but was repealed under the EU GDPR, although Turkey’s approach is more comprehensive. As part of the registration process, data controllers must conduct a personal data mapping exercise and notify the DPA of their personal data processing activities, the purposes of such activities, categories of personal data processed and categories of data subjects, recipients of personal data, retention periods, information on international transfers and data security measures, and legal grounds for data processing.

Moreover, foreign controllers that process Turkish personal data must appoint a representative in Turkey. The obligation is similar to the requirement for controllers without establishment in the EU, but subject to the EU GDPR, to appoint a legal representative in the EU, pursuant to article 27 of the EU GDPR. The representative must be a legal entity located in Turkey or a Turkish citizen and must, at least, be authorized to:

  • Receive and accept, on behalf of the foreign controller, notifications and correspondence from the DPA, transmit correspondence from the DPA to the foreign controller and the responses from the foreign controller to the DPA;
  • Receive data subjects’ requests on behalf of the foreign controller, transmit the requests to the foreign controller and the foreign controller’s response to the data subjects; and
  • Perform all operations and transactions relating to VERBIS on behalf of the data controller.

The representative is appointed by resolution, which the foreign controller submits to the DPA, apostilled and together with its notarized Turkish translation. There is no fixed deadline for the appointment of a representative, but foreign controllers can only register with VERBIS after appointing a representative, as it is the representative that will perform all operations relating to the registry on their behalf. Therefore,  foreign controllers that have not done so yet must urgently appoint a representative, in order to meet the registration deadline.

While there is no specific fine for controllers without a representative, foreign controllers failing to register with VERBIS by 31 December 2021 risk an administrative fine of up to 1.966.862 Turkish lira (approx. 193.000 USD) (subject to yearly increases).