In 2018 the Turkish Personal Data Protection Board (“Board“) launched the online registration platform called VERBIS for Data Controllers1.
Accordingly, the Data Controllers are now required to register to with VERBIS system before 30 September 2019. Unless there is an exemption, registration is made via a personal data inventory prepared as per the guidelines of the Board.
The data inventory (“Data Inventory“) should include the type and category of the personal data collected and retained, the purpose, duration, method of the processing activity and other information deemed necessary by the Board.
Preparation of the Data Inventory could be a time consuming process and may require a couple of months to complete therefore both local and foreign corporations should already be taking action to ensure compliance.
The Board held the following categories of Data Controllers exempt from registration to VERBIS:
– Data Controllers who have less than 50 employees and annual balance sheet below TRY 25 million, provided that such Data Controller’s main activity is not the processing of special category personal data;
– Data Controllers who only process data manually, and which processing is not part of any data registration system;
– Public notaries;
– Associations (“Dernekler“), Foundations (“Vakıflar”) and Unions (“Sendikalar“).
– Political parties;
– Registered Lawyers;
– Certified public accountants and independent accountant and financial advisors;
– Customs brokers;
Even the foregoing entities exempt from registration in VERBIS are still required to comply with the requirements of the Code. We anticipate that even those currently exempted may be required to register in the future therefore a robust compliant data processing policy is recommended.
It should be noted that foreign entities even without an establishment in Turkey or permanent residence, which process data of local residents in Turkey are not exempt from registration and so they will be required to register before they start processing data. Processing without being registered could give rise to a potential fine.
Sanctions for Failure to Register within the Deadline
Under the Data Protection Law (“Law“), Data Controllers who fail to fulfill the obligation of registration by the deadline of 30 September 2019 are subject to penalties between TRY 20,000 and TRY 1,000,000.
In this context it is strongly recommended that all corporate entities in Turkey both foreign and local, take the necessary action to prepare for registration before the Deadline if they collect personal data from Turkey.
If you have any questions of require any further assistance with the foregoing we will be happy to help.
1 “Data Controllers” being real persons and legal entities that collect and retain personal data from Turkish residents.