By-Law On Data Controllers Registry


* This is an English translation. In case of any difference in meaning between the original Turkish text and the English translation, the Turkish text shall apply.

CHAPTER ONE

Purpose, Scope, Legal Basis and Definitions

Purpose

ARTICLE 1 – (1) The purpose of this By-law is to determine and ensure the implementation of procedures and principles related to the establishment and management of Data Controllers’ Registry to be kept publicly available by Presidency under supervision of the Board pursuant to Personal Data Protection Law No. 6698 of 24/3/2016 and envisaged records to be entered into Data Controllers’ Registry.

Scope

ARTICLE 2 – (1) This By-law shall apply to natural and legal persons who determine the purposes and means of personal data processing and are responsible for establishment and management of the data filing system.

Legal Basis

ARTICLE 3 – (1) This By-law has been prepared on the basis of Article 16(5) and subparagraphs (d) and (e) of Article 22(1) of Law No. 6698.

Definitions

ARTICLE 4 – (1) For the purposes of this By-law:

a) “Recipient group” means category of natural and legal persons to which the personal data are transferred by the data controller,

b) “President” means the President of Personal Data Protection Authority,

c) “Presidency” means the Presidency of Personal Data Protection Authority,

ç) (Amended: OG (Official Gazette) – 28/4/2019-30758) “Contact person” means the natural person notified by the data controller which is natural and legal person established in Turkey and by representative who represents the data controller which is natural and legal person not established in Turkey during the registration with the Registry for communicating with the Authority relating to obligations within the scope of the Law and secondary legislation to be prepared in accordance with this Law,

d) “Law” means the Personal Data Protection Law No. 6698,

e) “Registration” means the notification made by data controllers who are obliged to register, in accordance with procedures and principles determined by this By-law.

f) “Obligation to register” means the obligation relating to registration to be fulfilled pursuant to the By-law,

g) “Registered e-mail address (KEP)” means the qualified form of electronic mail which provides legal evidence for the use of it, including sending and delivering of electronic messages,

ğ) “Personal data” means any information relating to an identified or identifiable natural person,

h) (Amended: OG-28/4/2019-30758) “Personal data processing inventory” means the inventory in which data controllers detail, with explanations, the following: the personal data processing operations they perform according to their business processes; the purposes and legal basis of personal data processing; the data category; the recipient group; the maximum storage period, which is formed in relation to the group of persons subject to the data and is necessary for the purpose for which personal data are processed; the personal data envisaged to be transferred to foreign countries; and the measures taken relating to data security.

ı) “Personal data storage and disposal policy” means the policy which data controllers issue as a basis for erasure, destruction and anonymization of personal data and the determination of maximum storage period for the purpose for which personal data are processed.

i) “Processing of personal data” means any operation which is performed on personal data, wholly or partially by automated means or by non-automated means provided that they form part of a data filing system, such as collection, recording, storage, protection, alteration, adaptation, disclosure, transfer, retrieval, making available for collection, categorization, preventing the use thereof,

j) “Board” means the Personal Data Protection Board,

k) “Authority” means the Personal Data Protection Authority,

l) “Registry” means Data Controllers’ Registry kept by the Presidency,

m) “Category of Data” means group of personal data related to group(s) of persons subject to data that are classified in accordance with their common features,

n) “Group of persons subject to the data” means category of the data subject whose personal data are processed by data controllers,

o) “Data Controllers’ Registry Information System (VERBIS)” means information system that is accessible through the Internet, established and managed by the Presidency, that data controllers will use for the registration with the Registry and the other operations related to the Registry,

ö) “Data controller” means the natural or legal person who determines the purpose and means of processing of personal data and is responsible for establishment and management of the data filing system,

p) (Amended: OG-28/4/2019-30758) “Representative of the data controller” means the legal person established in Turkey or the natural person who is a citizen of the Republic of Turkey, authorized at a minimum to represent data controllers which are not established in Turkey within the scope of the issues specified in the third paragraph of Article 11 of this By-law,

(2) For the definitions not included in this By-law, the definitions in the Law shall apply.

CHAPTER TWO

Establishment, Management, Supervision of the Registry and Access to the Registry

 

Principle, rules and procedures

ARTICLE 5 – (1) The following principles, rules and procedures shall be applied in the establishment, management and supervision of the Registry:

a) Data controllers are obliged to register with the Registry prior to the start of data processing.

b) Data controllers not established in Turkey are obliged to register with the Registry by their representatives prior to the start of data processing.

c) The Registry shall be kept publicly available. Board is authorized to determine the scope of this principle and derogations provided that the principle of making publicly available is ensured.

ç) (Amended: OG-28/4/2019-30758) Data controllers under registration obligation are obliged to prepare Personal Data Processing Inventory. The information to be entered in the application for the Registry is prepared based on Personal Data Processing Inventory.

d) The information entered into the Registry based on personal data processing inventory and published in the Registry, shall be the basis for the obligation to inform for data controllers referred to in Article 10 of the Law, responses to the request of concerned data subjects referred to in Article 13 of the Law and the determination of the scope of explicit consent to be given by data subjects.

e) Data controllers shall be responsible for the information entered into the Registry and published in the Registry to be complete, accurate, up-to-date and lawful. Registration of the data controllers with the Registry shall not remove the other obligations under the Law.

f) Without prejudice to the conditions specified in Article 28 of the Law, the Board may provide derogation from the obligation to register for the data controllers meeting certain conditions on the basis of the objective criteria specified in Article 16 of the By-law. This derogation shall not remove the obligations of those data controllers under the Law.     

g) The operations relating to the Registry shall be carried out by data controllers through VERBIS.

ğ) (Amendment: OG-28/4/2019-30758) The maximum storage period necessary for the purpose of processing of personal data, as entered by data controllers into the Registry and published in the Registry, shall be the basis for the erasure, destruction and anonymization obligations of data controllers specified in Article 7 of the Law.

Establishment, Management and Supervision of the Registry

ARTICLE 6 – (1) Registry is established by Presidency. Presidency, for the establishment, management, protection of the Registry and maintaining it up-to-date, shall take necessary technical and organizational measures to establish and to operate VERBIS.

(2) Responsible department for establishment and management of the Registry is Department of Data Management.

(3) Supervision of the Registry is carried out by the Board. An activity report, which is prepared by the Department of Data Management once every three months and whose scope is determined by the Board, shall be transmitted to the Board.

Access to Registry

ARTICLE 7 – (1) The Presidency shall make current information in the Registry publicly available by the appropriate means to be determined pursuant to Board decisions.

(2) Among the information given in the Registry, the following shall be disclosed to the public:

a) (Amendment: OG-28/4/2019-30758) The data controller, representative of the data controller, if any, address and KEP (Registered E-Mail) address, if taken,

b) The purposes for which the personal data will be processed,

c) Group(s) of persons subject to the data and data categories relating to those persons,

ç) Recipients and recipient groups to whom personal data may be transferred,

d) Personal data which are envisaged to be transferred to foreign countries,

e) Registration date and expiration date of the registration.

f) Measures taken for the security of personal data,

g) Maximum storage period necessary for the purposes for which personal data are processed.

 

CHAPTER THREE

Beginning of Registration Obligation, Information to be entered into VERBIS, Registration Application, Renewal and Erasure of Registration

 

Beginning of Registration Obligation

ARTICLE 8 – (1) Data controllers shall fulfil the obligation to register with the Registry prior to the start of data processing.

(2) If the data controllers, who are not under the registration obligation, become obliged to register later, they shall register with the Registry within thirty days following their entry into the obligation.

(3) Data controllers who are obliged to register with the Registry may request additional time from the Authority for fulfilling their registration obligation in cases where they cannot fulfil it due to any technical, legal or actual impossibility, on the condition that they apply to the Authority in writing with justifiable grounds not later than 7 work days. The Authority may give additional time only once, not exceeding thirty days in any case.

Information to be entered within the scope of registration obligation

ARTICLE 9 – (1) Registration Application to the Registry includes the following information:

a) The information included in the application form determined by the Board relating to the identity and address of the data controller, representative of the data controller, if any and contact person,

b) The purposes for which the personal data will be processed,

c) The explanations about group(s) of persons subject to the data as well as about the data categories belonging to these people,

ç) The recipients or groups of recipients to whom personal data may be transferred,

d) The personal data which are envisaged to be transferred abroad,

e) Measures taken as referred to in Article 12 of the Law and in accordance with the criteria determined by the Board,

f) Maximum storage period of personal data laid down by the legislation or for the purposes for which personal data are processed,

(2) Information to be entered into the Registry by data controllers pursuant to subparagraphs (b), (c), (ç) and (d) of the first paragraph shall be transmitted through VERBIS to the Registry based on the Personal Data Processing Inventory by using the headings given in VERBIS.

(3) Information to be entered into the Registry by data controllers pursuant to subparagraph (e) of the first paragraph shall be transmitted through VERBIS to the Registry in the manner that cover the issues specified in the Article 12 of the Law by using headings given in VERBIS.

(4) Information relating to the maximum storage period laid down by the legislation or for the purposes for which personal data are processed relating to the personal data to be entered into the Registry by data controllers pursuant to the subparagraph (f) of the first paragraph, shall be entered into the Registry by matching them with data categories. Maximum storage period necessary for the purposes of processing of data categories entered into the Registry by the data controller may differ from the period envisaged in the legislation. In such cases, if maximum storage period is envisaged in the legislation, this period shall be entered into the Registry, if not envisaged, the longest storage period of this category shall be entered into the Registry. While determining the maximum storage period required for purposes for which personal data are processed, following issues shall be taken into account:

a) The period generally accepted in the sector in which the data controller operates within the scope of purposes for processing relevant data category,

b) The period that requires processing of personal data in the relevant data category and to continue legal relationship with the data subject,

c) The period to be valid for the legitimate interest to be obtained by the data controller in accordance with lawfulness and fairness, depending on the purpose of processing relevant data category,

ç) The period in which the risks, costs and responsibilities arising from the storage of the relevant data category depending on the purpose of processing shall continue legally,

d) Whether maximum storage period to be determined is appropriate to keep the relevant data category accurate and up-to-date where necessary,

e) Time period in which the data controller is obliged to retain personal data given in the relevant data category pursuant to its legal obligation,

f) Period of limitation determined by the data controller for assertion of a right relating to personal data in the relevant data category.

(5) Data controllers shall issue a personal data storage and disposal policy for defining maximum storage period of personal data for the purposes of processing, complying with this period indicated in personal data processing inventory and tracking whether these periods are exceeded or not and shall ensure the implementation of such policy.

(6) In cases where headings and contents given in VERBIS do not cover operations of the data controller and the information to be entered into the Registry, the data controller shall complete its registration by entering such information into “Others” section in VERBIS which is provided for such cases.

Application for Registration

ARTICLE 10 – (1) Data controllers shall be deemed to have fulfilled their registration obligation by entering the information specified in Article 9 into VERBIS.

(2) Data controllers, who have been given additional time by the Authority pursuant to third paragraph of Article 8, are obliged to complete registration before this time expires.

Obligations of the data controller, representative of the data controller and contact person

ARTICLE 11 – (1) For legal persons, the legal person itself is the data controller. The data controller obligations of legal persons established in Turkey under the Law are fulfilled by the body competent to represent and bind the legal person or by the person(s) specified in the relevant legislation, pursuant to the provisions of the relevant legislation. The competent representative may assign one or more persons for its obligations to be fulfilled for the implementation of the Law. This assignment does not remove the responsibilities of the legal person pursuant to the provisions of the Law.

(2) Representatives of data controllers not established in Turkey shall submit to the Authority, during application, a certified copy of the decision for the designation of a representative, to be taken by the data controller's competent body or person.

(3) Decision of designation for representative of the data controller shall be arranged to cover at least the following points:

a) to receive or accept notifications and correspondence made by the Authority on behalf of the data controller,

b) to transmit the demands made by the Authority to the data controller and to submit the responses of the data controller to the Authority,

c) to receive and transmit requests to be made by data subjects pursuant to first paragraph of the Article 13 of the Law on behalf of the data controller, in case no other principle has been determined by the Board.

ç) to transmit the response of the data controller to the data subjects pursuant to third paragraph of Article 13 of the Law, in case no other principle has been determined by the Board,

d) to perform operations relating to the Registry on behalf of the data controller.

(4) (Amendment: OG-28/4/2019-30758) Data controllers established in Turkey and representatives of data controllers not established in Turkey shall enter contact person information into the Registry at the time of registration. Contact person is not authorized to represent data controllers in accordance with the provisions of the Law and the By-law.

(5) (Amendment: OG-28/4/2019-30758) Contact person in the public institutions shall be head of department or higher executive to be assigned by the coordinating high level executive for the aim of communication with the Authority.

Communication

ARTICLE 12 – (1) Related to the implementation of the Law, the Authority shall use following means of communications with data controllers:

a) For legal persons established in Turkey; identity, address or KEP (registered e-mail address) address notified to the Registry,

b) For natural persons settled in Turkey; identity, address or KEP address notified to the Registry,

c) For data controllers not established in Turkey; representative of the data controller notified to the Registry.

Changes in Registry records

ARTICLE 13 – (1) (Amendment: OG-28/4/2019-30758) In case of any change in the Registry records, data controllers shall notify the Authority through VERBIS within seven days of the date of change.

Erasure of Registry records

ARTICLE 14 – (1) The data controller shall apply to the Authority relating to the erasure of their Registry records through VERBIS.

(2) If the obligation to register is relieved or terminated, Registry records shall be erased. These records shall be accessible in case of any request; however, they are kept in a manner such that no changes can be made.

(3) Erasure of registry records does not relieve the data controller of the obligations during the period in which it is registered.

 

CHAPTER FOUR

Exemptions from Registration Obligation

 

Cases of exemptions

ARTICLE 15 – (1) In respect of the following personal data processing activities, data controllers are not obliged to register and notify these activities to the Registry:

a) Data processing is necessary for the prevention of committing a crime or for crime investigation.

b) Processing the data which are made public by the data subject himself/herself.

c) Data processing is necessary for performance of supervision or regulatory duties and disciplinary investigation and prosecution to be carried out by the assigned and competent public institutions and organizations and by the public professional organizations, in accordance with the power conferred on them by the law,

ç) Data processing is necessary for the protection of the economic and financial interests of the State related to budgetary, tax and financial matters.

Derogation criteria

ARTICLE 16 – (1) The Board may provide derogation from registration obligation by considering following criteria:

a) The nature of personal data.

b) The quantity of personal data.

c) The purpose of processing of personal data.

ç) The field of activity where personal data are processed.

d) Transferring personal data to third parties.

e) The fact that the processing of data is laid down in the laws.

f) Storage period of personal data.

g) Group of persons subject to the data or categories of data.

ğ) (Annex: OG-28/4/2019-30758) The information of annual number of employees or annual financial balance sheet of the data controller. 

(2) Board has the authority to take decisions in order to determine principles and procedures of implementation and the scope of exemptions determined in the framework of criteria listed in the first paragraph. Board shall announce such decisions to public via appropriate means of communication.

 

CHAPTER FIVE

Miscellaneous

 

Administrative sanction

ARTICLE 17 – (1) Administrative fine referred to in sub-paragraph (ç) of Article 18(1) of the Law shall be imposed on data controllers who act contrary to the obligation to register and notify.  

(2) In the event that the action contrary to the obligation to register and notify is committed within public institutions and organizations or public professional organizations, the disciplinary provisions shall be applied, upon the notice of the Board, to the civil servants and other public officers employed in the relevant public institutions and organisations and to those employed in the public professional organizations, and the result shall be reported to the Board.

Clarifying the Doubts

ARTICLE 18 – (1) The Board is authorised to clarify the doubts and recover disruptions to occur during the implementation of this By-law, to direct the implementation, to determine the principles and standards and make necessary arrangements to ensure the unity of implementation, to demand any type of information and documentation in this regard and to take a decision within the framework of the relevant legislation on matters which are not included in this By-law.

Entry into force

ARTICLE 19 – (1) This By-law enters into force on 1/1/2018.

Enforcement

ARTICLE 20 – (1) The President shall enforce the provisions of this By-law.

 

 

The By-law published in the Official Gazette

Date: 30/12/2017, Number: 30286

By-laws making amendments to the By-law published in the Official Gazette

1. Date: 28/4/2019, Number: 30758

2.