New announcements have recently been made on the official website of the Data Protection Authority (www.kvkk.gov.tr) regarding decisions introducing additional exemptions from the requirement to register with the Data Controllers Registry as well as commencement dates and deadlines of the same for those who are not eligible to benefit from such exemptions.
This Legal Alert aims at providing you with an overview on recent Decisions No. 2018/68, 2018/75, 2018/87 and 2018/88 of Personal Data Protection Board (“Board”) which were published in the Official Gazette numbered 30513 and dated August 18, 2018 (“New Decision”).
Please note that this Legal Alert is intended to be general information purposes only. No statement herein contains any opinion or professional legal advice.
I. GENERAL OVERVIEW
Before elaborating on the additional exemptions and commencement date and deadlines regarding the requirement to register with the Data Controllers Registry, we would like to briefly touch upon the general registration requirement as introduced under Article 16 of the Law on Personal Data Protection numbered 6698 and dated March 24, 2016 (the “Law”). As per Article 16 of the Law, the Data Protection Authority, under the supervision of the Data Protection Board, shall keep Data Controllers Registry to be publicly available. Data controllers are required to be registered with the Data Controllers Registry. However, the Data Protection Board can grant exemption from the registration requirement for certain data controllers.
The term “data controller” is defined as the real or legal person which determines purposes and means of processing of personal data and is responsible for the setup and management of the data recording system. Considering the broad nature of this definition, a significant majority of real and legal persons having business affairs in Turkey are very likely to qualify as data controllers within the context of the Law and accordingly will be required to register with the Data Controllers Registry, unless they fall under the scope of the exemptions to be introduced by Data Protection Board. Further, according to Provisional Article 1 of the Law, data controllers shall register with the Data Controllers Registry until the date determined and announced by the Board.
A board decision was published in the Official Gazette dated May 15, 2018 namely Decision No. 2018/32 whereby it was set out that the following data controllers be exempted from the registration requirement:
- Data controllers who process personal data solely by non-automatic means provided that it constitutes any part of a data recording system;
- Public notaries;
- Amongst the associations established in accordance with the Associations Law dated 04/11/2004 and numbered 5253, foundations established in accordance with the Foundations Law dated 20/02/2008 and numbered 5737 and unions established in accordance with the Law On Unions And Collective Labour Contracts dated 18/10/2012 and numbered 6356, only those which are processing personal data in accordance with the relevant legislation and purposes thereof, limited to its field of activity and only relating to their own employees, members, associates and donators;
- Political parties which are established pursuant to the Political Parties Law dated 22/04/1983 and numbered 2820;
- Independent certified public accountants and sworn-in certified public accountants operating pursuant to the Independent Certified Public Accountants and Sworn Certified Public Accountants Law dated 01/06/1989 and numbered 3568.
II. ADDITIONAL EXEMPTIONS
By virtue of the Decisions No. 2018/68, 2018/75 and 2018/87, in addition to the foregoing exemptions, the following data controllers were also announced to be exempt from the registration requirement:
- Real or legal person data controllers whose annual employee number is less than 50 and total of annual financial balance sheet is less than TRY 25 million provided that their main area of activity is not processing of special categories of personal data;
- Customs brokers;
III. COMMENCEMENT DATES AND DEADLINES FOR THE REGISTRATION REQUIREMENT
In the Decision No. 88, commencement dates and deadlines have been determined differently based on characteristics of the data controllers which have not been exempted from the registration requirement as shown in the table below:
|Data Controllers||Commencement date for registration||Time granted for registration||Deadline for registration|
|Real and legal person data controllers whose annual employee number exceeds 50 or annual financial balance sheet total is higher than TRY 25 million||01.10.2018||12 months||30.09.2019|
|Real and legal person data controllers located abroad||01.10.2018||12 months||30.09.2019|
|Real and legal person data controllers whose annual employee number is less than 50 and annual financial balance sheet total is less than TRY 25 million and whose main field of activity is processing of special categories of personal data||01.01.2019||15 months||31.03.2020|
|Public institutions and organizations||01.04.2019||15 months||30.06.2020|