
24.11.2021

Legal Alert - Registration Deadline for Data Controllers is Rapidly Approaching

As the deadline for registration with Turkey’s Data Controllers’ Registry (“VERBIS”), which was set as December 31, 2021, is fast approaching, we would like to remind you of the obligations and procedures of this registration.



 Key Takeaways


  • Turkish data protection regulations require foreign data controllers that process personal data of data subjects located in Turkey to register with a centralized register called “Data Controllers’ Registry”: https://verbis.kvkk.gov.tr/
  • The registration obligation for foreign-based data controllers applies without any exemptions. For example, a data controller that does not target Turkish customers via direct marketing, or that only processes personal data of Turkey-based employees, is still obliged to register with VERBIS.
  • During the registration procedure, foreign-based data controllers are required to appoint a “Data Controller Representative”. The representative can be a real or a legal person, but it is required to be a Turkish national or a legal entity established in Turkey, respectively. The Data Controller Representative’s responsibilities are mainly related to facilitating communication between the Turkish DPA and the foreign data controller.
  • The deadline for finalizing registration: December 31, 2021
  • Completion of the registration procedure generally takes at least 2 weeks.


Non-compliance with the VERBIS registration obligation might result in an administrative fine from 39.337 TRY (approx. 3.700 USD) up to 1.966.862 TRY (approx. 185.200 USD).

 

 

I. Registration Obligation to VERBIS

 

Pursuant to Article 16 of Law No. 6698 on the Protection of Personal Data (“DP Law”), the Regulation on the Data Controllers Registry (“Regulation”), and relevant decisions of the Personal Data Protection Board (“Board”), the following data controllers are under the obligation to register to VERBIS:

  • Non-resident data controllers,
  • Data controllers that have more than fifty (50) employees per annum or an annual balance sheet above TRY 25 million,
  • Data controllers that have fewer than fifty (50) employees per annum and an annual balance sheet below TRY 25 million and whose main field of activity is processing special categories of personal data,
  • State institutions and organizations.

 

As per Article 16 of the DP Law, the Board may introduce exemptions from the obligation to register. So far, the Board has exempted the following data controllers:


  • Controllers who process personal data that form part of a data filing system, without any automatic means,
  • Notaries public,
  • Associations that process personal data in accordance with the applicable legislation, limited to the scope of their field of activity, and do not have a connected commercial enterprise,
  • Foundations that process personal data in accordance with the applicable legislation, limited to the scope of their field of activity, and do not have a connected commercial enterprise,
  • Unions that process personal data in accordance with the applicable legislation, limited to the scope of their field of activity, and do not have a connected commercial enterprise,
  • Political parties,
  • Attorneys,
  • Certified public accountants,
  • Sworn-in certified public accountants,
  • Customs brokers,
  • Mediators.

 

II. Procedural Steps for the Registration before VERBIS

 

In order to complete the registration process, data controllers under the obligation to register with VERBIS shall take the following steps:

 

STEPS TO BE TAKEN & EXPLANATIONS



Step 1: Appointment of a Data Controller Representative (Only for Non-Resident Data Controllers)

For data controllers residing outside of Turkey, the first step is appointing a data controller representative in order to register to VERBIS. The appointment process should be completed depending on the requirements of the jurisdiction in which the appointing data controller is established.

 

Step 2: Filling Out the Sign-up Form

Since the registration is completed by providing the required information via VERBIS, data controllers should create an account on VERBIS. In order to create such an account, certain information related to the data controller should be provided to the Data Protection Authority (“Authority”).

 

Step 3: Application for a username and password

As mentioned, to access VERBIS, data controllers should provide a completed Sign-Up Form to the Authority. Afterward, the log-in information (the username and password of the account) will be conveyed by the Authority to data controllers.


For non-resident data controllers, the notarized Turkish language translation of the representative appointment resolution (i.e., Power of Attorney document) should also be provided to the Authority to obtain the log-in information.

 

Step 4: Appointment of the Contact Person and Registration to VERBIS

The final step for completing the registration obligation is appointing the contact person and submitting the required information via VERBIS.

 

Data controllers who have access to VERBIS should appoint a contact person, who is both a Turkish resident and citizen, to submit the information in accordance with the information stated under the personal data processing inventory of the controller.


For non-resident data controllers, the designated data controller representative should log in to VERBIS with the username and password provided by the Authority, and appoint a contact person, who is both a Turkish resident and citizen, to submit the required information.

 

a. Appointment of a Data Controller Representative

 

In order to complete registration before VERBIS, non-resident data controllers must appoint a data controller representative who must be either a Turkish national or a legal entity established in Turkey. The appointed representative must have the power to represent the foreign data controller before the Authority and to receive and facilitate communication from the Authority and from any data subject in Turkey that files an application with regard to their rights guaranteed under the Law.

 

b. Registration Form for Signing-up to the VERBIS

 

The registration system sign-up form, which is available on the Registration page of VERBIS, requests different basic information from data controllers depending on their residential status. The following table shows the information requested under the form:





III. Preparation of a Personal Data Processing Inventory

 

Similar to the obligation to maintain a record of processing activities (RoPA) stipulated under the General Data Protection Regulation (GDPR), pursuant to Article 5 of the Regulation, data controllers under the registration obligation are obliged to prepare a Personal Data Processing Inventory (“Inventory”). The information required to be submitted in VERBIS is designed based on the Inventory. However, in certain sections of the registration, the system requests information linked with the categories of processed data, for instance selecting the purposes for processing ID information, and therefore the Inventory will be used as a source for the information required to be submitted under the registration obligation. Accordingly, the Inventory shall contain at least the following information:


  • purposes of personal data processing activities,
  • data categories processed within such processing activities,
  • data recipient groups of such processing activities,
  • data subject groups of such processing activities,
  • the maximum retention period required by the purposes of the processing,
  • personal data envisaged to be transferred abroad, and
  • measures taken concerning data security.

 

IV. Deadline for the Registration

 

Although the original deadline was set as September 30, 2020, the Board evaluated the requests it received for a deadline extension due to difficulties in duly fulfilling the VERBIS registration obligation under COVID-19 circumstances and postponed the deadline to December 31, 2021, with its announcement published on March 11, 2021.

 

V. Sanction Risk for Non-Compliance with the Registration Obligation

 

Pursuant to Article 18 of the Law, non-compliance with the VERBIS registration obligation might result in an administrative fine from 39.337 TRY (approx. 3.700 USD) up to 1.966.862 TRY (approx. 185.200 USD).