Turkey: The New Data Protection Officer System
Five years after the enactment of the Law on Protection of Personal Data No. 6698 ('the Law'), the Personal Data Protection Authority ('KVKK') has introduced the new concept of a data protection officer ('DPO') with the Communiqué on the Procedures and Principles Regarding the Personnel Certification Mechanism ('the Communiqué'), which was published in the Official Gazette on 6 December 2021 and entered into force on the same date. Although the term 'DPO' is the same as the one recognised under the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'), the Communiqué introduces a more basic and non-compulsory system for Turkish DPOs. Melis Mert and Miray Muratoğlu, from BTS & Partners, provide an overview of the new Turkish DPO role and the obligations and consequences of the Communiqué.
Under Turkish law, a communiqué is one of the atypical rulemaking instruments adopted for the implementation of statutes. Adopted by either ministries or other public authorities, communiqués are binding regulations and can be enforced against any party bound by them.
The Communiqué, which was prepared by the KVKK, regulates: (i) certification activities conducted by personnel certification bodies; and (ii) candidates who want to obtain a certificate, as well as persons who have passed the exam and are entitled to use the title of 'DPO' (i.e., Turkish DPOs).
In other words, the Communiqué does not set forth additional obligations for data controllers (or for data processors), but mainly determines the principles and procedures regarding the authorisation of personnel certification bodies, the programme and examination processes, and their validity, among other things. The KVKK has also announced that details of the certification processes will be published separately in the future.
The first new actor, the DPO, is defined for the first time in the secondary legislation under the Law as 'the natural person who is entitled to use the title of data protection officer by successfully passing the exam'.
Accordingly, the personnel, i.e., the natural persons participating in the programme to obtain the certificate (the Turkish DPO candidates), will be certified by 'personnel certification bodies', which are defined as 'institutions accredited by the Turkish Accreditation Agency within the scope of (TS) EN ISO/IEC 17024 standard and authorized to certify those who succeed in the relevant certification exams'. In this regard, most of the provisions of the Communiqué regulate how these personnel certification bodies will be accredited and how they will conduct their activities for the certification of Turkish DPOs.
The Communiqué also introduces the Certificate Tracking and Verification Information System ('SERTABIS') to ensure that the certification activity is carried out impartially, transparently, and effectively. Through SERTABIS, which will be established by the KVKK, the scope, dates, numbers and validity periods of the certificates, as well as information on the personnel certification body and the certificate holders, can be queried.
On the other hand, the Communiqué is not specifically aimed at data controllers/processors and does not introduce any obligations for them.
As stated above, the Turkish DPO is a new concept introduced into Turkish law by the Communiqué. University graduates who: (i) have received a certificate of participation (the certificate given by the KVKK to those who complete the training programme) within the four years preceding the exam date; or (ii) hold a valid Turkish DPO certificate, and who meet the conditions set in the programme, are eligible to apply for the Turkish DPO certificate exam. Exams will be announced by the personnel certification bodies at least 15 days before the exam date, and candidates who pass the exam are entitled to receive the Turkish DPO certificate.
The Turkish DPO can use this title only during the validity period of their certificate, which is determined as four years. The Turkish DPO may renew the certificate before the validity period expires by applying to the personnel certification body again in accordance with the conditions determined in the program.
Compared with the GDPR, the Turkish term does not refer to a separate concept; it is used only for people who have passed the exam. Within this scope, the KVKK recently published an announcement because of confusion between the Turkish DPO and the DPO as defined under the GDPR. In it, the KVKK explicitly stated that Turkish DPOs have not been granted any authority or powers and that the Communiqué contains no 'job description' for such persons. It also clarified that 'DPOs under the GDPR are different from persons having the data protection officer certificate'.
In this regard, by introducing a more basic concept specific to Turkish legislation, the Communiqué mainly determines procedural issues with respect to the accreditation and activities of the personnel certification bodies, and while it sets forth sanctions for violations by these bodies, it does not determine any additional sanctions for Turkish DPOs or data controllers.
The Data Protection Officer Certification Programme determines the conditions for becoming a Turkish DPO and sets forth the scope of the knowledge tested in the exam. Candidates will be tested on their knowledge of the Law (scope, basic concepts, general principles, conditions of data processing and transfer, obligations of data controllers, data subjects' rights, applications to the data controller and the Board, data security, etc.) and will be granted the certificate if they score at least 70 points while also achieving a 60% success rate in each section.
Successful candidates become Turkish DPOs and are also deemed to have sufficient knowledge of personal data protection legislation within the scope of the programme. Although the Communiqué uses the general term 'personal data protection legislation', the competence of Turkish DPOs should be understood as limited to Turkish legislation, since the programme and exam focus on the Law, apart from four questions (out of 80) on international legislation, namely the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data No. 108 ('Convention 108'), the Data Protection Directive (Directive 95/46/EC), and the GDPR. However, considering that the Government is currently working on harmonising the Law with the GDPR, the scope of the programme and exam may be broadened in the future.
Obtaining the certificate is not mandatory. Natural persons are free to apply for the programme. In other words, those wishing to obtain the certificate (and, of course, fulfilling the application requirements) may attend the Data Protection Officer Certification Programme and, if successful, may become a Turkish DPO.
The Communiqué does not impose any obligation on data controllers (or on data processors). In other words, data controllers are not obliged to have a Turkish DPO within their organisations.
Under the Communiqué, not having a Turkish DPO does not in itself constitute a violation of a specific obligation, as having one is not an obligation of data controllers (or of data processors).
As a possible indirect consequence, the KVKK may ask whether the data controller employs a Turkish DPO (as a security measure), and not having one may be evaluated to the detriment of the data controller in the event of an investigation (as may always be the case for other security measures, depending on the KVKK's discretion).
Having a Turkish DPO within the data controller's (or data processor's) organisation does not fulfil a specific obligation per se; however, it may serve as a security measure.
The Communiqué underlines that the employment of one or more Turkish DPOs by a data controller will not affect the data controller's existing obligations: 'The employment of a data protection officer within the organization of a data controller and/or the data processor does not relieve the data controller and data processor from their responsibility to comply with the Law and the relevant legislation'.
If the data controller has a Turkish DPO within the company, this can be presented as an example of good practice, indicating that the data controller takes due care in fulfilling the organisational security measures foreseen under the Law and in complying with the Law in general.
Therefore, having a Turkish DPO is a security measure, but it will not by itself fulfil the data controller's obligation to ensure the security of personal data.
In line with the above, the Communiqué introduces a voluntary system for the certification of Turkish DPOs. Data controllers, data processors, and individuals are therefore not under any obligation with regard to the Turkish DPO system. However, the Communiqué grants the KVKK the power to decide and regulate issues not foreseen in, or not explicitly addressed by, the Communiqué, so further provisions may be introduced by the KVKK.
In practice, since the Communiqué entered into force only recently and the DPO regime has not yet been applied, the KVKK's approach to its enforcement is not yet known. However, in the future the KVKK may make a habit of asking whether a Turkish DPO is in place when questioning a data controller's security measures (just as it asks about employee awareness training, for example).
On the other hand, the Law is expected to be amended in the relatively near future, which may have several effects on the content of the certification programme and on the status of the Turkish DPO regime once the new legislation is introduced.
On 2 March 2021, the Human Rights Action Plan 2021 was introduced, prepared with the contributions of relevant ministries, institutions, business sector actors, and non-governmental organisations. The Human Rights Action Plan sets out objectives to be implemented within a one-year period concerning the harmonisation of the Law with the GDPR and the legal remedies within this scope.
Within this framework, the Turkish DPO regime may be affected in different ways: the Communiqué may be the first signal of an actual DPO concept similar to the one under the GDPR, and the amended Law may introduce a mandatory regime in this respect (instead of the Communiqué's soft regime). Alternatively, the Turkish DPO scheme may be kept as is, but after the amendment the programme's content would change and the validity of past certificates may accordingly become uncertain.
In light of these possibilities, data controllers (and processors) are strongly advised to follow developments in the Turkish DPO regime and the KVKK's approach to it, and to take any actions necessary to comply with the Law and its application.