Appointment of a data protection officer (DPO) is regulated in detail under the EU General Data Protection Regulation (GDPR). Mandatory DPO appointment is imposed under certain circumstances, and legal requirements are set for the DPO role in terms of both qualification and authorization. Under the Law on Protection of Personal Data No. 6698 in Turkey (LPPD), there is no legal requirement for data controllers to appoint a DPO, but a separate role is introduced for the purposes of fulfilling the data controllers' registry process under the Regulation on Data Controllers Registry. The differences between the data controller's representative/contact person role under the LPPD and the DPO role under the GDPR can create confusion in practice.
DPO role under the GDPR
Under the GDPR (Article 37), the DPO role is mandatory for both data controllers and processors where the processing is carried out by a public authority or body, or where their core activities consist of either regular and systematic monitoring of data subjects on a large scale or large-scale processing of special categories of personal data. A group of companies may appoint a single DPO to fulfill this obligation, provided the DPO is easily accessible from each establishment, and the DPO may be either an employee or a third-party individual engaged under a service contract. The DPO's contact details must be published and communicated to the supervisory authority.
Independence is the central rule for a DPO. Article 38 of the GDPR explicitly states that DPOs must be supported and involved, properly and in a timely manner, in all issues relating to the protection of personal data, must not receive any instructions regarding the exercise of their tasks and must not be dismissed or penalized for performing those tasks. DPOs report directly to the highest management level. Further, where a DPO has other duties and tasks within or outside the organization, the organization is obliged to ensure these do not create a conflict of interest with the DPO duties. DPOs must have an adequate level of expertise in data protection law and practice and the qualifications required for the role.
In practice, there is no requirement that a DPO be a lawyer or a cybersecurity expert, but they must have expert knowledge of data protection law and must be able to fulfill the tasks set out in Article 39 of the GDPR, which include monitoring compliance, informing and advising the organization on its data processing activities, providing advice on data protection impact assessments, cooperating with the supervisory authority and acting as its contact point.
Data controller’s representative/contact person role under the LPPD
According to the Regulation on Data Controllers Registry, data controllers based in Turkey and foreign data controllers that process personal data in Turkey must register with the Data Controllers Registry, known as VERBIS. For Turkish data controllers there are thresholds (number of employees and balance sheet figures) that determine whether registration is required, whereas for foreign data controllers there is no such threshold, so any foreign data controller processing personal data in Turkey must register with VERBIS.
For VERBIS registration, data controllers are required to appoint a contact person/data controller representative, who must be a Turkish citizen or a legal entity established in Turkey. The obligations imposed on the representative are regulated under Article 11 of the Regulation, which makes clear that the data controller is the legal entity itself and not the individuals working within it. Liabilities regarding personal data protection are exercised by the authorized bodies of the organization in accordance with local laws. The persons authorized to represent the company may be appointed to fulfill LPPD obligations; however, such an appointment does not release the organization from its own liabilities as a data controller. The data controller representative must be appointed with at least the following minimum authorizations imposed under the Regulation:
- Receive or accept notifications and correspondence sent by the Turkish supervisory authority.
- Forward requests made by the Turkish supervisory authority to the data controller, and forward the data controller's answers back to the supervisory authority.
- Receive applications from data subjects on behalf of the data controller and forward them to the data controller in accordance with the LPPD.
- Forward the data controller's responses to the data subjects in accordance with the LPPD.
- Carry out the necessary VERBIS transactions on behalf of the data controller.
With this in mind, it is clear that the data controller's representative/contact person role under the LPPD does not carry the same liabilities and authorizations as the DPO role under the GDPR.
Despite being appointed as the data controller's contact person before the Turkish supervisory authority, the contact person bears no specific liabilities unless they are given a specific role and authorization in accordance with local laws. While persons already authorized to represent the organization may be appointed as its representative for VERBIS purposes, this alone does not mean such a person bears liability for the data protection obligations arising from the LPPD, unless the organization imposes such a duty through a valid resolution.
How to appoint a DPO under Turkish law
Under Turkish law, the DPO role is not mandatory, but organizations subject to VERBIS registration obligations must appoint a representative/contact person and grant them the minimum authorizations described above.
The appointment of a data controller representative does not impose special liability on the representative. Organizations that nevertheless wish to create a DPO role modeled on the GDPR must consider the commercial law rules on appointing a commercial representative, select a person with data protection expertise who can exercise compliance and monitoring duties, grant them the necessary authorizations and ensure their independence. Only then may the individual carry liabilities comparable to those of a DPO.
If a DPO is properly appointed under Turkish law, and the organization (usually its board of directors) can prove that it acted as a prudent merchant in making the appointment, completed all required steps, provided the DPO with all required authorizations and supported them, the organization may have a right of recourse should any personal misconduct by the DPO arise.
The circumstances of each case must be analyzed in detail to assess whether the organization has any right of recourse, but companies wishing to create a DPO role must at least take into account the commercial law rules on appointing a commercial representative, as well as the specific requirements of the GDPR as a reference model. If the DPO role has no independence within the company, we believe the organization cannot impose liability on the DPO. The data controller's primary obligation is compliance with the LPPD, as stated in the Regulation; that liability cannot be shifted onto the DPO, although the conditions for recourse can be reviewed and assessed in each case. There is no case law on this specific matter, but in other roles within organizations, commercial representatives may be held personally liable in specific cases where their personal willful misconduct is proven.
In Turkey, organizations tend to appoint one of their employees as representative, and foreign data controllers with no presence in Turkey tend to appoint a third-party service provider as representative, solely for the purpose of fulfilling the VERBIS registration. As a result, the DPO role is rarely seen in Turkish practice, and where it does exist it is generally not granted the authority to represent the organization or to exercise its duties with full independence.