On June 23, the Turkish data protection authority, the KVKK, announced a third extension to the Data Controllers’ Registry (VERBIS) registration requirement. The original deadline to register was Sept. 30, 2010, but it was extended to Dec. 31, 2019, and then again to June 30, 2020. The deadline was extended due to COVID-19. This is expected to be the last extension, and data controllers must take all necessary steps to register with VERBIS before the new deadline, Sept. 30.
Scope of registration
VERBIS's requirements cover foreign controllers (controllers not established in Turkey) that collect personal data from Turkey or process personal data collected from Turkey as a controller. It also covers requirements for Turkish controllers (those established in Turkey) that employ 50 or more people or have an annual turnover that is equal to or over TRY 25,000,000.
The registration requirement is one of the rare areas where we see the extraterritorial application of the Turkish law on Protection of Personal Data where the requirement extends outside of Turkey and requires a foreign controller to register with VERBIS.
What determines if an organization needs to register? Organizations face similar requirements as outlined above for data controllers. If an organization is established in Turkey and employs more than 50 employees and/or has an annual turnover equal to or more than TRY 25,000,000, it needs to register by the deadline. Conversely, if an organization is not established in Turkey but collects personal data or processes personal data collected from Turkish citizens, it will need to register by the deadline.
The registration procedures are different for foreign controllers and Turkish controllers.
Foreign controllers are required to appoint a data controller representative in Turkey. This requirement is similar to Article 27 of the EU General Data Protection Regulation.
The representative must be a Turkish legal entity established in Turkey or a Turkish natural person. Most foreign controllers appoint external lawyers or law firms based in Turkey as the representative since this role requires a level of legal expertise.
The controller will appoint the representative with either a duly signed decision or an appointment letter. The appointment letter/decision must contain certain minimal wording/elements to be accepted by the DPA. Further, it must be signed by an authorized signatory of the controller, notarized and also apostilled at the place of signing. After this stage, the letter/decision must be sent to the representative in physical form.
Once the letter/decision is received, the representative shall translate the decision into Turkish and notarize the document in Turkey. At this point, the representative will visit verbis.kvkk.gov.tr to handle the remaining initial registration steps by creating a profile for the data controller. Afterward, the VERBIS ID number and password will be sent to the representative.
Next, the representative will appoint a Turkish individual (an employee of the representative) as the contact person for the foreign controller. Please note that it is not possible to appoint one individual to multiple controllers as a contact person.
Finally, data-processing inventory (similar to Article 30 of the GDPR on records of processing) shall be entered into VERBIS by the representative/contact person. Registration will only be final after submitting the inventory into VERBIS.
Turkish controllers must visit verbis.kvkk.gov.tr to create a controller profile by submitting certain information, such as the name of entity, address, tax number and tax office. After creating their profile, Turkish controllers are required to appoint a contact person. Similar to the procedure explained above, a contact person can only be appointed to one data controller only. The appointment of the contact person is handled online by visiting the website.
After appointing a contact person, data-processing inventory shall be entered into VERBIS by the contact person. Registration will only be final after submitting the inventory into VERBIS.
Failure to register in time may result in an administrative fine of up to TRY 1,802,000, a second administrative fine of up to TRY 1,802,000 for not complying with DPA's decisions, and the DPA may restrict the controller's data processing activities in Turkey
Photo by Tarik Haiga on Unsplash
If you want to comment on this post, you need to login.