The following article, written by the team at Kılınç Law & Consulting, examines Turkey’s latest legislation and regulation in relation to data controllers and the processing of personal data.
The VERBIS System and the Law on the Protection of Personal Data
VERBIS (Data Controller Registry Information System) refers to the information system that can be accessed on the internet, where controllers will be used in the Registry and other procedures related to the Registry. In this way, this system is aimed to publicise who is responsible for data and by doing that it protects personal data more effectively. The obligation to register in the System aims to provide clarity in terms of the processing of personal data and to create a safer environment for the compliance of the data questions with the legislation.
According to Law No. 6698 on the Protection of Personal Data, published on 07.04.2016, in the Official Gazette, a real person or legal entity, which decides on the reasons and mediums to process the data and is responsible for establishing and managing the data registration system, are referred to as controllers. The processor is defined as natural or legal persons other than the organisation of the data officer, who process the personal data on its behalf, based on the authority granted by the controller. These persons are separate naturel or legal persons who are authorised by the controller through an agreement on personal data processing and process the personal data under the directives recevied.
2. TERMS AND CONDITIONS
If a corporation processes the data of its customers, employees or website visitors, according to the law, it is accepted as the data controller and takes responsibility in these cases.
As the responsibility of the decision on processing personal data belongs to the data responsible, they are with the data liability and necessary precautions must be taken regarding the protection of personal data. The most important of these responsibilities is to register to the “Data Controller Registry”. Registration to this System can be done via VERBIS and the obligation to be registered to VERBIS began on 01.10.2018.
It is mandatory for the data controller to register to VERBIS. The enrolment process must be completed before starting the data processing activities. According to Provisional Article 1 paragraph 2, natural and legal persons who are residents in Turkey, or not, fulfil obligations of enrolment to VERBIS before commencing the processing data within the period specified by the Board. The Board has determined the date of the obligation of the data controller to register to VERBIS to be 01.10.2018, with the decision dated 19.07.2018. If the data controller is a resident in Turkey, they are obliged to appoint a contact person and add the information about the contacts during enrolment to VERBIS. With regard to data controllers residing abroad, they must appoint a data representative and submit a certified sample of the decision to the Broad through this data representative. In case of changes in registration information, the data controller should inform the Board about these changes within seven days via VERBIS.
3. EXCEPTIONS AND LEGAL RESPONSIBILITY
The Board is authorised to provide exceptions to the obligation of enrolment in the Registry of Data Controllers by Law No. 6698 on the Protection of Personal Data. In the application of this exception, the objective criteria set by the Board, such as the nature and quantity of the data processed, the legal requirement for data processing, or transferring the data to third parties, are taken into account.
Controllers exempt from the obligation to register to VERBIS by the Personal Data Protection Board are as follows:
Controllers that process data only through non-automated means such as, Notaries; Associations and Foundations; Attorneys at Law; Political Parties; Independent Accountants and Financial Advisors; Certified Public Accountants; Customs Consultants; Arbitrators and those who have less than 50 workers and whose annual financial balance sheet is less than TL. -25.000,00 in total, or are the ones whose main activity is not personal data of a special nature.
Controllers are responsible for the lawfulness, accuracy and keeping up to date the data provided to and published in VERBİS. Any changes in the information provided to VERBIS shall be immediately notified to the Presidency. If the activity requiring the registration obligations discontinues or disappears, the registration will be deleted. Deleting the registration does not eliminate the obligations of the Controllers during the period in which they are registered.
In the case of negligence to fulfil the obligation to register with VERBİS, the Controllers will have legal and criminal responsibility. Although they are within the scope of enrollment and notification obligations in the Registry of Data Controllers, the Controllers, that fails to meet the obligations for enrolling in the Registry of Data Controllers, shall be required to pay an administrative fine of TL. -20.000 to TL. -1.000.000.
We hope that above information has been helpful. If you have any further questions, please feel free to contact us.