Sponsored briefing: Obligation to register before the Turkish data controllers registry and maintain personal data-processing inventory

Yasin Beceni and Susen Aklan of BTS clarify Turkey’s data protection regulations on data controller registry obligations

Article 16 of Law no. 6698 on the Protection of Personal Data (DP Law) introduced a general obligation on data controllers to register before the Data Controllers Registry that is to be maintained by the Turkish Data Protection Board.

Obligation of foreign data controllers to register before the Registry

With the Regulation on the Data Controllers Registry and a number of board decisions, the board determined the scope of the obligation of registration and clarified the types of data controller that would be under the obligation to register. As per the regulation and the board decisions, it has been determined that no exemptions shall apply to foreign data controllers acting as data controllers1 pursuant to Turkish data protection legislation and that all such foreign data controllers must carry out their registration processes by the deadline of 31 December 2019.

Obligation to maintain Personal Data-Processing Inventory

All data controllers under the obligation to register must maintain a data processing inventory, a document that is similar in format to records of processing maintained as per Article 30 of the General Data Protection Regulation (GDPR). Stated in the table opposite is a comparison of the inventory and records of processing.

1. Unlike Article 3/2 of GDPR, there is no explicit provision regulating territorial scope under the DP Law. However, under certain decisions of the board, Article 3/2 is taken as a reference on interpretation of the DP Law.

	Records of processing	Inventory
Obligation	An enterprise or an organisation employing fewer than 250 persons is not obliged to maintain records of processing unless the processing: • is likely to result in a risk; • is not occasional; • includes special categories of data or personal data relating to criminal convictions and offences.The processor and processor’s representative will maintain a record of processing.	All data controllers under the obligation to register must maintain an inventoryProcessors are not obliged to maintain an inventory
Contact details	Name and contact details of the controller, the joint controller, the controller’s representative and the data protection officer	Not explicitly stated. However, contact details of the controller and the controller’s representative should be submitted to the registry.
Purpose	Purposes of processing	Purposes of processing
Personal data	Categories of personal data	Categories of personal data
Data subjects	Categories of data subjects	Categories of data subjects
Recipients	Categories of recipients to whom the personal data has been or will be disclosed, including recipients in third countries or international organisations	Categories of third-party recipients
Cross-border transfers	Identification of that third country or international organisation and the documentation of suitable safeguards	Categories of personal data transferred abroad
Retention	Envisaged time limits for erasure of the different categories of data	Maximum retention periods
Security	A general description of the technical and organisational security measures	Administrative and technical measures
Legal ground	N/A	Legal grounds of the processing