Data Controllers’ Registry Obligation under Turkish Data Protection Law (LPPD)

The VERBIS registration system, which is implemented by Article 16 of the Turkish Data Protection Law, has taken into scope both Turkish and non-Turkish data controllers. So, what exactly is this VERBIS registration and which data controllers are within its scope? Does it also concern non-Turkish data controllers, without any exemptions? As a non-Turkish controller, what shall be the compliance steps for you? You can find an overview for the responses of these questions below.

In the modern world, where we carry out our business and daily life by sharing almost all of our information with others on digital platforms, one of the main concerns is not having control over with who and for what purpose our personal data is shared.

Following the concerns arising by the digital culture, the rapid developments in data processing and storage have also led to expediting the progress of legal regulations all over the world in order to protect privacy and control data operations.

One of the privacy regulations that have had substantial importance over time is the Turkish Data Protection and Privacy Regulations. Turkey was one of the first countries to take up the trend of legislating data protection. Turkeypublished “The Law on the Protection of Personal Data” No. 6698 (LPPD) covering personal data protection on April 07, 2016.

The LPPD is inspired by the European Union Data Protection Directive 95/46/EC and has several similarities with the GDPR. It aims to give data subjects control over their personal data and outlines obligations for organizations and individuals with access or processing with personal data. LPPD has also provided extended guidelines for the transfer of personal data to third countries and with regard to other requirements for better compliance.

similar to other national and regional data protection laws and regulations, the LPPD gives rights and imposes obligations.One of the most crucial obligations, and perhaps the one that will closely concern companies that process personal data in Turkey, is the “Data Controllers Registry System”, referred to as “VERBIS”.

VERBIS is a data protection measure and a specific mechanism that is not yet often encountered in other privacy practices in the world . The broad scope of the obligation of the registry has the considerable potential of making any data controllers a subject for VERBIS registration, a highly essential mechanism for data protection practitioners.

MyData-Trust proposes to raise the topic of this uncommon registry system, that requires to gather and keep up all the necessary information to be compliance with the Turkish LPPD. The analysis particularly would be a key for companies that process personal data as non-Turkish controllers, through their Clinical Study Sites in Turkey and their important role in the compliance with VERBIS obligation.

The following information must be submitted to the system:

• Identity and address of the data controller and its representative (if any)
• Purposes for which the personal data is to be processed
• Explanations about groups of data subjects and the data categories of those data subjects
• Recipients to whom the personal data may be transferred
• Type of personal data which may be transferred abroad
• Measures taken for data safety
• The maximum period of time required for the purpose of data processing

Pursuant to the LPPD and the Regulation, the obligation is structured in three categories:

• Natural / Legal Persons Domiciled in Turkey,
• Natural / Legal Entities Domiciled Abroad,
• Public Institutions and Organizations

The scope of this mechanism is broad ,and is not limited to people residing only in Turkey. Any data controller who is resident or non-resident and processes data in Turkey has the potential to be obliged for the registration, directly or by its branches or liaison offices, and also with some exceptions subjected by the Board.

The Board of the Turkey Data Protection Authority may bring an exception to the obligation of enrollment by considering the nature and number of personal data, the purpose of processing personal data, and other objective criteria. In 2018, the Board issued decisions granting exemptions from registration obligations to certain professional groups, associations, and political parties.

The Board granted a general exemption to local data controllers with less than 50 employees and actively less than TRY 25 million on their balance sheets. The exemption also includes certain types of data;

(i) for the prevention or investigation of a crime; (ii) of personal data made public by the data subject; (iii) for the performance of supervision, regulatory or disciplinary functions by public authorities or professional bodies; and (iv) for the protection of the economic and financial interests of Turkey related to budgetary, tax and financial matters.

Processing data in Turkey as a non-resident data controller requires extra steps to be fulfilled, compared to the local data controller, due to the VERBIS registration. These additional steps may remind the GDPR requirements for non-EU controllers asstated in Art. 27, the requirement of a Data Protection Representative (DPR) for non-EU Data Controllers.

The broad scope of VERBIS obligation makes companies, and our clients subject to he Regulation through their clinical trials and studies. For instance, a Sponsor based in Belgium conducting trials in Turkey will be directly obliged to VERBIS registration, regardless of the location of the Sponsor, the number of employees or balance sheets.

As mentioned earlier, VERBIS mechanism has laid down rules to complete the registration and recognizes an additional role of the “Data Protection Representative” for non-Turkey resident data controllers to register with the mechanism.

In Turkey, data controllers residing abroad must first appoint a “Data Controller Representative” by submitting the approved and signed document to the Board. The Data Controller Representative may be either a legal person residing in Turkey or a natural person who is a citizen of the Republic of Turkey. The appointment of the Representative must be made with a resolution of the data controller, which needs to be notarized and apostilled (or otherwise legalized).

The Representative will act as a point of contact and handle the communication for the data controller about its dealings with the Board, the Turkish Data Protection Authority and the data subjects. If a legal entity is appointed as the representative, an individual must also be appointed by the non-resident data controller as the contact person.

there is a clear analogy between the roles of Data Protection Representatives under the LPPD and the GDPR. Under both laws, DPRs shall be delegated by the controller and to be addressed to supervisory authorities and data subjects, on all issues related to processing, to ensure compliance.

On the other hand, diversely from the GDPR, in LPPD, appointing a DPR is strictly mandatory and the DPR role is constituted for VERBIS registration only for the non-Turkey resident data controllers; regardless of their frequency, scale or categories of data processed,.

In addition, the process of appointing a DPR in Turkey requires additional procedural duty different from the GDPR, as the appointment needs to be signed and the signature needs to be notarized and apostilled. As of yet, the end-to-end digital process is not possible, and the VERBIS mechanism is available only in Turkish.

To provide a general insight into the fines issued for non-compliance with the LPPD, it is correct to say that VERBIS registration violation tends to end up with a higher amount, compared to the other types of fines.

For instance, in 2022, a record fine for the violation of the disclosure requirement is around 270,000 TL. However much higher fines are on the table, in the case of violation of registration obligation to the VERBIS.

The fine in case of the violation to fulfil the “obligation to register with the Data Controllers’ Registry”could reach up to 2,700,000 TL, which is about 10 times more than the highest fine for the violation of disclosure requirement.

Administrative fines in Turkey are re-evaluated every year. From 2021 to 2022, the increase rate was 36.20% for the fines due to the obligation to register with the Data Controllers’ Registry.