The Turkish Law on Personal Data Protection No. 6698 (DPL), which entered into force on April 7, 2016, prescribes that data controllers that are not established in Turkey but process personal data of subjects in Turkey (“foreign controllers”) must appoint a data controller representative (“representative”). This provision bears resemblance to article 27 of the EU General Data Protection Regulation (GDPR).
Who can be a Representative?
The representative must be located in Turkey and must be either a legal entity or a Turkish citizen.
What are the Obligations of a Representative?
The representative will be the contact point for the controller for any communication with the Data Protection Authority. The representative will also be the contact point for data subject requests.
The representative must be vested with the following authorities:
- Receive and accept, on behalf of the data controller, correspondence and notifications from the Data Protection Authority,
- Convey the requests sent from the Authority to the data controller and to convey the response from data controller to the Authority,
- Receive data subjects’ requests on behalf of the data controller and transmit the requests to the data controller,
- Transmit the Data Controller’s response to data subjects,
- Perform the required actions regarding the Data Controllers Registry Information System (VERBIS) on behalf of the controller.
How to appoint the Representative?
The Representative can be appointed with an appointment letter that must be signed by the authorized persons of the data controller, notarized in the place of signing, and apostilled.
And the Registration?
The representative will enter the information of the foreign data controller and the representative in the Data Controllers Registry Information System (VERBIS). Registration can only be done after the appointment of a representative.
What are the Consequences of Non-Compliance?
Failure to register can result in an administrative fine of currently up to 1.966.862 TRY (approx. 146.000 EUR) and the Data Protection Authority may restrict the organization’s data processing operations.
Is there a Deadline?
Yes, registration must be done by December 31, 2021.