The Turkish Law on Personal Data Protection No. 6698 (DPL), which entered into force on April 7, 2016, prescribes that data controllers that are not established in Turkey but process personal data of subjects in Turkey („foreign controllers“) must appoint a data controller representative („representative“). This provision bears resemblance to article 27 of the EU General Data Protection Regulation (GDPR).
Who can be a Representative?
The representative must be located in Turkey and must be either a legal entity or a Turkish citizen.
What are the Obligations of a Representative?
The representative will be the contact point for the controller for any communication with the Data Protection Authority. The representative will also be the contact point for data subject requests.
The representative must be vested with the following authorities:
- Receive and accept, on behalf of the data controller, correspondence and notifications from the Data Protection Authority,
- Convey the requests sent from the Authority to the data controller and to convey the response from data controller to the Authority,
- Receive data subjects’ requests on behalf of the data controller and transmit the requests to the data controller,
- Transmit the Data Controller’s response to data subjects,
- Perform the required actions regarding the Data Controllers Registry Information System (VERBIS) on behalf of the controller.
How to appoint the Representative?
The Representative can be appointed with an appointment letter that must be signed by the authorized persons of the data controller, notarized in the place of signing, and apostilled.
And the Registration?
The representative will enter the information of the foreign data controller and the representative in the Data Controllers Registry Information System (VERBIS). Registration can only be done after the appointment of a representative.
Privacy Policy
The name and a method to contact the representative must be provided in the organization’s privacy policy.
What are the Consequences of Non-Compliance?
Failure to register can result in an administrative fine of currently up to 1.966.862 TRY (approx. 146.000 EUR) and the Data Protection Authority may restrict the organization’s data processing operations.
Is there a Deadline?
Yes, registration must be done by December 31, 2021.
17. Dezember 2021 @ 7:44
Vielen Dank für die Information. Wo steht denn die Frist bis Ende 2021? Diese kann ich leider auch nicht finden.
Vielen Dank für Ihre Hilfe.
17. Dezember 2021 @ 10:16
Hallo,
anbei die gesuchte Fundstelle.
Mit freundlichen Grüßen
Ihre Blogredaktion
The periods and deadlines originally stipulated by the Turkish Data Protection Law have been extended by serval decisions of the Turkish Data Protection Authority (KVKK). You can find a table of the latest deadlines established by the authority here:
https://www.verisistem.com/en/verbis-data-chamber-authority-record-responsibility-who-and-when
14. Dezember 2021 @ 8:06
Sehr geehrte Damen und Herren,
ich kann leider die gesetzlichen Stellen nicht finden, die besagen, dass ein Vertreter notwendig ist und in welchen Fällen. Könnten Sie mir hier bitte weiterhelfen?
Vielen Dank.
16. Dezember 2021 @ 9:54
Guten Tag,
die gesetzlichen Stellen haben wir Ihnen hier zusammengestellt:
The requirement to register as a data controller is laid down in Art. 16 of the Turkish Law on Personal Data Protection: https://www.kvkk.gov.tr/SharedFolderServer/CMSFiles/aea97a33-089b-4e7d-85cb-694adb57bed3.pdf
The requirement to register a Representative is established in Art. 5 b) of the By-Law On Data Controllers Registry: https://www.kvkk.gov.tr/Icerik/6635/By-Law-On-Data-Controllers-Registry)
Mit freundlichen Grüßen
Ihre Blogredaktion