General Information on Registration to the Data Controllers Registry and the Decision of the Personal Data Protection Authority
The Personal Data Protection Law numbered 6698 (“Law”) was accepted on 24 March 2016 and entered into force, except for certain articles that are reserved, through publication in the Official Gazette dated 7 April 2016 and numbered 29677.
Pursuant to Article 1 of the Law, the purpose of this Law is to protect the fundamental rights and freedoms of persons, in particular the confidentiality of private life, and to regulate the obligations of natural persons and legal persons who process personal data, together with the procedures and principles they must follow. Pursuant to Article 16 of the Law, in order to effectively fulfill these purposes, the Chairmanship shall keep the publicly available Data Controllers Registry (“Registry”) under the supervision of the Personal Data Protection Board (“Board”).
Within this scope, the general provisions regarding the Registry are addressed first below. Thereafter, a recent decision of the Personal Data Protection Authority (“Authority”) is elaborated upon.
The Obligation to Register with the Data Controllers Registry
As per Article 16 of the Law, data controllers must fulfill their obligation to register with the Registry before starting to process personal data. The Regulation on the Data Controllers Registry (“Regulation”) is based on the same provision of the Law. It determines the rules and procedures for the formation and administration of the Data Controllers Registry, which the Chairmanship keeps publicly under the supervision of the Board pursuant to the Law, and for registration with the Registry. Likewise, according to Article 8 of the Regulation, data controllers must fulfill their obligation to register with the Registry before starting to process personal data.
According to these provisions, data controllers that are not under an obligation to register, but become obligated to register later on, shall register with the Registry within thirty days following the date they became obligated.
In the event that data controllers who are under an obligation to register cannot fulfill their registration obligations due to a factual, technical, or legal impossibility, they shall apply to the Authority within 7 working days following the date when this impossibility arose, in writing and with justification, and they may request additional time. The Authority may grant additional time one time only, provided that it does not exceed thirty days.
The Exceptions to the Obligation of Registration
As mentioned above, data controllers must fulfill their obligation to register with the Registry prior to processing personal data. Nevertheless, pursuant to Article 16 of the Law, the Board may allow exceptions to this obligation by considering objective criteria to be determined by the Board, such as the qualification of the personal data, its number, whether the processing derives from the law, or the transfer of the personal data to third parties.
The provisions below are also stipulated under Article 16 of the Regulation:
“The Board may bring exceptions to the registration obligation by way of considering the criteria below:
- The qualification of the personal data;
- The number of the personal data;
- The purpose of processing the personal data;
- The field of activity in which the personal data is processed;
- The status as to the transfer of the personal data to third parties;
- The fact that the processing activity derives from the laws;
- The term of conservation of the personal data;
- The personal group related to the data or data categories.
The Board is competent to render a decision in order to determine the scope and rules and procedures regarding the exceptions that are determined within the framework of the criteria indicated under the first paragraph. The Board shall publish its decisions in this respect through the adequate methods and shall announce them to the public.”
The Decision of the Personal Data Protection Authority that brings Exceptions to the Obligation of Registration with the Data Controllers Registry
The Authority, based on the above-mentioned provisions, rendered a decision dated 02.04.2018 and numbered 2018/32 regarding the exceptions to the Obligation of Registration with the Data Controllers Registry. This decision was published in the Official Gazette dated 15.05.2018 and numbered 30422.
According to this decision, the following persons are exempted from the obligation to register with the Data Controllers Registry:
- The persons who process personal data only through non-automatic methods, as part of a data registration system;
- The Notaries who operate pursuant to the Notary Law dated 18.01.1972 and numbered 1512;
- The persons who process personal data with regard to the associations founded pursuant to Associations Law numbered 5253 and dated 04.11.2004, the foundations founded pursuant to Foundations Law numbered 5737 and dated 29.02.2008, and the syndicates founded pursuant to Syndicates and Collective Bargaining Agreements Law numbered 6356 and dated 18.10.2012, only regarding their own employees, members and donors, limited to their fields of activity, and in conformity with their related legislation and purpose;
- The political parties that are founded pursuant to Political Parties Law numbered 2820 and dated 22.04.1983;
- The attorneys who work pursuant to Law on Advocacy numbered 1136 and dated 19.03.1969;
- The independent accountants and financial advisors and sworn-in certified public accountants who operate pursuant to Law on Independent Accountant and Financial Councillorship and Sworn-in Certified Public Councillorship numbered 3568 and dated 01.06.1989.
The above-mentioned data processors are exempted from the obligation to register with the Registry according to the Decision of the Personal Data Protection Authority dated 02.04.2018 and numbered 2018/32, regarding the Exception Brought to the Obligation of Registration with the Data Controllers Registry. That being said, it is important to note that the fact that these processors are exempted from the obligation to register with the Registry does not imply that they are not required to fulfill the other obligations within the scope of the Personal Data Protection Law. In other words, these persons are also subject to the provisions under the Law. The exceptions relate only to the obligation of registration.
All rights of this article are reserved. This article may not be used, reproduced, copied, published, distributed, or otherwise disseminated without quotation or Erdem & Erdem Law Firm's written consent. Any content created without citing the resource or Erdem & Erdem Law Firm’s written consent is regularly tracked, and legal action will be taken in case of violation.