Draft Regulation on Data Controller Registry (“Draft Regulation”) that is among the regulations required to be arranged within the scope of the Law for Protection of Personal Data no.6698, enacted as of 7 April 2016, has been published on the official website of Council for Protection of Personal Data (“the Council”) on 5 May 2017 particularly aimed at gathering commentary from sector-specific occupational organizations.
The Council has granted a period until 20 May 2017 for public review on the Draft Regulation.
Terms of the Draft Regulation arranged in line with the EU practices will be handled by Head of the Council.
When the incoming arrangements that will be introduced pursuant to the aforementioned Draft Regulation are examined, most remarkable parts of it are provided below:
- Information to be disclosed for registry should be gathered based on the data inventory. The relevant application is transmitted to the Registry through VERBIS based on the Personal Data Entry Inventory, by using the titles indicated in VERBIS.
- An IT system used by the data controllers in Registry application and other Registry operations, accessible on the web, handled and managed by the Head of Organization for Protection of Personal Data will be set up.
- Assignment of an intra-company data dealer as mandatory under the EU regulation titled “Data Officer” or referred as “contact person” within the regulation in UK was arranged as data dealing representative for foreign legal person and a foreign data controller representative in charge of a contact person is deemed compulsory for foreign legal person non-resident in Turkey.
- The mechanism responsible for the liabilities as the legal person data controller is arranged as “legal person organ”. In other words, the relevant body in charge of meeting the legal liabilities of the data controller has been determined as board of management or board or directors while that authority is un-transferable. Despite the way for reverting is paved by acknowledging the relevant organ’s ability for insider assignments; the fact that the relevant organ’s liability would not be ending through this authorization is arranged within Article 11 of the Draft Regulation titled as “Liabilities of the data controller, data controller representative and contact person”.
- The arguments on implementation scope of the Law for Protection of Personal Data have also been arranged under the Article 17 of the Draft Regulation. Pertaining to the concerning article, an exception is introduced in entries to the data registry as applied in independent auditing. In terms of the concerning exception’s implementation, some of the criteria to be taken into account by the Council may be identified as (i) company’s turnover, (ii) number of employees and (iii) amount of personal data held.
The concerning regulation will be enacted as of its date of promulgation.
Our explanations provided above include general information on the issue. No responsibility can be claimed against EY and/or Kuzey YMM ve Bağımsız Denetim A.Ş. due to the implications arising from the context of this document or emerging with respect to its context.
Kuzey YMM ve Bağımsız Denetim A.Ş.