Data controller registry regulation published.

Regulation on Data Controllers Registry (“Regulation”) prepared based on articles 16 and 22 of the Law for Protection of Personal Data no.6698 (“Law”) intended to create and manage Data Controllers Registry and identify the procedure and principles concerning the required entries to the Data Controllers Registry and ensure implementation of them has been published in the Official Gazette dated 30.12.2017, no. 30286. 

Pertaining to the related regulation, the Data Controllers Registry (“Registry”) will be kept on data controller registry information system (VERBİS) with public access in the presence of the presidency of Institute for Protection of Personal Data. Pursuant to the Article 9 of the Regulation, applications to the Registry should contain information concerning;

a) Information required by the application form determined by Board on the data controller’s, representative of the data controller if any the contact person’s identity and address, 

b) The intention for personal data entry,

c) Explanation on personal group and groups subject to data and data categories for those people,

ç) Receiver or receiver groups to transmit personal data,

d) Personal data proposed to be transmitted abroad,

e) Measures taken in line with the criteria set by the Board and indicated in the Article 12 of the Law,

f) Maximum period of preservation for the personal data required by the legislation or purpose of processing.

Data controllers should be enrolled to the Registry prior to the entry of personal data pursuant to the regulation. Regarding the data controllers non-resident in Turkey, the aforementioned registration procedure will be handled by the representative of the data controller. Exceptions of registry enrolment liability are also arranged within the Regulation. As per the Article 15; the liability of enrolment to the Registry for data controllers would be out of question in the circumstances that;

a) If personal data entry is necessary for prevention of crime or a criminal investigation.

b) Entry of the personal data that is already made public by the owner of it.

c) The requirement of personal data entry for the execution of a supervisory or regulatory task, disciplinary investigation or prosecution by an authorized public institution or organization and occupational organizations serving as a public body.

ç) The requirement of personal data entry for protecting the State’s economic and financial interests in terms of budgetary, tax and fiscal matters.

The Regulation has been enacted as of 01.01.2018 and its provisions will be executed by the president of Personal Data Protection Board.

Our explanations provided above include general information on the issue. No responsibility can be claimed against EY and/or Kuzey YMM ve Bağımsız Denetim A.Ş. due to the implications arising from the context of this document or emerging with respect to its context.


Best Regards,
Kuzey YMM ve Bağımsız Denetim  A.Ş.