Turkish Personal Data Protection Board’s Announcement on Registration System
One of the many obligations that data controllers should take into account is registration before Data Controllers Registration System (“Registration System”) as per Personal Data Protection Law numbered 6698 (“PDPL”). While doing so data controllers must not disregard the decisions taken by Turkish Data Protection Council (the “Council”) and complete such registration process within due time. Data controllers are also responsible for the data that they have filled to be accurate, updated, lawful and complete.
Decisions by the Council must be followed up to be able to duly complete the registration process. Thus, data controllers are obliged to complete registration processes within due time as it has been clearly stipulated by Provisional Article numbered 1 in PDPL. As per the Council’s decision dated 19/07/2018 and numbered 2018/88, data controllers with more than 50 employees or more than TRY 25 million total financial statement sum are obliged to registrar before the Registration System on 30/09/2019 at latest. In the end, such deadline has been pushed forward a few times for various reasons and currently the deadline for the data controllers with abovementioned criterion is 30/09/2020. Failure to register results to an administrative fine up to the amount of TRY 1,000,000 in line with Article 18/1-(ç) of PDPL. However, at the first instance, the Council has made an announcement upon the expiration of the deadline, and stated that the data controllers who fail to fulfill the registration obligation will be granted with an additional time to fulfill such obligation. This paved the way for the imposition of burdensome administrative fines within the framework of the aforementioned article for data controllers who do not comply with the further instructions provided by the Council.
Finally, it will be useful to state that compliance with the PDPL is not completed by making accurate and timely registration to Registration System, and the Registration System also means announcing the behaviors in compliance with the PDPL to the public and the Council. Therefore, it is safe to state that the data controllers who have completed the registration process yet failed to comply with the PDPL may face with administrative fines in weighty amounts if they disregard to amendments in legislations and do not organize their commercial processes in line with the Council’s decisions. Data controllers are expected to comply with all obligations foreseen within PDPL whether their registration is complete or not.