Extraterritorial Implications of Turkish Data Protection Legislation: Compliance Requirements for Foreign Data Controllers
This article explores the regulatory landscape for data controllers located outside Turkey and their obligations under the Turkish Data Protection Law. It highlights the requirement for appointing a representative, registration processes, and various compliance measures.
2. Appointment of Data Controller Representative:
Similar to GDPR Article 27, the Turkish Data Protection Law mandates the appointment of a representative when non-resident data controllers process Turkish residents' data. The Data Protection Agency (DPA) has instituted a Data Controllers' Registry, and non-resident controllers must register by submitting a certified copy of the decision appointing their representative to the Personal Data Protection Authority (Authority).
2.1. Representation by Natural or Legal Persons:
A decision by the Personal Data Protection Commission affirms that a representative can act on behalf of more than one data controller, assuming the responsibilities outlined in the Law on the Protection of Personal Data (LPPD) and relevant legislation.
3. Registration Obligations for Data Controllers:
Before commencing data processing in Turkey, data controllers, including those abroad, must register with the VERBIS register. Unlike controllers in Turkey, foreign controllers are exempt from criteria based on annual employees or financial balances. Registration is required for any data processing activity.
3.1. Analysis of Liaison Offices and Branches:
The Authority has differentiated between liaison offices and branches established in Turkey. If a branch determines the purposes of personal data processing, it must register in Turkey. However, liaison offices, due to their structure, are exempt from this obligation, with the responsibility falling on the parent company.
4. Privacy Notices and Explicit Consent:
Article 10 of the Turkish Data Protection Law mandates informing data subjects about the data controller's identity, representative (if any), purposes of data processing, potential transfers, collection methods, legal reasons, and other rights. Companies should incorporate Turkey-specific obligations into their privacy policies, as highlighted by the Authority.
5. Data Breach Notification Obligation:
Pursuant to Article 12(5) of the LPPD, in the event that the personal data processed is unlawfully obtained by others, the data controller is obliged to notify the relevant person and the Board as soon as possible. The data breach notification procedure was announced by the Board with the "Decision of the Personal Data Protection Board dated 24/01/2019 and numbered 2019/10 on the Procedures and Principles of Personal Data Breach Notification".
In case of unlawfully obtained personal data, data controllers must promptly notify affected individuals and the Authority. The notification period, interpreted as 72 hours, applies to breaches occurring abroad if Turkish residents are affected, emphasizing the global reach of the legislation.
6. Data Subjects Access Requests:
Within the scope of the rights listed in Article 11 of the KVKK titled "Rights of the data subject", it is regulated that the data subject has the right to learn all kinds of activities on his personal data by applying to the data controller and to obtain information about his personal data and processing activity.
Article 11 of the Law on the Protection of Personal Data grants data subjects the right to inquire about their personal data. Foreign data controllers must appoint a representative responsible for facilitating communication between the Authority and the data controller, handling data subject requests, and ensuring compliance with the LPPD.
Understanding the extraterritorial effects of Turkish Data Protection Legislation is crucial for foreign data controllers. Compliance with registration, notification, and representation requirements is essential to navigate the intricate regulatory framework and ensure the protection of personal data in Turkey.
Article provided by INPLP member: Can Çayırpare (CVG Law Firm, Turkey)
Dr. Tobias Höllwarth (Managing Director INPLP)