Turkey: The role of data controller representatives - What you need to know
Law on Protection of Personal Data No. 6698 ('the Law') introduced a significant number of responsibilities for domestic and foreign data controllers, including the appointment of a data controller representative ('DCR'). Can Sözer, Berfu Öztoprak, and Ecenur Etiler, from Esin Attorney Partnership, discuss the role of DCRs and compare it to that of contact persons and data protection officers ('DPOs').
DCRs in general
Along with other responsibilities, data controllers are required to lawfully process personal data, fulfil their notice requirement, take necessary technical and organisational measures, and register with the Data Controller's Information System ('VERBIS'). Although there are exemptions to the VERBIS registration requirement, all foreign data controllers must register with VERBIS. As part of the VERBIS registration, data controllers must also prepare a data processing inventory, a data retention and disposal policy, and appoint a DCR, as well as a contact person.
The Regulation on Data Controllers Registry 2017 ('the Regulation') defines DCRs as Turkish citizens or legal entities residing in Turkey that assume certain responsibilities, as per the Regulation, on behalf of a foreign data controller. The main purpose of the appointment of the DCR is to enable the effective communication of the foreign data controller with the Personal Data Protection Authority ('KVKK') and the data subjects. Accordingly, as part of their VERBIS registration, foreign data controllers must appoint a DCR.
The DCR must be a Turkish citizen or a legal entity residing in Turkey. In practice, foreign data controllers can appoint their Turkish entities, branches (if any), or their lawyers as their DCR, or other Turkish citizens or entities that they deem appropriate. Foreign data controllers must appoint the DCR through a decision of their authorised body, and a certified copy of the decision must be submitted to the DPA for registration with VERBIS. The legislation does not explicitly require that the board of directors make the appointment; therefore, if the data controller has another body that is authorised to make the appointment, this body can also complete the appointment. In practice, DPOs may make the appointment as well. A copy of the decision must be certified as per the applicable legislation (e.g. apostilled and notarised).
Powers and responsibilities of DCRs
The DCR must be a Turkish citizen or a legal entity residing in Turkey who assumes certain responsibilities. As per Article 11(3) of the Regulation, DCRs have the power and duty to:
- receive official notifications and correspondence from the KVKK on behalf of the data controller;
- convey the requests of the KVKK to the data controller and submit the data controller's response to the KVKK;
- receive and convey data subject requests;
- respond to the relevant data subjects on behalf of the data controller; and
- carry out and manage VERBIS registration procedures on behalf of the data controller.
For the DCR to receive the data subject requests, Article 10 of the Law requires data controllers to disclose the identity of the DCR as part of their notice requirements. In this vein, the identity of the DCR is also accessible to data subjects from the VERBIS registration page of the relevant data controller.
The DPA states in its announcements that the responsibility for ensuring compliance with the Law does not lie with the DCR. Accordingly, even when a foreign data controller appoints a DCR, the data controller is still responsible for any non-compliance with the Law. Therefore, the administrative fines on the data controller or any compensation claims by data subjects concern the data controller, and not the DCR. However, the right of recourse under general principles of the law (e.g. in the case of unauthorised representation) is reserved.
Differences between DCRs and contact persons
The Regulation also introduces the concept of a contact person. All data controllers (both foreign and domestic) must appoint a contact person, who must be a Turkish citizen residing in Turkey. The contact person's information is registered in the system online during registration with VERBIS. Furthermore, no corporate resolution is required for the appointment of the contact person. As per Article 11(4) of the Regulation, unlike DCRs, contact persons are not authorised to represent the data controllers, and they are merely contact points for the KVKK or data subjects to reach out to the data controllers.
Differences between DCRs and DPOs under the GDPR
Although the DCR concept seems similar to that of DPOs under the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'), the roles and responsibilities of DCRs are much more limited compared to those of DPOs, as DCRs do not have decision-making authority and have very limited representation duties.
Moreover, on 6 December 2021, the DPA introduced the concept of DPOs with the Communiqué on the Procedures and Principles Regarding the Personnel Certification Mechanism ('the Communiqué'). The Communiqué stipulates that DPOs have sufficient knowledge of personal data protection legislation in addition to their certification programme.
However, there are still uncertainties on the concept of the DPO under Turkish data protection legislation, as the Communiqué does not explicitly stipulate their roles and responsibilities. Still, one might argue that the approach of the KVKK also indicates that the DCRs under Turkish data protection legislation are different from the DPOs under the GDPR.