The Personal Data Protection Authority (‘KVKK’) announced, on 27 December 2019, that it had extended the deadline for data controllers to register with the Data Controllers Registry (‘VERBIS’) prior to commencing personal data processing. In particular, the KVKK noted that data controllers with 50 employees or more, or an annual turnover in excess of TRY 25 million (approx. €3.56 million), and data controllers residing abroad must register by 30 June 2020. In addition, the KVKK stated that data controllers with fewer than 50 employees or an annual turnover of less than TRY 25 million and data controllers whose main activity is to process sensitive personal data must register by 30 September 2020, while data controllers responsible for the data of public institutions and organisations must register by 31 December 2020.

Ilay Yilmaz, Can Sozer, and Yigit Acar, Partner, Senior Associate and Associate respectively, at Esin Attorney Partnership, Member of Baker McKenzie International, Istanbul, told OneTrust DataGuidance, “After the deadline for the registration with VERBIS passes, the KVKK will have much more scrutiny over data controllers and may conduct investigations, issue more decisions and impose significant administrative fines to non-compliant companies. [In addition], the KVKK might tighten their inspections for data controllers processing sensitive personal data or transferring personal data abroad. We expect that [mandatory registration to VERBIS] will increase data subjects’ awareness of the protection of their personal data and [the ability to] exercise their rights. This might result in data subjects’ filing more complaints to the KVKK or exercising their rights with data controllers under Law on Protection of Personal Data No. 6698 (‘the Law’).”

Moreover, the KVKK noted that VERBIS will be publicly accessible and that the purpose of the obligation on data controllers to register with and notify VERBIS is to promote transparency in the processing of personal data. In addition, the KVKK highlighted that VERBIS aims, among other things, to prevent the unregulated processing of personal data, develop a culture of awareness in all parts of society with regard to personal data protection, and improve data controllers’ compliance with the Law.

In addition, Tuğrul Sevim and Selen Zengin, Partner and Associate respectively at BTS & Partners, Istanbul, told OneTrust DataGuidance, “[By] extending the deadline for registration, the KVKK [emphasised] that while complying with the registration obligation, data controllers must also prepare a personal data processing inventory that includes all activities which require the processing of personal data. [The extension] underscores the rationale behind the registration obligation to ensure data subjects’ control over their personal data, by imposing transparency and accountability obligations on data controllers. VERBIS registration, to a certain extent, allows data subjects to learn which personal data are processed, the purposes for processing, third-party recipients, retention periods, whether personal data will be transferred outside of Turkey, and the technical and organisational data security measures implemented by the respective data controller.”

Furthermore, the KVKK outlined that the extension decision, which followed an evaluation of VERBIS, found that several data controllers had not submitted the application forms necessary for the registration obligation to be fulfilled. Moreover, the KVKK highlighted that the registration and notification obligation would only be fulfilled when data controllers log in to VERBIS, complete the application form via the VERBIS system, and deliver this form to the KVKK by hand, post or via Registered Electronic Mail. Additionally, the KVKK stipulated that once the application form is submitted, data controllers will be required to log in to VERBIS with the username and password issued to them by the KVKK.

Finally, Burcu Tuzcu Ersin, Partner at Moroğlu Arseven, Istanbul, told OneTrust DataGuidance, “As per Article 18(1)(ç) of the Law, if there is a violation of the registration and notification obligation to VERBIS, an administrative fine between TRY 36,050 (approx. €5,400) and TRY 1.8 million (approx. €270,250) may be imposed. A violation may occur when an obliged data controller fails to complete the registration [before] the relevant deadline; the registered information is not accurate, lawful or up-to-date; or when changes to data controller’s activities are not reflected in VERBIS records within seven days.”

Lily Davies, Privacy Analyst