Pursuant to Article 16 of the Code No. 6698 on the Protection of Personal Data, real persons or legal entities processing personal data shall register with the Data Controller’s Registry before processing.More
| Reading Time: 6 Minute(s)
Liabilities of Members of Board of Directors at Joint-Stock Companies Within The Context of Personal Data Protection Law in Turkey
Directors of Joint-Stock Companies are Liable Under Turkish Personal Data Protection Law
According to Article 16 of the Code Numbered 6698 on the Protection of Personal Data, real persons or legal entities processing personal data shall register with the Data Controller’s Registry before any processing.
Article 3 of the said Code defines the Data Controllers as real persons or legal entities responsible for setting out the objectives of processing persona data, establishment and management of data registration system within the meaning of the law. In practice, the company itself has deemed a data controller for the joint-stock companies. It is obliged to register at the so-called (“VERBIS”) Data Controllers’ Registry Information System.
According to the recent announcement of the Turkish Personal Data Protection Board on the extension of the deadline to register with the Data Controllers’ Registry “VERBIS” system dated December 27, 2019, the Board has provided the reasoning behind such extension for registration, besides elaborated on what is expected from the Data Controllers to honour the law and avoid sanctions stipulated in the law.
As a side note, for joint-stock companies, which have more than 50 employees annually or have a balance sheet sum of more than 25 million TRY per year, the deadline for registration with the VERBIS and notification requirement has been extended to 30.06.2020.
To obey the law, Data Controllers are obliged to make an entry and provide information to the so-called Data Controllers’ Registry Information System (“VERBIS”) concerning personal data being processed by them. The Board has also stressed the importance of accuracy and reliability of the updated information to VERBIS within personal data processing activities.
In addition to Code No. 6698 on the Protection of Personal Data, to fully comply with the personal data protection requirements, special attention must be paid to the procedures and principles set out at;
I) Regulation on Data Controllers’ Registry published at Official Gazette of Turkey dated 31.12.2017 and,
II) Regulation on Deletion, Destruction and Making Anonymous of Personal data published at the Official Gazette dated October 28, 2017, respectively.
Among others, one of the important provisions set forth at the said secondary legislation is that Data Controllers who are obliged to register with VERBIS are also obliged to prepare a Personal Data Processing Inventory, and information to be disclosed to the VERBIS shall be prepared based on that Personal Data Processing Inventory.
In determining whether;
I) duty to disclose and full representation to the personal data owner has been met and,
II) open consent of the data owner has been obtained, the Personal Data Processing Inventory prepared by the Data Controllers is also taken into account.
As stated above, Data Controllers are responsible for accuracy, completeness, up to datedness and compliance with the law of the information submitted to and published at the Registry.
What is The Criminal Liability of Board Members of Joint-Stock Companies?
In Section 5 of the Code Numbered 6698 on the Protection of Personal Data Code, the type of wrongdoing in felonies and misdemeanours have been defined in detail in case of breach of the law. Article 17 of the Code defines the felony and stipulates that relevant articles of Turkish Criminal Code Numbered 5237, which are Article 135 to Article 140, shall apply for personal data crimes.
In addition, if the Data Controller fails to erase, destroy or make anonymous the personal data within the due course, Article 138 of the Turkish Criminal Code shall apply.
When we take a close look at the referred Articles of Turkish Criminal Code; Article 135 of the Turkish Criminal Code reads as; any wrongdoer shall be subject to sanction starting from one year up to 3 years of imprisonment in case the personal data is illegally recorded.
Article 136 regulates illegal taking and dissemination of personal data, and the sanction stipulated for violation of the said Article is imprisonment starting from two years up to four years.
Article 137 regulates aggravating factors, which is committing the crime will increase the punishment up to half of the originally imposed sanction.
Article 138 specifically regulates the destruction of data. It imposes on the person in charge to destruct the data when required, and the consequence of non-obedience is imprisonment starting from one year up to two years.
According to Article 139, in almost all the crimes within the context of personal data protection, the Prosecutor acts automatically for investigation without any need for a criminal complaint of a third party.
Finally, in Article 140 of the Turkish Criminal Code, the proper sanction shall be imposed for the legal entities such as joint-stock companies by considering the unique character associated with being a legal entity and structure.
Having reviewed the pertinent provisions of the Protection of Personal Data Code and Turkish Criminal Code, it is fair to jump to the conclusion that the Legislator attaches specific importance to the protection of personal data and therefore set forth severe sanctions in case of any violation.
When it comes to corporations, such as in the case of joint-stock companies, which are in the form of a legal entity, the Data Controller is designated as the company itself within the meaning of the law. Therefore, the company rather than the shareholders will face and be subject to criminal and monetary sanctions stipulated in the law.
The responsible organ of the joint-stock companies is the Board of Directors, which can bind and represent the company, and about criminal liability, proving culpability element (existence of men’s rea, actus reus and concurrence), the members of the Board of Directors do have personal criminal liability for the crimes set out at the Personal Data Protection Code and Turkish Criminal Code.
However, the Board, with a clear division of labour among themselves like obtaining a board resolution or issuance of an internal directive to that end, might confer upon and delegate certain duties with regard to the protection of personal data to one of the Board of Directors members or other professionals within the company. In the absence of such delegation, all Board of Directors members might be held liable for criminal liability.
Administrative Sanctions – Misdemeanor
Article 17 of the Code defines the misdemeanour and specifies the acts that lead to administrative fines. Accordingly;
- Any data controller who fails to meet the duty to disclose and full representation stipulated at Article 10 of the Code shall be punished with an administrative fine in the range of 5.000TRY to 100.000 TRY.
- Any data controller who fails to meet the duty to ensure data security stipulated in Article 12 of the Code shall be punished with an administrative fine in the range of 15.000TRY to 1.000.000 TRY
- Any data controller who fails to fulfil the decisions of the Personal Data Protection Board stipulated in Article 15 of the Code shall be punished with an administrative fine in the range of 25.000TRY to 1.000.000 TRY.
- Any data controller who fails to register with VERBIS and meet the notification requirement stipulated in Article 16 of the Code shall be punished with an administrative fine in the range of 20.000TRY to 1.000.000 TRY.
When it comes to an administrative fine, it should be noted that it is public debt. Therefore the member of the Board of Directors is also personally liable for the debt unless it is fully satisfied from the assets of the joint-stock companies in the first place.
It is important to note that the only obligation of the shareholders of the joint-stock companies is against the company itself, which is making the committed capital payment in full, which also means the shareholders do not have any responsibility for the public debts incurred in joint-stock companies.
However, suppose a shareholder also holds a position as a member of the Board of Directors at joint-stock companies. In that case, it does incur personal liability for the administrative fines imposed by the Personal Data Protection Board.
Accordingly, to avoid the risk of facing any criminal and civil liability in joint-stock companies completely, the shareholders usually opt for recruiting professionals who would hold a seat at the Board of Directors and decide on the delicate matters, or delegate certain powers to third parties under well-pleaded Board of Directors Resolution or Internal Directives which inexplicitly indicate the persons in charge on specific matters.
-  Published at Official Gazette of Turkey dated 07.04.2016 and numbered 29677.
-  The full text can be reached from the following address: <https://www.kvkk.gov.tr/Icerik/6631/Veri-Sorumlulari-Siciline-Kayit-Yukumlulugune-Iliskin-Kurulca-Belirlenen-Tarihler-Hakkinda-2019-387-Sayili-Kurul-Karar-Ozeti>.
-  According to Article 365 of the Turkish Commercial Code, the Joint Stock Company is managed and represented by the Company’s Board of Directors.
Article Keywords: Board of Directors, Protection of Personal Data, Joint-Stock Companies, Personal Data Protection Law in Turkey, Personal Data Protection Law, Data Controller, Data Controller’s Registry, Liabilities of Members of Board of Directors at Joint-Stock Companies Within The Context of Personal Data Protection Law in Turkey, Turkish Commercial Code, Joint Stock Company, Personal Data Protection Board, Turkish Personal Data Protection Board.