The Announcement Of Turkish Personal Data Protection Board On Extension Of The Deadline To Register With The Verbis System
The Brief Summary of Personal Data Protection Board’s Resolution on the dates with regard to registration to the Data Controllers’ Registry
:amendment in registration dates to Data Controllers’ Registry
Pursuant to Article 16 of the Code No. 6698 on the Protection of Personal Data, real persons or legal entities processing personal data shall register with the Data Controller’s Registry before processing.
Data Controllers’ Registry is maintained by the Personal Data Protection Authority in an open to public manner under the auspices of the Turkish Personal Data Protection Board(‘‘Board’’). The Data Controllers are obliged to make an entry and provide information to the so called Data Controllers’ Registry Information System (‘‘VERBIS’’) with regard to personal data being processed by them.
Due to the fact that VERBIS is maintained in a publicly available manner, it offers the real persons whose personal data has been processed to have control over their own data, accordingly VERBIS is a transparent and accountable system.
The obligation to register with VERBIS is imposed by the Law for real persons and legal entities processing personal data, and sanctions have been stipulated for those who fail to meet this obligation. However, the primary objective is to ensure transparency in personal data processing, to make sure the data controllers pay attention to comply with the law and make the data processing in a disciplinary manner, providing accountability, to avoid haphazard processing of the personal data and to provide an awareness and culture on data processing.
As a result of assessments made based on VERBIS; it has been observed that some of the Data Controllers believe that they meet the obligation only by sending the Application Forms to the Personal Data Protection Authority and accordingly fail to make notification. It is important to note that the contact person shall complete the notification after having access through ‘Register’ button. The obligation to register with the system and notification would not be finalized unless made through the system. As known, the obligation stipulated at Article 16 of the Code is registration and notification for the data controllers who are not within the scope exemption. In this regard, Data Controllers shall first access to VERBIS and fill in the Application Form through system, and afterwards deliver the Application Form to Board via courier, mail, in person or through KEP registered e-mail address. After the submission of the Application Form, the Authority will send the Data Controller a username and password, and the Data Controller shall make the notification through VERBIS system with this username and password.
On the other hand, it has been observed that to meet the registration and notification requirement within due course, the Data Controllers have made extensive and profound amount of applications and notifications in recent days through VERBIS.
The primary objectives of the registration and notification requirement set forth at the Code No.6698 for the Data Controller are to ensure;
- Transparency in data processing,
- Avoiding haphazard processing of the personal data and to discipline personal data processing activities,
- Increasing culture and awareness at all segments of the society on data processing, providing accountability against the data owners whose is data is being processed,
- Data Controllers comply with the Law,
- Registration of all Data Controllers to the VERBIS, except for the exempted ones.
As it could be understood from the foregoing objectives, the requirement of registration and notification requires not only registration with VERBIS in due course but also accuracy and reliability of the updated information to be provided to VERBIS within the context of personal data processing activities.
Based on the reviews made at VERBIS on the recently provided notifications, it has been concluded that; the processed personal data does not reconcile with purposes of process, the receivers of the transmitted information, data owners, technical and administrative measures taken, sufficient measures to be taken for personal data with special character, transmission of the data abroad, and the time period for preservation of data. It is also concluded that there are serious mistakes and noncompliance with the Code and Regulation.
- is understood that one of the reasons behind such mistakes is attempting to make a registration within deadline set forth by the Board just to avoid the sanctions stipulated at Article 18 of the Code.
There are certain provisions set out at Article 16 of the Code and it is stated thereof that other procedures and principles related to Data Controllers’ Registry shall be set out by a secondary legislation. Accordingly, the following sub paragraphs have been set forth at Article 5 of the Regulation on Data Controllers’ Registry published at Official Gazette of Turkey dated 31.12.2017;
“ç) The Data Controllers who are obliged to register with VERBIS are also obliged to prepare a ‘‘Personal Data Processing Inventory’’ and information to be disclosed to the Registry shall be prepared based on Personal Data Processing Inventory.
d) Information published at the Registry based on Personal Data Processing Inventory shall be used in the duty of explanation imposed on the Data Controllers at Article 10 of the Code; in providing answer to the queries of the relevant person and determination of the content of the open consent stipulated at Article 13 of the Code.
e) Data Controllers are responsible for accuracy, completeness, up to datedness and compliance with the law of the information which are submitted to and published at the Registry.”
Accordingly, first and foremost Data Controllers are obliged to prepare a Personal Data Processing Inventory including all the phases for data processing in meeting their obligations of registry to VERBIS and notification. In making the notification, instead of randomly, the entries shall be made based on the Personal Data Processing Inventory.
Besides, in accordance with Article 16 of the Code which stipulates that changes in information provided to Registry shall be immediately notified to the Authority and Article 13 of the Regulation on Data Controller Registry which imposes notification to the Authority of all changes within a week through VERBIS, all the updating shall be completed within the set deadline.
Having reviewed the information and made an evaluation based on the information entered to the VERBIS system within the context of registration and notification requirement the Board has decided as follows;
a) Within the scope of registration with VERBIS and notification requirement; it has been decided to remind to all Data Controllers that,
- Some of the Data Controllers has only submitted Application Form, however the requirement stipulated at Article 16 of the Code requires both registration and notification, therefore it is mandatory to log into VERBIS through assigned username and password and completion of notification on personal data processing activity,
- The main objective of registration with VERBIS and notification is to ensure transparency in personal data processing, avoiding haphazard processing and disciplining the processing activity, increasing the culture and awareness in this area, providing accountability against the data owners to ensure the Data Controllers comply with the law and registration of all the Data Controllers except for the ones who are granted with exemption,
- Registration with VERBIS and notification requirement should not be interpreted as only making registry within due course to avoid the sanction stipulated at the Law, and registry and notification itself might be contrary to the law,
- Having reviewed the recent notifications made to VERBİS, it is understood that the personal data does not coincide with purposes of process, the receiver/receivers group, personal data owners, technical and administrative measures taken, sufficient measures, transmission of the data abroad, and the time period for preservation of data. It is also concluded that there are serious mistakes and noncompliance with the Code and Regulation.
- Information submitted to VERBIS shall be accurate and updated and the pertinent Data Controller has the responsible for these information,
- The Data Controllers who are obliged to register with the Registry are also obliged to prepare a Personal Data Processing Inventory in accordance with the Regulation on Data Controllers’ Registry,
- Data Controllers are obliged to prepare Personal Data Processing Inventory first, including all the phases for data processing in meeting their obligations of registry to VERBIS and notification. In making the notification, instead of randomly, the entries shall be made based on the Personal Data Processing Inventory.
- Changes in information registered to Registry shall be immediately notified to the Authority within a week starting from occurrence of the change.
b) In the light of the explanations provided above and taking into consideration the Data Controllers who made haphazard registration and notification without preparation of Personal Data Processing Inventory and the Data Controllers who did not complete Inventory preparation phase and as a result of which who would not be able to make the registration and notification within the set deadline; besides to correct the mistakes and rectify noncompliance with the law immediately; pursuant to the Provisional Article 1 of the Code No:6698, the Board has decided as follows,
- For the real person and legal entity Data Controllers; who have more than 50 employees annually or have a balance sheet sum of more than 25 million TRY for per year, the deadline for registration with the VERBIS and notification requirement has been extended to 30.06.2020.
- For the real person and legal entity Data Controllers who are domiciled, incorporated abroad, the deadline for registration with the VERBIS and notification requirement has been extended to 30.06.2020.
- For the real person and legal entity Data Controllers who have less than 50 employees annually and have a balance sheet sum of less than 25 million TRY for per year, but still having main activity as processing personal data in special character, the deadline for registration with the VERBIS and notification requirement has been extended to 30.09.2020.
- For the public institution Data Controllers, the deadline for registration with the VERBIS and notification requirement has been extended to 31.12.2020.
c) It has been also decided to announce that Decision at the web page of the Personal Data Protection Authority and publish at the Official Gazette of Turkey.