Towards the end of 2022, the Turkish Data Protection Authority (“DPA”) started sending information request letters to foreign controllers (data controllers that are located outside Turkey but collect/process personal data from Turkey) that did not register with the Data Controllers’ Registry (“VERBIS”) by the applicable deadline (i.e. December 31, 2021).
Pursuant to the Law on Protection of Personal Data with no. 6698 (“DPL”), all foreign controllers that collect data from Turkey are required to:
- appoint a local representative in Turkey, and
- register with VERBIS.
The deadline to register with VERBIS was December 31, 2021, and now, foreign controllers that missed this deadline to register or failed to register at all are being investigated by the DPA.
Additionally, on April 21, 2022, the DPA made a public announcement about VERBIS, stating that for data controllers that did not fulfil the obligation to register with VERBIS, administrative sanctions will be applied.
How are the administrative sanctions calculated?
Pursuant to Art. 17/2 of the Law on Misdemeanours with no. 5326, when an administrative fine is stipulated in the legislation by providing a range (minimum and maximum), the following must be taken into consideration to determine the applicable fine:
- Level of illegality,
- Level of negligence of the perpetrator, and
- Financial status of the perpetrator.
For this purpose, in its information request letters sent to foreign controllers, the DPA requests the following information to calculate the administrative fines that will be applied:
- Is the foreign controller targeting the data subjects residing in Turkey?
- Does the foreign controller have an establishment in Turkey?
- Is the foreign controller monitoring behaviours of data subjects residing in Turkey?
- Does the foreign controller process sensitive personal data of data subjects residing in Turkey?
- What is the total number of users, members, customers, daily visits and number of application downloads from Turkey?
- Global annual turnover and number of employees for 2020 and 2021.
What is the timeline to provide the information?
Foreign controllers are required to respond within 15 days of receiving the letter. That said, it is possible to request a time extension from the DPA. If the foreign controller does not provide the requested information in time, the DPA may impose administrative sanctions based on publicly available information and resources.
What is the actual risk for non-compliance?
The administrative sanction that the DPA may apply is between TRY 119.428 – TRY 5.971.989 (approx. USD 6.120 – USD 306.000).
In addition to the administrative fine, the DPA may instruct the foreign controller to register with VERBIS. If the foreign controller fails to comply with this instruction, an additional fine between TRY 149.285 – TRY 5.971.989 (approx. USD 7.650 – USD 306.000) may be imposed.
Lastly, although unlikely, the DPA may decide to restrict the data processing operations of the foreign controller pursuant to Art. 15/7 of the DPL.
Author: Burak Ozdagistanli, CIPM, CIPPE, LL.M.