Regulation for Data Controller Registry

Some of the important updates on data protection legislation in Turkey in the beginning of the new year are:

1. The Regulation on Data Controller Registry (“RDCR”) was published on December 30, 2017 and came into force on January 1, 2018. The data controllers, who will not be exempted by the Data Protection Board (“Board”), will have to register to Data Controller Registry system called VERBIS. The Board’s announcement of January 2, 2018 stated that the obligation of VERBIS registration will begin on the date the Board will determine, which will be after initiation of VERBIS and identification of exemption criteria by the Board.

As RDCR requires data controllers to complete their registration, we recommend data controllers to register immediately after the registration commencement date is announced by the Board. Although the Board will determine the exemption criteria, we recommend data controllers to begin preparations assuming they will not be exempt. The preparations may require extensive work as a complete knowledge of the company data processing operations is mandatory to properly comply with registration requirements. Time is essential.

The following will be required for registration:

  • Identity and address information of data controller, its representative and contact person as determined in the application form Board will issue.
  • Purposes for processing personal data (To be input in VERBIS based on Personal Data Processing Inventory)
  • Personal data receivers or receiver groups (To be input in VERBIS based on Personal Data Processing Inventory)
  • Security measures taken per Article 12 of the Data Protection Law and Board’s criteria (To be input in VERBIS based on Personal Data Processing Inventory encompassing requirements of Article 12)
  • Personal data maximum retention periods based on relevant legislation or the time needed to fulfill the purposes of processing. The information regarding such retention periods will be notified to the Data Controller Registry by matching them with data categories.

In addition to the foregoing, data controllers who are obliged to register, must also prepare a Retention & Neutralization Policy[1].

2. The Regulation on Deletion, Destruction and Anonymization of Personal Data (RDDA) was published on October 28, 2017. In the beginning of the year 2018, first day of January, RDDA came into force. Data controllers who are obliged to register to VERBIS are also required to prepare a Retention & Neutralization Policy.

These essential developments are probably a signal of an active and important year in terms of data protection in Turkey. Therefore, we recommend all data controllers to at least make their Personal Data Inventory and Retention & Neutralization Policy ready.



[1] See http://www.ozbek.av.tr/data-privacy-blog/article-on-neutralization-of-personal-data for additional information.