Welcoming 2018: What a year for Protection of Data in Turkey and Europe

There is no doubt that 2017 was full of hard work for many of us who have been actively working on data protection compliance projects.

Now that the Turkish Data Protection Authority (“DPA”) is fully functional and Data Protection Board (“Board”) is working really hard to prepare certain secondary legislation and guide us in the data privacy practice, it is time to take this seriously!

We thought giving you an update on what happened in 2017 could be a good starting point. 2018 will be the year we will all be talking and working about data privacy as the April 2018 deadline is approaching and GDPR is happening!


We need to register with VERBIS!

The Regulation on Data Protection Registry was published by the DPA literally on the last days of 2017 and came into force as of January 1, 2018. To cut it short, this is the main piece of legislation regarding the registry system that will be applicable for data controllers. The online registry system is called VERBIS and is expected to be live and running in a very short time. We know that the infrastructure is ready, and tests are to be completed soon.

What does this mean?

It means that if you are a data controller you must register with VERBIS. There may be few exemptions, but the Board did not announce them yet.  So hurry!

What is needed for registration?

  • All data controllers must have a correspondent for managing the relations with the DPA. If you are a Turkish company, the correspondent will be the Company itself to be represented via a real person to be informed to the DPA. If you are a foreign company processing Turkish person’s data in Turkey you must APPOINT A REPRESENTATIVE as correspondent.
  • You must prepare a personal data processing INVENTORY.
  • You must determine WHY you are processing personal data.
  • You must identify TO WHOM YOU TRANSFER the personal data you are processing.
  • You must verify what type of SECURITY MEASURES you are taking and make sure that you comply with the law and the criteria determined by the DPA.  
  • You must determine your MAXIMUM RETENTION PERIODS based on data categories. Also you must prepare a policy and set your principles for retention and neutralization[1].

Time for decluttering!

The Regulation on Deletion, Destruction and Anonymization was published earlier in October 28, 2017 and came into force as of January 1, 2018.

What does this mean?

It means that it is time for Spring Cleaning!

There is no doubt that deletion, destruction and/or anonymization are all very technical and administrative. Plus, all of these are very new concepts for Turkish data controllers. But there is a lot to be done to comply with the laws.

Those data controllers, who are required to be registered with VERBIS must determine their retention periods and prepare a retention & neutralization policy.

The neutralization is not only applicable to those who are required to be registered with VERBIS. Other data controllers who may be exempt from registration must also comply with the regulations but they are exempt from preparing a retention and neutralization policy.  All data controllers must examine which data they can keep in compliance with the laws and delete/destroy/anonymize the others.

What is needed for preparing a policy?

You must prepare your policy in light of your personal data inventory.

You must include in your policy, among others,

  • What data STORAGE MEDIUMS you are using and how your retention and neutralization policy is organizing them,
  • What legal, technical or other GROUNDS are necessary for you to duly retain and neutralize others’ personal data,
  • What technical and administrative measures you are taking or willing to take to SAFEGUARD the data and to prevent unlawful processing and access by others,
  • Technical and administrative METHODS for neutralization of the data as per the laws,
  • Who are involved in the retention and neutralization processes and what are their roles in your ORGANIZATION chart (titles, departments and job descriptions),
  • What are your retention and neutralization PERIODS,
  • How you plan to keep it up to date and when will you be doing your PERIODIC NEUTRALIZATION



We are expecting the Board to issue the WHITE LISTED COUNTRIES in the first quarter of 2018 or even the criteria for such. Transfer of data outside of Turkey (which may simply include using cloud computing services or apps having their own cloud servers) or simply sharing a database with the parent company outside of Turkey is currently very problematic if you do not obtain the consent of the data subjects. We hope this will soon be clarified by the Board. We expect that global companies or global service providers (like Microsoft, Salesforce, Oracle etc.)  will be able to solve the problem to transfer of data to abroad by applying to the DPA for permission.

Although not explicitly regulated in the Turkish legislation, we are expecting that assessment requirements may be imposed similar to data PRIVACY IMPACT ASSESSMENTS in the EU.

Use of CLOUD systems is currently problematic, but we expect the Board to also clarify this point very soon.

The DPA is working hard to raise AWARENESS of data subjects regarding their data privacy. Thus Data Controllers must be ready to handle requests of data subjects in 2018 and neutralize the data subject’s data if requested or respond accordingly. This is especially very important for telecommunication companies, retail businesses, e-commerce companies, and any B2C companies.

April 7, 2018 may be beginning for a new era. We must get ready!



Don’t forget the DEADLINE for compliance of any data obtained prior to April 7, 2016 is expiring on APRIL 7, 2018.

What should we have done? What do we need to do?

  • REVISE YOUR NEW YEAR’S RESOLUTIONS LIST! You should have prepared your data inventory, data processing policy and your retention and neutralization policy. If you didn’t do so, you should include these to the top of your new year’s resolutions list.
  • DOUBLE CHECK WHAT YOU DID! If you were good in 2017 and prepared your inventory and policies, just double check them with the newly issued regulations and guidelines of the DPA.
  • DPO, REALLY? Appoint a data protection officer or at least form an internal committee who will manage and organize all the necessary work. Yes, it is not mandatory! But it is extremely useful. Don’t forget, once the data subjects (i.e your customers, employees and your partners) are more aware of their rights, they will start knocking your door.
  • FIND YOUR REP! If you are not a Turkish company but doing business in Turkey and processing personal information you need to appoint a representative to liaise your relations with the DPA. Don’t forget, if you fail to do it, you may be fined.
  • DECLUTTER, DECLUTTER, DECLUTTER! April 7, 2018 is the latest date to provide compliance for all data processing as per provisional article 1 of the Data Protection Law. By this date, all personal data, which were not duly processed within the scope of the Data Protection Law, must be neutralized (deleted, destroyed or anonymized).
  • GET ORGANIZED. Revise your organizational chart, just authorize who are permitted to process / have access to data, and re-organize yourselves. If you fail to properly distribute the authorization for access to data you may be engaging in illegal data processing.


[1] See http://www.ozbek.av.tr/data-privacy-blog/deletion-destruction-or-anonymization-of-personal-data/ for additional information.