Turkish Data Protection Law (KVKK), VERBIS registration and what to do before December 31st, 2021!
Andreas Maetzler, Michael Schweiger
What is KVKK?
The Turkish Data Protection Law (Turkish law no. 6698 - KVKK) was adopted in March 2016 and entered into force in April 2016. Among other things, Article 16 of the KVKK includes a provision requiring registration for all data controllers subject to this law in a Data Controller Registry (VERBIS). Additionally, data controllers located outside of Turkey are required to appoint a representative. The deadline for compliance with these obligations has been postponed several times and finally expired on 31 December 2021.
Find out in this article whether your organisation is subject to KVKK!
1. Is your organisation subject to KVKK?
Article 2 KVKK defines the scope of the Turkish data protection regulation. KVKK applies to natural and legal persons processing personal data of Turkish data subjects. A “data subject” is the person whose personal data is processed. “Personal data” means any information relating to an identified or identifiable natural person. The definition of “processing” is very broad and includes any operation which is performed on the data, such as collecting, recording, storing, altering, transferring, etc. The law does not distinguish between public and private bodies. The procedures and principles laid down are generally applicable to all organisations. Exemptions from applicability include processing solely for private household purposes, official statistics with anonymised data, processing by judicial authorities and processing for public order.
2. Data Controller Registry VERBIS and VERBIS representative
A “data controller” according to Article 4 para (1) lit (i) KVKK is a legal or natural person determining the purpose and means of processing personal data. Article 16 KVKK stipulates that all Turkish and non-Turkish data controllers must register in the Data Controller Registry (VERBIS) before starting to process personal data. Only certain professions and bodies, such as notaries public, law firms and accounting firms, trade unions and political parties, are exempted. For non-Turkish data controllers there is no threshold based on turnover or the number of employees, meaning that even small non-Turkish organisations are subject to KVKK.
The VERBIS registration requires entering a company’s processing activities with:
- the data categories,
- the categories of data subjects,
- the purposes of the processing,
- legal basis,
- data transfers,
- technical and organisational measures and
- retention period.
Any changes to these records have to be made public through VERBIS within seven days of the change.
This registry is to be made public under the supervision of Turkish data protection authorities.
3. Requirements for Non-Turkish controllers
Similar to Article 27 GDPR, the Turkish data protection regulation contains a provision applicable only to foreign data controllers, requiring them to appoint a representative in Turkey in addition to the VERBIS registration. Unlike under GDPR, there is no obligation for data processors to appoint a representative. However, it is important to note that the applicability of KVKK does not depend on the amount of data of Turkish data subjects that is processed. So being a B2B service provider with limited sales activity in Turkey does not per se exclude KVKK applicability.
4. Data subject rights under KVKK
- Right to access
- Right to rectification
- Right to be forgotten
- Right to restriction
- Right to object to processing through automated decision making
- Right to compensation for damages
The Turkish data protection authority has published a Communiqué on the procedure for data subject requests. The request made by the data subject must include name, physical address, Turkish Citizen number (TC), a contact method (email, fax number, telephone) and of course the subject of the DSR. The answer of the controller must contain the same information.
5. What are the fines for non-compliance?
For violations of disclosure obligations, fines of up to TL 270,000 may be imposed in 2022. However, for violations of the registration obligation in VERBIS, significantly higher fines of up to TL 2,700,000 may be imposed. Administrative fines in Turkey are re-evaluated each year. The increase from 2021 to 2022 is 36.20%. This should be kept in mind when working on compliance with KVKK.