Blog

Turkish Data Protection Law (KVKK), VERBIS registration and what to do before December 31st, 2021!

Man called Andreas in a suit. Man called Michael in a suit.

Andreas Maetzler, Michael Schweiger

What is KVKK?

The Turkish Data Protection Law (Turkish law no. 6698 - KVKK) was adopted in March 2016 and entered into force in April 2016. Among other things, Article 16 of the KVKK includes a provision requiring registration for all data controllers subject to this law in a Data Controller Registry (VERBIS). Additionally, data controllers located outside of Turkey are required to appoint a representative. The deadline for compliance with these obligations has been postponed several times and finally expired on 31 December 2021.

Find out in this article whether your organisation is subject to KVKK! You can find more information here.

1. Is your organisation subject to KVKK?

Article 2 KVKK defines the scope of the Turkish data protection regulation. KVKK applies to natural and legal persons processing personal data of Turkish data subjects. A “data subject” is the person whose personal data is processed. “Personal data” means any information relating to an identified or identifiable natural person. The definition of “processing” is very broad and includes any operation which is performed on the data, such as collecting, recording, storing, altering, transferring, etc. The law does not distinguish between public and private bodies. The procedures and principles laid down are generally applicable to all organisations. Exemptions of the applicability include the processing only for purposes of private households, official statistics with anonymised data, processing by judicial authorities and processing for public order.

2. Data Controller Registry VERBIS and VERBIS representative

A “data controller” according to Article 4 para (1) lit (i) KVKK is a legal or natural person determining the purpose and means of processing personal data. Article 16 KVKK stipulates that all Turkish and non-Turkish data controllers must register in the Data Controller Registry (VERBIS) before starting to process personal data. Only certain professions like notary publics, law firms and accounting firms, trade unions and political parties are exempted. For non-Turkish data controllers there is no threshold due to turnover or the number of employees, meaning that even small non-Turkish organisations are subject to KVKK.

The VERBIS registration requires entering a company’s processing activities with:

  • the data categories,
  • the categories of data subjects,
  • the purposes of the processing,
  • legal basis,
  • data transfers,
  • technical and organisational measures and
  • retention period.

Any changes to these records have to be made public through VERBIS within seven days of the change.

This registry is to be made public under the supervision of Turkish data protection authorities.

3. Requirements for Non-Turkish controllers

Similar to Article 27 GDPR, the Turkish data protection regulation contains a provision which is only applicable on foreign data controllers requiring them to appoint a representative in Turkey in addition to the VERBIS registration. Other than under GDPR there is no obligation for data processors to appoint a representative. However, it is important to note that the applicability of KVKK does not depend on the amount of data processed of Turkish data subjects. So being a B2B service provider with limited sales activity in Turkey does not per se exclude KVKK applicability.

The representative will be the point of contact for the Turkish data protection authority and for data subjects and handle the communication with these stakeholders. The fact that a representative is appointed by a company has to be communicated to the Turkish data subject, when collecting its personal data to comply with information obligations. The usual way to comply with this obligation is to include a wording in the privacy policy. Furthermore, the representative conducts the registration for VERBIS. The prevailing legal opinion considers a registration by a foreign controller itself as impossible. At least from a practical point of view this makes sense, because the attempt by a foreign data controller to self-register would be as if one had declared their own non-compliance with the requirement to appoint a representative to the Turkish data protection authority. In GDPR and UK-GDPR you will find an exemption for the appointment of a representative for public bodies, meaning e.g. public universities and governmental institutions do not have to appoint a representative according to Article 27 (UK) GDPR. However, as mentioned above, KVKK does not distinguish between private and public bodies, but only contains exemptions for preventive, protective and intelligence activities by public bodies. The process of appointing a data controller representative in Turkey is more complicated than under GDPR, because the appointment needs to be signed and the signature needs to be notarised and apostilled. An end-to-end digital process is not possible.

4. Data subject rights under KVKK

When reaching out to the Turkish market, foreign data controllers should also be prepared to handle data subjects’ rights in compliance with KVKK. Art 10 KVKK obliges data controllers to inform the data subject about the processing activities when collecting personal data. This can be done in the privacy policy. The controller must inform about its identity, its representative in Turkey, the purposes of the processing, the data transfers, the legal basis and about the data subject rights granted by KVKK. We assume that a similar standard will be applied in the assessment of this information as for the information obligation under GDPR. Therefore, the information should be concise, transparent, intelligible and in an easily accessible form, using clear and plain language. Besides the information right, Turkish data subjects have the following data subject rights (DSRs):

  • Right to access
  • Right to rectification
  • Right to be forgotten
  • Right to restriction
  • Right to object processing through automated decision making
  • Right to compensation for damages

For the procedure of the data subject request a Communique has been published by the Turkish data protection authority. The request made by the data subject must include name, physical address, Turkish Citizen number (TC), a contact method (email, fax number, telephone) and of course the subject of the DSR. The answer of the controller must contain the same information.

5. What are the fines for non-compliance?

For violations of disclosure obligations, fines of up to TL 270,000 may be imposed in 2022. However, for violations of the registration obligation in VERBIS, significantly higher fines of up to TL 2,700,000 may be imposed. Administrative fines in Turkey are re-evaluated each year. The increase from 2021 to 2022 is 36.20%. This should be kept in mind when working on compliance with KVKK.