Article 5
Principle, rules and procedures
(1) Following principles, rules and procedures shall be applied in establishment, management and supervision of the Registry:
- a) Data controllers are obliged to register with the Registry prior to the start of data processing.
- b) Data controllers not established in Türkiye are obliged to register with the Registry by their representatives prior to the start of data processing.
- c) The Registry shall be kept publicly available. Board is authorized to determine the scope of this principle and derogations provided that the principle of making publicly available is ensured.
- ç) (Amended: OG-28/4/2019-30758) Data controllers under registration obligation are obliged to prepare Personal Data Processing Inventory. The information to be entered in the application for the Registry is prepared based on Personal Data Processing Inventory.
- d) The information entered into the Registry based on personal data processing inventory and published in the Registry, shall be the basis for the obligation to inform for data controllers referred to in Article 10 of the Law, responses to the request of concerned data subjects referred to in Article 13 of the Law and the determination of the scope of explicit consent to be given by data subjects.
- e) Data controllers shall be responsible for the information entered into the Registry and published in the Registry to be complete, accurate, up-to-date and lawful. Registration of the data controllers with the Registry shall not remove the other obligations under the Law.
- f) Without prejudice to the conditions specified in Article 28 of the Law, the Board may provide derogation from the obligation to register for the data controllers meeting certain conditions on the basis of the objective criteria specified in Article 16 of the By-law. This derogation shall not remove the obligations of those data controllers under the Law.
- g) The operations relating to the Registry shall be carried out by data controllers through VERBIS.
- ğ) (Amendment: OG-28/4/2019-30758) – (1) Maximum storage period necessary for the purpose of processing of personal data entered by data controllers into the Registry and published in the Registry shall be basis for erasure, destruction and anonymization obligations of data controllers specified in Article 7 of the Law.