Does the KVKK apply to my company?

KVKK applies to all organisations processing personal data of data subjects in Turkey. Insofar KVKK reaches out globally and regulates all processing activities related to Turkish individuals.

Exempted from the applicability of KVKK are only:

• household activities;
• official statistics with anonymised data;
• artistical, historical, literary or scientific purpose if national defence, national security, public security, public order, economic security are not violated;
• preventive, protective and intelligence activities by public bodies which are assigned by law to protect the above-mentioned public goods;
• processing by judicial or execution authorities with regard to investigation, prosecution, judicial and execution proceedings.

All other processing activities by foreign organisations are therefore subject to KVKK and need to comply with it, especially with the obligation to appoint a Data Controller Representative and to register with Data Controllers' Registry Information System (VERBIS).

You are required to appoint a Data Controller Representative in Turkey if your organisation:

• is acting as a Data Controller and not as a processor;
• is processing personal data of individuals in Turkey; and
• is not established in Turkey.

Is our company a Data Controller under KVKK?

An organisation qualifies as a data controller under KVKK if it determines the purposes and means of processing personal data and is responsible for the establishment and management of the technical infrastructure to process such data. In contrast, a processor under KVKK is an organisation which processes personal data on behalf of the data controller upon its authorisation. The concept is therefore identical with the GDPR and the decisive criteria is, if an organisation has the authority to decide over and define the processing activities.

Are we processing personal data of data subjects in Turkey?

Processing means any operation which is performed on personal data with at least partially automated means, such as collection, recording, storage, protection, alteration, adaptation, disclosure, transfer, retrieval, making available for collection, categorisation, preventing the use thereof and much more. The term is therefore very broad and intends to include any handling of personal data. Are subject to such processing activities individuals in Turkey, your organisation falls under KVKK. Examples are:

• having active business in Turkey with customers, users, students, patients, which are Turkish data subjects;
• any attempt to target Turkish individuals with google ads or any other online marketing campaign;
• monitoring Turkish individuals with cookies, behavioural advertisement, geo-localisation activities.

If your organisation qualifies as a controller and processes personal data of Turkish individuals, you are required to appoint a Data Controller Representative according to KVKK.

Are there any exemptions?

Besides those companies which process personal data only by non-automatic means, the following organisations are exempted from the obligation to appoint a representative:

• Certain professions like notary publics, law and accounting firms;
• Trade unions;
• Political parties.

VERBIS is the Data Controllers' Registry Information System established on the basis of art 16 KVKK. Before processing personal data, a Data Controller must register in VERBIS.

How does the registration work?

For Foreign Data Controllers the registration can only be conducted by the representative. You first need to appoint a Data Controller Representative who then takes care of the registration.

The registration requires a list of processing activities similar to the records of processing activities under GDPR. The representative enters these processing activities in the VERBIS interface (verbis.kvkk.gov.tr) to complete the registration.

What is the deadline for the registration?

The deadline was extended several times but will end now on December 31st, 2021.

Not appointing a Data Controller Representative although being required to do so, may trigger sanctions according to Art. 18 of the CCCTB. Non-compliance fines are increased every year and are now about 2 million Turkish Lira as of 2022. Be aware that the increase from 2021 to 2022 is as high as 36,20%.

How to sign up for the Prighter Turkey DCR service?

As Turkish law contains formal requirements for signatures and the VERBIS registration an end-end digital process is not compliant. Therefore, the signup process is as follows:

1. Complete the signup form with your company information and generate the Power of Attorney (PoA).
2. Have the PoA duly signed, notarised and apostilled at the place of signature.
3. Send us the scanned version of the PoA followed by the originals to our Turkish address via registered mail.
4. We have the PoA notarised in Turkey and handle the VERBIS registration.

Who is the service provider for the Prighter Turkey DCR?

Prighter partners with IPTECH Legal Danışmanlık Ltd. Şti for the Prighter Turkey DCR service and Ozdagistanli Ekici Attorney Partnership for the legal advice according to Turkish law. The client relationship, support and payments are centralised and managed by Prighter Group.