New Regulations Have Been Announced by the Protection of Personal Data Institution
In the 28 April 2019 dated and 30758 numbered Official Gazette, certain amendment texts directly related with the law on protection of personal data legislation, have been published. These amendments have been done in legislations of purge/destruction/anonymization of personal data, VERBIS and the obligation to inform, are respectively as follows:
- Regulation on Purging, Destruction and Anonymization of Personal Data
- Regulation on the Data Controllers’ Registry System
- Communiqué on Procedures and Principles to Be Followed in Fulfilling Obligation to Inform
Our comments along with the amendments regarding the abovementioned legislations are as follows:
1. Regulation on Purging, Destruction and Anonymization of Personal Data
Article No. |
Previous Text |
Updated Text |
Art. 4/1 |
e) Personal data processing inventory: refers to the inventory where data controllers conduct their data processing activities which are dependent on their business processes and defines the maximum necessary duration by linking with data processing goals, data category, recipient group and elaborates by explaining the precautions regarding data security. |
e) Personal data processing inventory: refers to the inventory where data controllers conduct their data processing activities which are dependent on their business processes and defines the maximum necessary retention period by linking with data processing goals and legal cause, data category, recipient group and elaborates by explaining the precautions regarding data security. |
Art. 7/4 |
Data controller is required to explain the methods applied when conducting transactions of purge, destruction, anonymization of personal data in the related policies and procedures. |
Data controller is required to explain the methods applied when conducting transactions of purge, destruction or anonymization of personal data in the related policies and procedures. |
Art. 12 |
When relevant individual requests purge or deletion of his/her own personal data as per the 13th clauses of the Law. |
When relevant individual requests purge or deletion of his/her own personal data as per the 11th and 13th clauses of the Law. |
In the above table, amendments and additions are indicated in the column “Updated Text” as underlined. Amendment on the 4th clause of the Regulation draws an inference regarding the necessity of including legal cause and maximum retention period in the data inventory. On the same day of regulation change, 28 April 2019, “Personal Data Inventory Preparation Guide” and “Personal Data Inventory Processing Sample” are published on Personal Data Protections Agency’s website. As known, Sample Inventory and the Guide containing details regarding personal data inventory which is required to be prepared by data controllers in the compliance process of the Law on Protection of Personal Data (“Law”) could be reached in Turkish from here.
Another amendment made in the Regulation consists of inclusion of the 11th clause with the title “relevant person’s rights” into 12th clause to establish a conjunction between the legislations, because former also regulates relevant person’s rights to request deletion or destruction of the personal data by making an application to data controller.
2. The Regulation on the Data Controllers’ Registry System
Art No. |
Previous Text |
Updated Text |
Art. 4/1 (ç) |
Contact person: In relation with the obligations of legal entities reside in Türkiye and the data controller representative of the non-resident legal entities under the Law and secondary regulations linked with this Law, the contact person refers to the individual notified while registering the System by the data controller for the contact |
Contact person: In relation with the obligations of data controller for the natural persons and legal entities reside in Türkiye, and the data controller’s representative for the natural persons and legal entities that are non-resident in Türkiye under the Law and secondary regulations linked with this Law, the contact person refers to the individual notified while registering the System in order to make contact. |
Art. 4/1 (h) |
Personal data processing inventory: refers to the inventory where data controllers conduct their data processing activities which are dependent on their business processes and defines the maximum necessary duration by linking with data processing goals, data category, recipient group and elaborates by explaining the precautions regarding data security. |
Personal data processing inventory: refers to the inventory where data controllers conduct their data processing activities which are dependent on their business processes and defines the maximum necessary retention period by linking with data processing goals and legal cause, data category, recipient group and elaborates by explaining the precautions regarding data security. |
Art. 4/1 (p) |
Data controller’s representative: refers the natural person citizen of the Turkish Republic or Türkiye resident legal entity that is authorized to represent non-resident data controllers for the issues mentioned in the clause |
Data controller’s representative: refers the natural person citizen of the Turkish Republic or Türkiye resident legal entity that is authorized to represent non-resident data controllers for the issues mentioned in the third clause of Art. 11 of this Regulation. |
Art. 5/1 (ç) |
The information to be disclosed to the Registry System while making an application, shall be prepared based on the Personal Data Processing Inventory. |
The data controllers who are obliged to register the Registry System, are obliged to prepare a Personal Data Processing Inventory. The information to be disclosed to the Registry System while making an application, shall be prepared based on the Personal Data Processing Inventory. |
Art. 5/1 (ğ) |
The necessary minimum period for the personal data processing purpose to be published and submitted to the Registry by the data controllers; shall be based upon while fulfilling the data controllers’ obligations of purging, destruction and anonymization mentioned in the Art 7 of the Law. |
The necessary minimum retention period for the personal data processing purpose to be published and submitted to the Registry by the data controllers; shall be based upon while fulfilling the data controllers’ obligations of purging, destruction and anonymization mentioned in the Art 7 of the Law. |
Art. 7/2 (a) |
Data controller, data controller’s representative if any and |
Data controller, data controller’s representative if any, address and REM (registered e-mail) address if provided, |
Art. 11/4 |
The legal entities resident in Türkiye, shall process the information of contact person into the Registry while registering the system. The contact person is not authorized to represent the data controller according to provisions of the Law and the Regulation. |
The data controllers resident in Türkiye and the data controller’s representatives on behalf of the non-resident data controllers, shall process the information of contact person into the Registry while registering the system. The contact person is not authorized to represent the data controller according to provisions of the Law and the Regulation. |
Art. 11/5 |
The contact person in the public institutions and organizations, is the head of departments or the top manager that is registered to the Registry determined by the senior executive to make contact with the Institution. |
The contact person in the public institutions and organizations, is the head of departments or the top manager that is registered to the Registry determined by the senior executive who shall ensure coordination, to make contact with the Institution. |
Art. 13/1 |
The data controllers shall notify the Institution of the any change in the registered information, within seven days on VERBIS. |
The data controllers shall notify the Institution of the any change in the registered information, within seven days as of the occurrence date of the alteration through VERBIS. |
Art. 16 (ğ) |
- |
Total employee number or total annual financial statement information of the data controller. |
The art. 5/1(ç) alteration is important beyond the above alterations of which states that it is obligatory to prepare a personal data processing inventory for the data controllers who are also obliged to register into the registry. You may reach our previous article on the registration deadline of the data controllers for the Registry (VERBIS) here.
With the “ğ” clause added to the Art. 16 of the Regulation is regulated that the Institution may exempt some data controllers from registering the Registry with considering “the data controllers’ total annual employee number or annual financial statement info”. This regulation has secured uniformity between the Regulation and the registration exemptions published by the Institution. You may reach the Turkish announcement of the Institution about the data controllers who are exempted from registering the Registry, here.
3. Communiqué on Procedures and Principles to Be Followed in Fulfilling Obligation to Inform
Art No. |
Previous Text |
Updated Text |
Art. 3/1 (f) |
The Data registration system: |
Veri kayıt sistemi: refers to the registry system in which personal data are processed into according to certain criteria. |
Art. 3/1 (ğ) |
The data controller’s representative: refers to Turkish Republic citizen natural person or Türkiye resident legal entity who is authorized to represent non-resident data controllers in the issues mentioned in the |
The data controller’s representative: refers to Turkish Republic citizen natural person or Türkiye resident legal entity who is authorized to represent non-resident data controllers in the issues mentioned in the third clause of Art. 11 of the Regulation on the Data Controller’s Registry published on 30/12/2017 dated and 30286 numbered Official Gazette. |
Art. 5/1 (c) |
|
Abrogated |
The amendment in the 3/1 (f) clause of the Regulation secured uniformity in the definition of “data registry system” found in related regulations. The abrogation of the 5/1(c) clause makes it easy for the data controllers in practice, so that it is not necessary for each department of the data controller which are processing personal data, to fulfill obligation to inform separately.
-
-
Notification!