In Türkiye, the most significant step towards the protection of personal data is the Personal Data Protection Law (KVKK ) numbered 6698 which entered into force after its publication in the Official Gazette dated April 7, 2016. The law includes provisions that grant time period to the real persons whose data are processed and the natural and legal persons who process such data, until April 7, 2018 for conducting compliance with the law. Similarly, the European Union General Data Protection Regulation (GDPR) entered into force on May 25, 2018 and constituted an important stage in the improvements made towards protection of personal data in Europe.

In the Paragraph 5 of the Article 12 of the Turkish Personal Data Protection Law (“KVKK”) No.6698, in the event that the personal data processed is obtained by third parties by illegal means as a result of a data breach, the data controller shall inform the data subject and the Board as soon as possible. In case it is found necessary, the Board may announce the details of the breach on its website and/or in any other way that is considered appropriate.

Due to the activities on personal data processing in Türkiye, legal persons which are located abroad;

Legal persons residing abroad,

The branches of legal persons residing abroad,

The liaison offices of legal persons residing abroad

the Turkish Data Protection Board announced a decision no: 2019/225 (“Decision”) in regards with the personal data protection Law numbered 6698, as a result of the examination whether these entities are to be considered as data officers and whether there is an obligation for these entities to submit a record to the Data Responsible Register (“Registry”).

In the event that some or all of the personal data is transferred to the founder / partner foreign company located abroad and the foreign company uses this data for its own purposes, there is an obligation to register with the Data Controller’s Registry Information System (“VERBIS”). These transfers, in general, consist of recordings of all or part of the data of the employees, suppliers and customers of the legal entity in Türkiye to a registration system which is provided and managed by foreign partner. However, keeping only personal data in a registration system by the foreign partner does not constitute VERBIS registration obligation and the foreign partner should use this data for their own purposes.