Legal Status of the Liaison Offices Within the Scope of Turkish Personal Data Protection Law
What is Liaison Office?
Liaison offices are named as places established by foreign country-based companies in the Turkish market, whose main field of activity is market research, communication, promotion, information and/or technical support. The most important difference of liaison offices from branches is that they are not allowed to engage in any commercial activity in Türkiye.
Liaison offices are regulated in the Foreign Direct Investment Law No. 4875 (In Turkish). According to the aforementioned Foreign Direct Investment Law, companies established in accordance with the laws of foreign countries may be allowed to establish a liaison office in Türkiye, provided that they cannot engage in commercial activities.The procedures and principles of the process of opening a liaison office are regulated in the Implementation Regulation of the Foreign Direct Investment Law (In Turkish), which is enacted based on the aforementioned Law.
Status of Liaison Offices within the Scope of Turkish Personal Data Protection Law
Due to the personal data processed by legal entities residing abroad in Türkiye;
- Legal entities residing abroad,
- Branches of legal entities residing abroad in Türkiye,
- Liaison offices in Türkiye of legal entities residing abroad
According to the Turkish Personal Data Protection Law No. 6698 ("KVKK"), as a result of examining whether it is considered a data controller and whether it is obliged to make a declaration to the Data Controllers' Registry System ("VERBIS"), the Turkish Personal Data Protection Authority ("Turkish DPA")'s decision No. 2019/225 ("Decision No. 2019/225") was given. Within the scope of this Decision No. 2019/225, liaison offices will not be considered as data controllers since they are established for the purpose of informing the head quarter abroad about matters other than commercial activities and they do not have branch features. In this context, it has been decided by the Turkish DPA, it is not obligatory to make a declaration to VERBIS for the liaison offices. You can reach our article, which includes our detailed explanations regarding the Decision No. 2019/225, here.
However, in addition to all these, legal entities abroad who use personal data for their own purposes or manage the data recording system of the organization in Türkiye through their branches or liaison office in Türkiye are required to appoint a Data Controller Representative (DCR), although they are obliged to register with the VERBIS. You can reach our article, which includes detailed information on the obligations of data controllers residing abroad, here.
Examining the Decision of the Turkish DPA on the Request for Opinion on the Obligation of Registration in the VERBIS of the Branches and Liaison Offices of Legal Entities Residing Abroad
In this article, the decision of the Turkish DPA dated 23.07.2022 and numbered 2019/225 ("Decision") will be examined and in this context, the liabilities of liaison offices and the legal entities residing abroad will be briefly mentioned. You can find the detailed text of the Decision here (In Turkish).
Subject of the Complaint
In the complaint made by the data subject in the decision review published by the Turkish DPA on its website briefly states that;
- Beginning of the onboarding process of the data subject, the liaison office of the data controller requests the relevant documents from data subject, such as, criminal record, health report, lung x-ray report, blood group certificate, photocopy of driver's license, photocopy of marriage certificate and identity card of family members,
- The liaison office has not obtained explicit consent from the data subject for the processing of the aforementioned sensitive personal data,
- Requesting identity card information of family members contradicts the general principles in Article 4 of the Law,
- The data controller has not fulfilled the issues specified in the decision of the Turkish DPA dated 31.01.2018 and numbered 2018/10, in the processing of sensitive personal data,
- Due to the fact that the data controller is a resident abroad, the personal data of the data subject may also be transferred abroad,
- The data controller does not respond to the application of the data subject within the 30-day legal period.
Complaints have been made about the issues and necessary actions have been requested within the scope of KVKK.
Defense of the Liaison Office in Türkiye Submitted to the Turkish DPA on Behalf of the Data Controller
Within the framework of the investigation initiated by the Turkish DPA on the relevant subject, the defense of the liaison office of the data controller in Türkiye has been requested, and the defense is summarized as below:
- The complainant is the liaison office of the data controller residing abroad, and does not have a separate legal personality and commercial activity in accordance with the legal establishment principles,
- The working conditions of the data subject within the body of the data controller is determined directly in accordance with the provisions of the foreign-based legal legislation, and accordingly, the workplace registry file is created in accordance with the provisions of the current legislation abroad,
- Since the personal data subject to the complaint of the data subject is the employee of the data controller residing abroad, consent is obtained in line with his/her consent and in this sense, it is not possible to mention a situation such as transferring the personal data abroad without permission,
- The personal data subject to the complaint is kept in the form of "personnel file" under the responsibility of the liaison office during the working period, in accordance with the legitimate purpose determined by the relevant regulations,a copy of the file is presented to the Labor Court and, once there has been no legal obligation regarding the applicable law, the personal data is destroyed in the records of the liaison office and the legal entity residing abroad.
Reviews and Evaluation
In the investigation carried out by the Turkish DPA on the subject; employer status of liaison offices has been evaluated within the scope of various legislation. It has been stated that, the liaison offices have the status of "workplace" within the scope of the Turkish Labor Law No. 4857, and the "foreign investors" defined in the Foreign Direct Investment Law No. 4875, in this regard liaison offices will have the title of employer within the scope of labor law, thus the employer who employs the employees of the liaison office and title of data controller can be attributed to the data controller who is resident abroad and has a legal personality, not the liaison office of the data controller.
In the concrete case stated that the notification send by the data subject is legally valid, and the company manager is authorized on behalf of the data controller with a power of attorney approved and issued by the authorized notary of the place of residence abroad, and in this case, the liaison office representative and the representative of the employer of the data controller are assigned to the data controller.In addition, the data controller must also respond to this notification, but in the relevant case the data controller did not respond to the application of the data subject within the legal period, thus contrary to the provisions of the data controller's Law and the Communiqué on the Procedures and Principles of Application to the Data Controller regarding responding to the applications of the data subjects.
Based on the evaluations made by the Turkish DPA, since the notifications made to the data controller through the representative of the liaison office and the employer's representative will be legally valid, and in this context, the notifications received by the liaison offices will be considered as if they were made to the data controller.
Another important point in the examinations made by the Turkish DPA is that considering that the employer's title is on the data controller residing abroad, the employment contracts concluded with the employees should be concluded with the data controller, not with the liaison office, therefore, in accordance with the contract concluded between the parties within the scope of the business relationship. It has been stated that there is no illegality in the transfer of the personal data of the data subject to the data controller residing abroad by the liaison office.
The Turkish DPA have been made important evaluations to the employee with whom the employment contract is made to work within the body of the data controller on the issues of, it is not possible for the data controller not to think that the personal data in the forms of information and documents obtained from her/him in accordance with the foreign legislation to which she/he is subject will be processed abroad, in the event that there is no other legal way other than obtaining explicit consent from the data subject to fulfill the requirements of a contract, requesting explicit consent from the parties while establishing this contract will not injure the legal elements of explicit consent, in the concrete case it is stated that the data subject was aware of the fate of her/his personal data when this contract was concluded.
Conclusion
As a result of the relevant decision of the Turkish DPA, could be reached to below conclusions;
- The title of "data controller" will belong to a foreign-based legal entity, not to the liaison office itself,
- Since the director/manager of the liaison office is also the representative of the employer of the data controller, the notification made by the data subject to the liaison office will be legally valid,
- The personal data of the data subject can be obtained through the contract concluded by the data controller residing abroad within the scope of the business relationship, provided that it is processed in accordance with the law of the resident country,
- For the performance of the employment contract between the parties, it is necessary to process the personal data of the data subject abroad and the only way is to obtain the explicit consent of the data subject, and it will be appropriate to process the personal data with the explicit consent obtained from the data subject in accordance with the Law.
In this context, it is important for the liaison offices in accordance with the obligations to complete compliance with the KVKK even though they do not have the obligation to register with the Registry, since the liaison offices in Türkiye cannot carry out commercial activities in Türkiye and were established for the purpose of informing the central company abroad legal entity, which has the title of data controller, will be responsible within the scope of KVKK. In this respect, the legal entity residing abroad who uses personal data for their own purposes through the liaison office in Türkiye manages the data recording system of the organization in Türkiye must fulfill its obligation and shall registered to the VERBIS by appointing a data controller representative within the scope of Article 11 of the Regulation on Data Controllers Registry.
Should you need further details or our services "Data Controller Representative", please contact us.
-
-
Bilgilendirme Metni!