The Regulation on Data Controller Registry has been published in Official Journal numbered 30286, dated 30 January 2017.
As is known, according to Law on The Protection of Personal Data, No. 6698 all natural and legal persons, collecting, processing and transferring personal data are deemed as “Data Controller” and shall be registered in “Data Controller Registry” (VERBİS) before starting personal data processing with some exceptions determined by Personal Data Protection Board (The Board).
OBLIGATION OF REGISTRATION
Although registry obligation to the VERBİS system has not been started yet, and will be determined by the Board at a later date, persons and legal entities dealing with personal data should be ready to register at the commencement date.
- Data controller shall be registered in Data Controller Registry before starting personal data processing.
- Data controller who is not under the obligation of registering at the beginning but get under this obligation in a later time must be registered within 30 days.
- Data controller who is not registered due to technical or legal impossibility should apply to the Board for additional time within 7 days the registration obligation begins. Board may grant an extension of time not exceeding 30 days for once only.
REQUIRED INFORMATION FOR REGISTRATION
- Identity and address information of data controller or its representative, if any, and contact person.
- Purpose of processing personal data.
- Explanation related to data subject groups and categories.
- Personal data receivers or receiver groups.
- Personal data to be transferred abroad.
- Security measures taken.
- Maximum duration the data will be kept.
DATA CONTROLLER INVENTORY
Data controller shall prepare a personal data inventory before registering. All information will be sent through the inventory, and therefore it must be kept updated.
In case of non-compliance with registration, the data controller may be applied administrative fines of 20.000 TRY to 1.000.000 TRY.
You can also get detailed information on “Regulation on Deletion, Destruction or Anonymization of Personal Data” in our website;