The Law on Personal Data Protection w. no: 6698 (“DPL”) sets forth obligations, principles and procedures which shall be binding upon natural or legal persons who process personal data.
Similar to Art. 27 of the GDPR, controllers that are not established in Turkey but process personal data of subjects in Turkey (“Foreign Controllers”) must appoint a Data Controller Representative (“Representative”) under the DPL and Regulation on Data Controllers’ Registry.
The Representative must be located in Turkey and either must be a legal entity or a Turkish Citizen. The Representative, at the minimum, must be vested with the powers below;
- on behalf of the data controller, to receive or accept notifications and correspondences made by the Data Protection Authority (“DPA”),
- to transmit the demands made by the DPA to the data controller and to submit the responses of the data controller to the DPA,
- to receive data subjects’ requests on behalf of the data controller and to transmit the requests to the data controller, in cases where no other principle has been determined by the DPA.
- to transmit the data controller’s response to the data subjects, in cases where no other principle has been determined by the DPA,
- to perform operations relating to the Data Controllers’ Registry on behalf of the data controller.
The Representative must be appointed with an appointment decision by the Foreign Controller.
The Appointment Letter must contain the powers of the Representative as well as the full name and address of both the Foreign Controller and Representative.
Lastly, the Appointment Letter must be notarized and apostilled in the country of signing and must be sent to the Representative.
Please note that there is no deadline under the legislation specific to appointment of a Representative. Having said that, since the initial step that the Representative will take would be to register the Foreign Controller with the Data Controllers’ Registry, the deadline to register with the Data Controllers’ Registry (December 31st, 2021) is also treated as the deadline to appoint a Representative in Turkey.
Having said the above, since controllers have an obligation to receive, respond to and conclude DSARs and other personal data related requests in a timely and effective manner, many foreign controllers have already appointed Representatives in 2020 and 2021. Therefore, Foreign Controllers that process personal data collected from Turkey must appoint their Representative without delay to prevent risks.
Please note that there is no fine under the DPL for not appointing a Representative, however if the Foreign Controller cannot satisfy its obligation to receive, respond to and conclude DSARs and other personal data related requests in a timely and effective manner due to lack of a Representative, this may lead to complaints by data subjects to the DPA which may end up in administrative fines of up to TRY 1.966.862 (approximately USD 218,338.40).
Further, if Foreign Controllers fail to appoint a Representative and register with the Data Controllers’ Registry by December 31st 2021, an administrative fine of up to TRY 1.966.862 (approximately USD 218,338.40) may be imposed. Please note that it is also possible for the DPA to decide to restrict the data processing operations of the controller.