13 December 2021

The "Communiqué on the Procedures and Principles Regarding the Personnel Certification Mechanism" (the "Communiqué") issued by the Personal Data Protection Authority ("Authority") entered into force through its publication in the Official Gazette dated 6 December 2021 and numbered 31681. Within the scope of the Communiqué, the relevant procedures and principles regarding the certification of individuals within the Data Protection Officer Program have been determined in accordance with the standard numbered (TS) EN ISO/IEC 17024. This practice provides a legal basis to the concept of "DPO" (Data Protection Officer) which we frequently encounter in foreign jurisdictions and recently even in domestic level. Contrary to the obligation of employment of a Data Protection Officer in foreign jurisdictions when certain conditions are met, such employment has not yet been made compulsory under the Turkish legislation. Within the framework of the provisions of the legislation, the Personal Data Protection Board (the "Board") is authorized to decide and regulate the details which are not included in the Communiqué, or which are not clear thereunder.

The significant points under the Communiqué are as follows: 

  • The title of "Data Protection Officer" will be given to those who are successful in the exam among those who receive the certificate of participation in the program, the procedures and principles of which will be determined and announced by the Board.
  • The Turkish Accreditation Agency ("TÜRKAK") will carry out the determination of the educational institutions which will be authorized to provide the necessary trainings and exams. Thus, certain training centres will be authorized to train data protection officers, and those who want to qualify as protection officers will take the exam after completing the training program in these training institutions. Organizations accredited by TÜRKAK under the EN ISO/IEC 17024 standard will be authorized to certify those who are successful in the relevant certification exams.
  • Among the real persons who have obtained a training participation certificate in the last 4 years before the exam date or who have a valid data protection officer certificate, those who meet the conditions determined in the program published by the Board will be entitled to apply for the data protection officer certification exam. Attention: Solely having a certificate of participation does not provide the capability to use the data protection officer title and to operate within this scope.
  • The data protection officers will only be entitled to use such title during the validity period of their certificates. The certificate validity period is 4 years starting from the announcement of the exam results. After this period expires, data protection officers will need to retake the exam and renew their certificates.
  • In order to maintain the certification processes in a transparent, impartial, and effective manner, the certificate tracking and verification information system ("SERTABIS") will be established and managed by the Authority, where the information of personnel certification institutions and data protection officer certificate holders will be kept open to the public. In SERTABIS, information on the certificate of participation and the institutions accredited by the TÜRKAK and the changes in their status, the information of the certificate holders, the dates of the exams held within the scope of the program, as well as the certificate dates, certificate numbers and certificate validity periods of the people who were successful in the exam, will be covered.
  • Employing a data protection officer within the data controller and/or data processor's embodiment will not lift the responsibility of the data controller and the data processor to comply with the Personal Data Protection Law No. 6698 dated 24/3/2016 and the relevant legislation. 

Should you have any enquires on the above, please do not hesitate to contact us. We would be happy to assist.

Güner Law Office