INFORMATION NOTE ON THE AMENDMENTS TO THE PERSONAL DATA PROTECTION LEGISLATION
8 May 2019
The Regulation on the Amendment of the Regulation on Deletion, Destruction or Anonymization of Personal Data (“Destruction Regulation”), the Regulation on the Amendment of the Regulation on Data Controllers Registry (“Registry Regulation”) and the Communique on the Amendment of the Communiqué on the Procedures and Principles regarding the Fulfilment of the Disclosure Requirement (“Disclosure Communiqué”) have been published in the Official Gazette dated April 28, 2019 and numbered 30758 by the Personal Data Protection Authority (“Authority”) and entered into force on the same day.
With the amendments, the secondary legislation have become compatible with the Law on the Protection of Personal Data numbered 6698 (“Law”) and with the decisions of the Personal Data Protection Board (“Board”).
Furthermore, the Board has published a Personal Data Processing Inventory Preparation Guideline (“Guideline”) in order to draw a road map for data controllers as to how a personal data inventory should be prepared.
You may find below a brief summary of the prominent amendments to the Destruction Regulation, Registry Regulation, Disclosure Communiqué and the Guideline:
1. Amendments to the Destruction Regulation
With the amendment to paragraph (e) of Article 4/1 of the Destruction Regulation, the definition of the personal data inventory has been changed in a manner consistent with the practice and it has been stated under the relevant Article that the “legal reason” shall be specified in the inventory. Furthermore, the Board has also included this matter explicitly in the sample Guideline published on its web-site
The “maximum period” term in the definition of the personal data inventory which gives rise to the obscurities has been clarified and replaced with the “maximum retention period”.
2. The Amendments to the Registry Regulation
- The “real person” term has been added to the “contact person” definition stated under paragraph (ç) of Article 4/1 of the Registry Regulation and accordingly, the real person data controllers will also be entitled to appoint the contact person.
- The definition of the personal data inventory has been amended as amended in the Destruction Regulation.
- With the insertion of the phrase “The data controllers who are under the obligation to be registered with the registry shall be obliged to prepare Personal Data Processing Inventory” into paragraph (ç) of Article 5/1 of the Registry Regulation, an obligation which was not explicitly stated under the legislation previously, has been added to the Registry Regulation and thus, in compliance with the prior decisions of the Board, the obligation to prepare personal data inventory is undertaken by the data controllers who are obliged to register with the registry.
- With the amendment to paragraph (ğ) of Article 5/1, the maximum period term has been clarified and replaced with the maximum retention period in parallel with the aforementioned change under the Destruction Regulation.
- The information of the contact person” shall no longer be disclosed to the public as per the amendment to paragraph (a) of Article 7/1 in relation to the disclosure of the up-to-date information in the registry.
- As per the amendment to Article 11/4 of the Registry Regulation, the obligation to notify the contact person shall be assumed by the data controllers residing in Turkey and by the data controller representatives on behalf of the data controllers residing abroad which was previously assumed only by the “legal entities residing in Turkey”. Furthermore, the provision regarding the communications of the contact person to reply the data subject applications has been removed from the Registry Regulation.
- With the amendment to Article 11/5 in relation to the obligation of the data controller, the data controller representative and contact person, the definition of the senior manager who will determine the contact person in public institutions and organisations has been clarified and it has been specified that the contact person shall be determined by the senior manager who is responsible for the coordination.
With the amendment to Article 13 of the Registry Regulation, it has been set forth that in case of any change in the information recorded in the registry, such change shall be notified to the Authority within 7 (seven) days as of the date of the relevant change. Prior to this amendment, it was unclear when the notification period of 7 (seven) days will commence; however, with this amendment it has been clarified that the notification period will commence as of the date of change.
- With the amendment of Article 16 of the Registry Regulation with respect to the exemption from the registration with registry, the legislation have become compatible with the decisions of the Board and “information on the annual employee number of the data controller or the sum of annual financial statement”2 has become one of the criteria of the Board with respect to the exemption from the registration with registry.
3. The Amendments to the Disclosure Communiqué
The definition of the “data record system” under paragraph (f) of Article 3/1 has been amended. Accordingly, the definition of the data record system has been harmonized with the Law and the term of “environment” which causes ambiguity has been replaced with “the registration system where personal data is processed through configuration according to certain criteria”.
- The following paragraph (c) of Article 5/1 has been abolished with the amendment:
"In case the personal data is processed for different purposes in different business units of the data controller, the disclosure obligation should be carried out separately specific to each unit.”
Accordingly, the separate disclosure obligation specific to each business unit has been removed and thus, the convenience of the disclosure in one time in relation to all data to be processed by one person has been ensured.
4. Personal Data Processing Inventory Preparation Guideline
It is stated in the published Guideline that the data controllers who are obliged to be registered with the registry are under obligation to prepare Personal Data Processing Inventory containing the following information:
- The activities of personal data processing,
- The purpose of the personal data processing and its legal reason,
- Data category,
- The recipient group to which the personal date is transferred,
- The maximum retention period necessary for the purposes for which the personal data is processed,
- The personal data which is transferred to foreign countries,
- Technical and administrative measures taken for data security.
It has further been stated in the Guideline that the personal data processing inventory and Data Controller Information System (“VERBIS”) are different concept and the personal data processing inventory is a source used in the course of the registration with VERBIS.
Should you have any queries, please do not hesitate to contact us.