Page 1

Official newspaper

Saturday, December 30, 2017

Number : 30286

REGULATION
From the Personal Data Protection Authority:
REGULATION ABOUT DATA RESPONSIBILITIES REGISTRY
FIRST PART
Purpose, Scope, Basis and Definitions
Goal
ARTICLE 1 – (1) The purpose of this Regulation is the Law on Protection of Personal Data No. 6698 dated 24/3/2016
the Data Controllers Registry, which will be kept open to the public by the Presidency, under the supervision of the Board.
To determine the procedures and principles regarding the establishment, administration and records to be made in the Data Controllers Registry,
ensure its implementation.
Scope
ARTICLE 2 – (1) This Regulation is a data recording policy that determines the processing purposes and means of personal data.
It covers the natural and legal persons responsible for the establishment and management of the system.
Rest
ARTICLE 3 - (1) This Regulation is governed by the fifth paragraph of Article 16 and Article 22 of the Law No. 6698.
It has been prepared based on subparagraphs (d) and (e) of the first paragraph.
Definitions
ARTICLE 4 – (1) In this Regulation;
a) Recipient group: The natural or legal person category to which personal data is transferred by the data controller,
b) Chairman: Chairman of the Personal Data Protection Authority,
c) Presidency: Presidency of the Personal Data Protection Authority,
ç) Contact person: Data controller for legal persons residing in Turkey and legal persons not residing in Turkey
with the obligations of the representative under the Law and secondary regulations to be enacted based on this Law.
regarding the real person notified by the data controller during the registration to the Registry for the communication to be established with the Institution,
d) Law: Law on Protection of Personal Data No. 6698,
e) Registration: The data controllers under the registration obligation must comply with the procedures and principles determined by the Regulation.
its notification accordingly,
f) Registration obligation: The obligation to register in accordance with the Regulation,
g) Registered e-mail (REM) address: Including the sending and delivery of electronic messages
the qualified form of e-mail, which provides legal evidence regarding its use,
ğ) Personal data: Any information relating to an identified or identifiable natural person,
h) Personal data processing inventory: The data controllers perform depending on their business processes.
personal data processing activities; personal data processing purposes, data category, transferred recipient group and data subject person
the maximum period required for the purposes for which personal data are processed and created by associating with the foreign
explaining the personal data foreseen to be transferred to other countries and the measures taken regarding data security.
inventory,
ı) Personal data retention and destruction policy: Data controllers must comply with the requirements for the purpose for which personal data is processed.
the policy on which they are based for the process of determining the maximum period of time and deletion, destruction and anonymization,
i) Processing of personal data: Fully or partially automatic or any data processing of personal data.
to be obtained, recorded, stored by non-automatic means, provided that it is part of the recording system,
to be preserved, modified, rearranged, disclosed, transferred, taken over, made available
All kinds of operations carried out on the data such as bringing, classifying or preventing its use,
j) Board: Personal Data Protection Board,
k) Institution: The Personal Data Protection Authority, which consists of the Board and the Presidency,
l) Registry: The Data Controllers Registry kept by the Presidency,
m) Data category: The data subject group or group where personal data are grouped according to their common characteristics.
personal data class of the groups,
n) Data subject person group: The category of the person whose personal data data controllers process,
o) Data controllers registry information system (VERBIS): Data controllers can apply to the Registry and
information technology created and managed by the Presidency, accessible over the internet, that they will use in other transactions.
system,
ö) Data controller: The data recording system that determines the purposes and means of processing personal data.
the natural or legal person responsible for the establishment and management of
p) Data controller representative: Data controllers who are not resident in Turkey, in Article 11 of this Regulation.
Legal person residing in Turkey or Turkey authorized to represent the minimum in the matters specified in the second paragraph of the article
natural person, citizen of the Republic of Turkey,
means.
(2) For definitions not included in this Regulation, the definitions in the Law are applied.
SECOND PART
Establishment, Administration, Oversight and Access to the Registry
Principles, procedures and principles
ARTICLE 5 – (1) The following principles, procedures and principles shall be complied with regarding the establishment, administration and supervision of the registry:
a) Data controllers must register with the Registry before starting to process personal data.
b) Data controllers who are not resident in Turkey, before starting data processing, the representative of the data controller
must be registered in the Registry.
c) The registry is kept open to the public. The Board may determine the scope of this principle, provided that the principle of publicity is ensured.
and has the power to set exceptions.
ç) The information to be disclosed to the Registry in applications to the Registry is prepared based on the Personal Data Processing Inventory.
d) In the disclosure obligation specified for data controllers in Article 10 of the Law,
In response to the applications of the relevant persons specified in the third article and the openness to be disclosed by the relevant persons.
In determining the scope of consent, submitted to the Registry and published in the Registry based on the personal data processing inventory
information is based.
e) Data controllers must ensure that the information submitted to and published in the Registry is complete, accurate, up-to-date and in compliance with the law.
responsible for it. Registration of data controllers in the Registry eliminates other obligations under the Law.
does not remove.
f) Without prejudice to the situations specified in Article 28 of the Law, in Article 16 of the Regulation
Based on the objective criteria specified, data controllers meeting certain conditions are registered by the Board in the Registry.
not be held liable; this does not remove the obligations of data controllers under the Law.
g) Registry-related transactions are carried out by data controllers over VERBIS.
ğ) For the purpose of processing the personal data submitted to the Registry by the data controllers and published in the Registry
the maximum time required; Deletion, destruction or anonymization of data controllers specified in Article 7 of the Law.
basis for the fulfillment of its obligations.
Establishment, administration and oversight of the registry
ARTICLE 6 – (1) The registry is created by the Presidency. Presidency, Creation, administration, up-to-date
for the purpose of keeping and preserving; Technical and administrative necessary for the establishment and operation of VERBIS
takes measures.
(2) The service unit responsible for the creation and administration of the Registry is the Data Management Department.
(3) The registry is supervised by the Board. quarterly by the Data Management Department.
The annual report, which is prepared periodically and whose scope will be determined by the Board, is submitted to the Board.
Access to the registry
ARTICLE 7 – (1) The Presidency shall provide the updated information in the Registry to be determined in accordance with the Board decisions.
publicly disclosed.
(2) Of the information contained in the data controllers registry, the following are disclosed to the public:
a) The name, address of the data controller, if any, the representative of the data controller and the contact person, and if received, KEP
address,
b) The purposes for which personal data can be processed,
c) The data subject group and groups and the data categories of these persons,
ç) Recipient and recipient groups to whom personal data can be transferred,
d) Personal data intended to be transferred to foreign countries,
e) The date of registration in the registry and the date the registration ends,
f) Measures taken regarding personal data security,
g) The maximum period required for the purpose for which personal data is processed.
THIRD PART
Beginning of Registration Obligation, Information to be Entered in VERBIS, Registration Application,
Renewal and Deletion of Registration
Beginning of registration obligation
ARTICLE 8 – (1) Data controllers must fulfill their registration obligations before starting to process personal data.
must bring.
(2) Data controllers who are not under the registration obligation and later become registration obligations,
They are registered in the Registry within thirty days following their obligation.
(3) Data controllers under the registration obligation, any de facto, technical or legal impossibility
If the registration obligations cannot be fulfilled due to
to fulfill their registration obligations, provided that they apply to the Authority in writing within 7 working days and state the reason.
They may request additional time from the Institution to fulfill their obligations. Institution, for one time only and in any case for thirty days.
may grant additional time.
Information to be transmitted within the scope of registration obligation
ARTICLE 9 – (1) The registration application made to the Registry contains the following information:
a) Regarding the identity and address information of the data controller, if any, the representative of the data controller and the contact person.
Information in the application form to be determined by the Board,
b) For what purpose the personal data will be processed,
c) Explanations about the data subject group and groups and the data categories of these persons,
ç) Recipient or recipient groups to whom personal data can be transferred,
d) Personal data intended to be transferred to foreign countries,
e) Measures taken in accordance with the criteria stipulated in Article 12 of the Law and determined by the Board,
f) The maximum retention period of personal data stipulated in the legislation or required for the purpose for which they are processed.
(2) Information to be disclosed to the Registry by data controllers in accordance with subparagraphs (b), (c), (ç) and (d) of the first paragraph;
Based on the Personal Data Processing Inventory, using the titles specified in VERBIS to the Registry via VERBIS
transmitted.
(3) Information to be disclosed to the Registry by data controllers in accordance with subparagraph (e) of the first paragraph; 12 of the Law
on VERBIS by using the titles specified in VERBIS to cover the issues specified in Article
It is transmitted to Sicily.
(4) The personal data to be disclosed to the Registry by the data controllers pursuant to subparagraph (f) of the first paragraph shall be provided in the legislation.
Information on the maximum retention period envisaged or required for the purpose for which they are processed, together with the data categories.
matched and reported to the Registry. The processing purposes of the data categories notified to the Registry by the data controller and these
The maximum storage periods required for their processing based on the purposes and the periods stipulated in the legislation
It may be different. In this case, if the maximum storage period is stipulated in the legislation, this period is not available.
Based on the longest period, a notification is made to the Registry for this data category. Necessary for the purpose for which personal data is processed
While determining the maximum storage period;
a) In the sector in which the data controller operates within the scope of the processing purpose of the relevant data category,
time customarily accepted,
b) Legal requirements established with the data subject and requiring the processing of personal data in the relevant data category.
the duration of the relationship,
c) The legitimate interest to be obtained by the data controller depending on the purpose of processing the relevant data category.
the period for which it will be valid in accordance with the law and the rules of honesty,
ç) The risk, cost and cost of storing the relevant data category depending on the purpose of processing.
the period during which the responsibilities will continue legally,
d) It is convenient to keep the relevant data category of the maximum period to be determined accurate and up-to-date when necessary.
is not,
e) Keeping personal data in the relevant data category as required by the legal obligation of the data controller
the time it has to,
f) To assert a right related to personal data in the relevant data category by the data controller.
the prescribed statute of limitations,
are taken into account.
(5) Data controllers, determining the maximum period required for the purpose for which personal data are processed,
for the compliance of the periods with the information specified in the personal data processing inventory and to monitor whether the maximum period has been exceeded.
They prepare a personal data retention and destruction policy and ensure the implementation of this policy.
(6) The titles and contents specified in VERBIS, the activities performed by the data controller, and
In case it does not fully cover the information required to be submitted to the Registry; The data controller also provides this information to VERBIS.
completes its notification to the Registry by entering the sections titled "Other" reserved for this purpose.
Registration application
ARTICLE 10 – (1) Data controllers can register by uploading the information specified in Article 9 to VERBIS.
deemed to have fulfilled its obligation.
(2) As stated in the third paragraph of Article 8, by the Institution, additional time has been given to them.
Data controllers must complete the registration application before this period expires.
Obligations of data controller, data controller representative and contact person
ARTICLE 11 – (1) In legal persons, the data controller is the legal entity itself. Legal entity residing in Turkey
Data controller obligations of persons within the scope of the Law, representation and representation of the legal entity in accordance with the provisions of the relevant legislation.
It is carried out by the authorized body or the person or persons specified in the relevant legislation. represent a legal entity
The authorized body, in relation to the obligations to be fulfilled in terms of the implementation of the Law,
can appoint a person. This assignment does not remove the responsibility of the legal entity in accordance with the provisions of the Law.
(2) Authorized body of a data controller who is not resident in Turkey for the appointment of a data controller representative
or the certified copy of the decision to be taken by the data controller representative during the registration application.
It is submitted to the institution.
(3) The decision to appoint a data controller representative shall be made in a way that covers the following issues as a minimum.
edited:
a) Notifying or accepting the notification or correspondence made by the Authority on behalf of the data controller,
b) To forward the requests directed to the data controller by the Authority to the data controller,
forwarding the next reply to the Institution,
c) If no other basis has been determined by the Board; 13 of the Law of the relevant persons
Receiving the applications to be directed to the data controller on behalf of the data controller in accordance with the first paragraph of the article
notify the person in charge,
ç) If no other basis has been determined by the Board; 13 of the Law to the persons concerned.
To transmit the reply of the data controller in accordance with the third paragraph of the article,
d) Performing the Registry-related works and transactions on behalf of the data controller.
(4) Legal entities residing in Turkey record their contact person information in the Registry during registration. Contact
person is not authorized to represent the data controller in accordance with the provisions of the Law and Regulation. contact person,
It provides communication regarding the response of the requests to the data controller.
(5) In public institutions and organizations, the contact person is to ensure communication with the Authority by the senior manager.
It is the head of department or higher manager determined for the purpose and registered in the Registry.
Ensuring communication
ARTICLE 12 – (1) Regarding the implementation of the Law, any data subject to be established by the Authority with the data controller
kinds of communication;
a) For legal entities residing in Turkey, through the identity, address or KEP address information reported to the Registry,
legal entity,
b) For real persons residing in Turkey, through the identity, address or KEP address information reported to the Registry.
relevant natural person,
c) For data controllers not residing in Turkey, the representative of the data controller notified to the Registry,
carried out by means of
Changes to registration information
ARTICLE 13 – (1) Data controllers are responsible for the changes in the information registered in the registry.
notifies the Institution of the changes within seven days via VERBIS.
Deletion of the registry record
ARTICLE 14 – (1) The data controller, regarding the deletion of the registry record, is sent to the Authority via VERBIS.
applies.
(2) If the activity requiring the registration obligation ends or disappears, the registration record is deleted. These records
It is accessible when requested, but kept in such a way that no changes can be made on it.
(3) Deletion of the Registry record eliminates the obligations of the data controller at the time it was registered in the Registry.
does not remove.
CHAPTER FOUR
Exceptions to the Registration Obligation
Circumstances to be exempted
ARTICLE 15 – (1) In terms of the personal data processing activities stated below, this
There is no obligation to register and notify the activities in the Registry:
a) The processing of personal data is necessary for the prevention of crime or for criminal investigation.
b) Processing of personal data made public by the person concerned.
c) With the authorized and authorized public institutions and organizations based on the authority given by the law for personal data processing.
Disciplinary action by professional organizations in the nature of public institutions with the execution of supervisory or regulation duties.
be necessary for the investigation or prosecution.
ç) The economic and financial interests of the State regarding the budget, tax and financial issues of personal data processing.
necessary for its protection.
Exception criteria
ARTICLE 16 – (1) The Board may make an exception to the registration obligation by considering the following criteria:
a) The nature of the personal data.
b) Number of personal data.
c) Purpose of processing personal data.
ç) Field of activity in which personal data is processed.
d) Transfer of personal data to third parties.
e) The fact that the personal data processing activity originates from the law.
f) The period of retention of personal data.
g) The data subject group or categories of data.
(2) The Board shall determine the scope of the exceptions determined within the framework of the criteria listed in the first paragraph and the application procedure and
has the power to make decisions in order to determine the principles. The Board publishes these decisions with appropriate methods.
announces to the public.
CHAPTER FIVE
Miscellaneous and Final Provisions
Administrative sanction
ARTICLE 17 – (1) Regarding those who violate the obligation to register and notify the data controllers registry
Administrative fine specified in subparagraph (ç) of the first paragraph of Article 18 of the Law is applied.
(2) The act of violating the obligation to register and notify with the data controllers registry,
and organizations and professional organizations in the nature of public institutions,
Upon notification, civil servants and other public officials and public institutions working in the relevant public institution and organization
Actions are taken against those who work in professional organizations in the nature of professional organizations in accordance with disciplinary provisions and the result is reported to the Board.
is reported.
Elimination of doubts
ARTICLE 18 – (1) Hesitations that may arise during the implementation of this Regulation and
to eliminate the deficiencies and direct the application, to determine the principles and standards and to establish the unity of application.
to make the necessary arrangements to provide the necessary information, to request all kinds of information and documents required in this regard,
The Board is authorized to make decisions within the framework of the provisions of the relevant legislation.
Force
ARTICLE 19 – (1) This Regulation enters into force on 1/1/2018.
Executive
ARTICLE 20 – (1) The President executes the provisions of this Regulation.

