Explore

Reading Mode

An Alert for Foreign Data Controllers in Turkey

17 July, 2020

On July 10, 2020 Turkish Personal Data Protection Board (“Board”) published summary of its decision numbered 2020/471 and dated June 23, 2020 (“Decision No. 2020/471”) stating that foreign companies who have representative offices in Turkey and proceed its data processing activities outside of Turkey may be subject to the Law on the Protection of Personal Data No. 6698 (“Law No. 6698”) and the obligation to register in the Data Controllers Registry Information System (“VERBIS”).

Highlights on Decision No. 2020/471

Prior to the Decision No. 2020/471, a foreign bank representative applied to the Board for clarification on whether the subject foreign bank is a data controller the under the Law No. 6698 and, accordingly, under the obligation to register in VERBIS. Pursuant to related legislation, foreign banks are entitled to apply to the Banking Regulation and Supervision Agency to establish their representative offices in Turkey. Even though such representative offices are not entitled to be engaged in banking services, they may conduct advertisement activities, market researches in favor of the foreign bank and report such information collected upon their activities to it.

It is understood from the Decision No. 2020/471 that the foreign bank, itself, is processing personal data of individuals in Turkey for its financing services, yet, its processing activities take place outside the jurisdiction of Turkey. In addition to the foreign bank’s processing activities, the foreign bank’s representative office also conducts advertisement activities and market researches in Turkey in favor of the relevant foreign bank. The Board states that data processing activities of the foreign bank and its representative office’s mentioned marketing operations in Turkey cannot be evaluated separately. Furthermore, the information collected upon the representative office’s advertisement activities and market researches may be transferred to the foreign bank to promote and benefit such bank’s operations. Therefore, the Board concludes that data processing activities of the foreign bank are strongly connected to the mentioned operations of its representative office in Turkey.

Furthermore, the Board justifies its reasoning in light of the Guidelines 3/2018 on the territorial scope of the Regulation (EU) 2016/679 (“GDPR”) and addresses the example of a company which operates outside the union, yet, has an office in the union for advertisement and marketing purposes to promote such company’s income. Moreover, the Board underlines that it would conflict with the essence of the Law No. 6698, if it was deemed that such foreign bank is exempted from the Law No. 6698 due to the mere fact that it is resident abroad and its processing activities take place outside of Turkey despite its continuous representative office. Consequently, the Board resolves that territorial scope of data protection regulations should be determined in a way that provides highest and widest level of protection to individuals, and such foreign bank which has a continuous representative office in Turkey shall be a data controller under the Law No. 6698 and obligated to register in VERBIS.

Background on VERBIS

VERBIS is a registration system that collects basic information on data processing activities of data controllers in Turkey. Pursuant to the Article 16 of the Law No. 6698, data controllers are required to register in VERBIS and provide basic information on their processing activities which is a)the purpose of the data processing, b) the data subject groups and data categories, c) recipient or recipient groups to which the data may be transferred, d)any personal data which may be transferred abroad, e)the data security measures taken, f)the maximum time for processing personal data (which must be in accordance with the purpose of the data processing). Some data controllers are exempted from the obligation to register (See our latest article on exemptions; http://herdem.av.tr/turkish-personal-data-protections-recent-exemption-for-registration-requirement).

Aslı Naz Ünlü

Recent Articles & Updates

Short Term Working Payments and Layoff Restrictions Extended in Turkey

05 August, 2020 a week ago

New Obligations for Social Media Platforms in Turkey

04 August, 2020 a week ago

Flashpoints in Tobacco Markets in Times of the COVID-19: Marketing Authorization for IQOS by FDA and Artificial Intelligence

31 July, 2020 2 weeks ago

Layoff Restrictions to be Extended until 2021 Summer in Turkey

29 July, 2020 2 weeks ago

EU-US Privacy Shield Ending: Future Strategies

29 July, 2020 2 weeks ago

Layoff Restriction Proposed to be Extended in Turkey

21 July, 2020 3 weeks ago

Submission Deadline for Ongoing Temporary Biocide License Applications Extended in Turkey

17 July, 2020 4 weeks ago

An Alert for Foreign Data Controllers in Turkey

17 July, 2020 4 weeks ago

A New Struggle for Hong Kong: U.S. to Treat as Same as China in Export Control Regime

16 July, 2020 4 weeks ago

Obligation to Inform by Data Controllers Matters in Turkey

14 July, 2020 4 weeks ago
Close