On July 10, 2020 Turkish Personal Data Protection Board (“Board”) published summary of its decision numbered 2020/471 and dated June 23, 2020 (“Decision No. 2020/471”) stating that foreign companies who have representative offices in Turkey and proceed its data processing activities outside of Turkey may be subject to the Law on the Protection of Personal Data No. 6698 (“Law No. 6698”) and the obligation to register in the Data Controllers Registry Information System (“VERBIS”).
Highlights on Decision No. 2020/471
Prior to the Decision No. 2020/471, a foreign bank representative applied to the Board for clarification on whether the subject foreign bank is a data controller the under the Law No. 6698 and, accordingly, under the obligation to register in VERBIS. Pursuant to related legislation, foreign banks are entitled to apply to the Banking Regulation and Supervision Agency to establish their representative offices in Turkey. Even though such representative offices are not entitled to be engaged in banking services, they may conduct advertisement activities, market researches in favor of the foreign bank and report such information collected upon their activities to it.
It is understood from the Decision No. 2020/471 that the foreign bank, itself, is processing personal data of individuals in Turkey for its financing services, yet, its processing activities take place outside the jurisdiction of Turkey. In addition to the foreign bank’s processing activities, the foreign bank’s representative office also conducts advertisement activities and market researches in Turkey in favor of the relevant foreign bank. The Board states that data processing activities of the foreign bank and its representative office’s mentioned marketing operations in Turkey cannot be evaluated separately. Furthermore, the information collected upon the representative office’s advertisement activities and market researches may be transferred to the foreign bank to promote and benefit such bank’s operations. Therefore, the Board concludes that data processing activities of the foreign bank are strongly connected to the mentioned operations of its representative office in Turkey.
Furthermore, the Board justifies its reasoning in light of the Guidelines 3/2018 on the territorial scope of the Regulation (EU) 2016/679 (“GDPR”) and addresses the example of a company which operates outside the union, yet, has an office in the union for advertisement and marketing purposes to promote such company’s income. Moreover, the Board underlines that it would conflict with the essence of the Law No. 6698, if it was deemed that such foreign bank is exempted from the Law No. 6698 due to the mere fact that it is resident abroad and its processing activities take place outside of Turkey despite its continuous representative office. Consequently, the Board resolves that territorial scope of data protection regulations should be determined in a way that provides highest and widest level of protection to individuals, and such foreign bank which has a continuous representative office in Turkey shall be a data controller under the Law No. 6698 and obligated to register in VERBIS.
Background on VERBIS
VERBIS is a registration system that collects basic information on data processing activities of data controllers in Turkey. Pursuant to the Article 16 of the Law No. 6698, data controllers are required to register in VERBIS and provide basic information on their processing activities which is a)the purpose of the data processing, b) the data subject groups and data categories, c) recipient or recipient groups to which the data may be transferred, d)any personal data which may be transferred abroad, e)the data security measures taken, f)the maximum time for processing personal data (which must be in accordance with the purpose of the data processing). Some data controllers are exempted from the obligation to register (See our latest article on exemptions; http://herdem.av.tr/turkish-personal-data-protections-recent-exemption-for-registration-requirement).
Aslı Naz Ünlü