Law on the Personal Data Protection numbered 6698 ("Law") was accepted on 24 March 2016 and entered into force, except for certain articles that are reserved, through publication in the Official Gazette dated 7 April 2016 and numbered 29677.
The purpose of this Law is to protect the fundamental rights and freedoms of persons and, in particular, the confidentiality of private life, and is to regulate the procedures and principles to be followed by natural persons and legal persons who process personal data, and their obligations pursuant to Article 1 of the Law. Pursuant to Article 16 of the Law, in order to effectively fulfill these purposes, the Chairmanship shall keep the record of the Data Controllers Registry ("Registry") that is publicly available under surveillance by the Personal Data Protection Board ("Board").
Within this scope, the general provisions regarding the Registry will be addressed, below, first. Thereafter, a recent decision of the Personal Data Protection Authority ("Authority") will be elaborated upon.
The Obligation to register with the Data Controllers Registry
As per Article 16 of the Law, the data controllers must fulfill their obligations as to the registration with the Registry before starting to process personal data. Likewise, according to Article 8 of the Regulation on the Data Controllers Registry ("Regulation"), which is stipulated and based on the same provision of the law, to determine and provide the application of the rules and procedures as to the formation of the Data Controllers Registry that will be kept by the Chairmanship, publicly, pursuant to the Law under the surveillance of the Board, and its administrations and the registration that will be made to the Registry, the data controllers must fulfill their obligation to the Registry before starting to process personal data.
According to these provisions, the data controllers that are not under obligation to register, but are obligated to register later on, shall file with the Registry within the thirty days following the date they became obligated.
In the event that the Data Controllers who are under obligation to register cannot fulfill their registration obligations due to a factual, technical, or legal impossibility, they shall apply to the Authority within 7 working days following the date when this impossibility arose, provided that they apply in writing, and with justification; and they may demand additional time. The Authority, one time only, may grant additional time, provided that it does not exceed thirty days.
The Exceptions to the Obligation of Registration
As mentioned, above, the data controllers must fulfill their obligations as to filing with the Registry, prior to the processing of personal data. Be that as it may, pursuant to Article 16 of the Law, the Board may allow exceptions to this obligation, by considering the objective criteria to be determined by the Board, such as the qualification of the personal data, its number, whether the processing derives from the law or transfer of the personal data to third parties.
The provisions, below, are stipulated under Article 16 of the Regulation, as well:
"The Board may bring exceptions to the registration obligation by way of considering the criteria below:
a) The qualification of the personal data;
b) The number of the personal data;
c) The purpose of processing the personal data;
d) The field of activity in which the personal data is processed;
e) The status as to the transfer of the personal data to third parties;
f) The fact that the processing activity derives from the laws;
g) The term of conservation of the personal data;
h) The personal group related to the data or data categories.
The Board is competent to render a decision in order to determine the scope and rules and procedures regarding the exceptions that are determined within the framework of the criteria indicated under the first paragraph. The Board shall publish its decisions in this respect through the adequate methods and shall announce them to the public."
The Decision of the Personal Data Protection Authority that brings Exceptions to the Obligation of Registration with the Data Controllers Registry
The Authority, based on the above-mentioned provisions, rendered a decision dated 02.04.2018 and numbered 2018/32, regarding the exceptions to the Obligation of Registration to the Data Controllers Registry. This decision is published in the Official Gazette dated 15.05.2018 and numbered 30422.
According to this decision, the above-mentioned persons are exempted from the obligation to register to the Data Controllers Registry:
* The persons who process the personal data, being a part of a data registration system with only non-automatic methods;
* The Notaries who operate pursuant to the Notary Law dated 18.01.1972 and numbered 1512;
* The persons who process the personal data with regard to the associations founded pursuant to Associations Law numbered 5253 and dated 04.11.2004, the foundations founded pursuant to Foundations Law numbered 5737 and dated 29.02.2008, and the syndicates that are founded pursuant to Syndicates and Collective Bargaining Agreements Law numbered 6356 and dated 18.10.2012; only regarding their own employees, members and donators, limited to their fields of activity, in conformity with their related legislation and purpose;
* The political parties that are founded pursuant to Political Parties Law numbered 2820 and dated 22.04.1983;
* The attorneys who work pursuant to Law on Advocacy numbered 1136 and dated 19.03.1969;
* The independent accountants and financial advisors and sworn-in certified public accountants who operate pursuant to Law on Independent Accountant and Financial Councillorship and Sworn-in Certified Public Councillorship numbered 3568 and dated 01.06.1989.
The above-mentioned data processors are exempted from the obligation to register with the Registry according to the Decision of the Personal Data Protection Authority dated 02.04.2018 and numbered 2018/32, regarding the Exception Brought to the Obligation of Registration with the Data Controllers Registry. That being said, it is important to note that the fact that these processors are exempted from the obligation to register with the Registry, does not imply that they are not required to fulfill the other obligations within the scope of the Personal Data Protection Law. In other words, these persons are also subject to the provisions under the Law. The exceptions are only related to the obligation of registration.1