Turkey’s data protection legislation on data controller registry to impact data controllers outside of Turkey


Turkey’s data protection legislation (TDPL) requires data controllers to notify the Turkish DPA of their processing activities. Unless exempt from the requirement, all data controllers (individuals and legal entities) who process personal data in Turkey must be registered with the Turkish DPA’s Register of Data Controllers Information System (VERBİS), prior to processing any personal data.

Data controllers which fail to fulfil this obligation may be subject to an administrative fine of an amount between TL 20,000–1,000,000 (approximately USD 3,600-180,000). Such fines will be issued at the discretion of the Data Protection Board and will be determined based on the facts of each specific breach.

Implications for non-Turkish controllers

The obligation to register under TDPL applies to data controllers based outside of Turkey as well as Turkish controllers. Consequently, natural and legal persons who are currently processing personal data but who are based outside of Turkey, are still obliged to comply with the obligation to register. The registration process is different for Turkish and non-Turkish data controllers. Data controllers located outside of Turkey will need to appoint a data controller representative, who must be a Turkish citizen resident in Turkey or a Turkish entity. The representative must complete the registration form available online, and submit it to the DPA. The representative will then appoint a contact person (irtibat kişisi) who must also be a Turkish citizen resident in Turkey (a natural person representative may appoint herself as the contact person). The contact person will submit the required information and complete registration with VERBİS.

Deadline for registration

The deadline for completing the registration process is fast approaching. Specifically, the following data controllers must complete their registration with VERBİS prior to the deadlines set out below:

  • Real and legal persons who have settled abroad (i.e. non-Turkish controllers) before 30 September 2019;
  • Workplaces that have over 50 employees yearly, or have financial balance sheet over TL 25,000,000 (approx. USD 4,500,000) before 30 September 2019;
  • Legal entities which have less than 50 employees annually and whose annual total financial statement is less than TL 25,000,000 but whose main business is processing sensitive personal data to register before 31 March 2020.

The CNIL publishes new guidelines on cookies and other similar technologies

US Supreme Court expands digital privacy rights in Carpenter v. United States

On 4 July 2019, the CNIL published new guidelines on cookies and other similar technologies, repealing its 2013 cookie guidance in order to align its position with the GDPR’s new requirements on consent. These guidelines will be supplemented during the first quarter of 2020 by sectoral recommendations aimed at providing practical guidance to stakeholders on how to collect consent.

Continue reading

One-Month Countdown to Pass CCPA Amendments Begins

Data Protection Report - Norton Rose Fulbright

On August 12, the California legislature returns after its summer recess. Starting with the Senate Appropriations Committee Hearing today, the legislature will now have approximately a month to continue the markups and send California Consumer Privacy Act (CCPA) amendments to the Governor’s desk for signature before the September 13 deadline.  As previously reported, any amendment that passes from the Senate will likely need to go back to the Assembly since many of them have been marked up significantly by the Senate. Below is a summary of the seven amendments that are moving forward and what they mean for businesses who are working on implementing a CCPA program.  Click here for our previous coverage of AB 25 (employee exception), AB 846 (customer loyalty program), and AB 1564 (consumer request methods). Continue reading

Website operators joint controllers with third-party plugin providers

Norton Rose Fulbright - Data Protection Report blog

On 29 July 2019, the European Court of Justice (ECJ) issued its judgement on Case C-40/17 (the “Fashion-ID” case). In its ruling, the ECJ held that operators of websites embedding Facebook’s “Like” button act as data controllers jointly with Facebook in respect of the collection and transmission to Facebook of the personal data of visitors to the relevant websites. In relation to these processing activities, the website operators must inform their website visitors about the data processing activities for which they act as a joint controller with Facebook, must establish a lawful basis for these processing activities and, where applicable, must collect relevant consent from the website visitor.

Continue reading

U.S. CLOUD Act and International Privacy

Norton Rose Fulbright - Data Protection Report blog

The U.S. Clarifying Lawful Overseas Use of Data Act (“CLOUD Act”) is apparently the Goldilocks of the privacy world, according to recent statements issued by two international jurisdictions. The CLOUD Act’s requirements are “too hard” for Australian law, according to the Law Council of Australia, but the privacy protections are “too soft” for the European Data Protection Board and European Data Protection Supervisor. The current lack of any executive agreements between the U.S. and another jurisdiction under the CLOUD Act seems to indicate that the U.S. has not yet found a jurisdiction that is “just right” for the CLOUD Act. Continue reading

Cyber law firm of the year nomination

We are pleased to report that Norton Rose Fulbright has been shortlisted for cyber law firm of the year at the 2019 Insurance Insider Cyber Rankings Awards. Many thanks to everyone who has voted for us so far. The winner will be determined from the results of a wide-ranging survey of insurers and brokers and will be announced on 20 September 2019. We encourage our insurer and broker clients and contacts to respond to the survey if they have not already done so. Continue reading

Back At The Negotiating Table: CCPA Amendments Debate Continues

UK NIS Regulations impose new cybersecurity obligations (and a new penalties regime) on operators of essential services and digital service providers in the UK | Norton Rose Fulbright

In a 12-hour marathon hearing, the California Senate Judiciary Committee on July 9, 2019, debated, struck down, scaled back and put back on the negotiating table key amendments to the California Consumer Privacy Act (“CCPA”). Read below to find out what happened to the much-anticipated “employee exception” bill, “customer loyalty program” bill, and the bill to remove the toll-free number requirement. Continue reading

FTC to levy unprecedented $US5bn fine against Facebook

Data Protection Report - Norton Rose Fulbright

On Friday, July 12, 2019, the Wall Street Journal reported that Federal Trade Commission and Facebook reached a settlement to resolve Facebook’s privacy issues surrounding the Cambridge Analytica disclosure discovered last year. The settlement imposes a US$5 billion dollars on the tech giant, which represents roughly 9% of Facebook’s total yearly revenue and is the largest civil and privacy fine ever imposed by the FTC. The fine largely surpasses the FTC’s previous imposed fine in a privacy action, when the FTC fined Google US$22.5 million to settle claims it misrepresented privacy assurances to Safari users. Continue reading

Online advertising targeting : a CNIL priority for 2019

Norton Rose Fulbright - Data Protection Report blog

Often questioned about online advertising targeting by both the public and professionals, the CNIL released its action plan for 2019-2020 with a view to providing further details about the applicable advertising rules and to support stakeholders in their compliance with them. Continue reading