personal data protection and verbis registration obligations for foreign company branches and liaison offices located in turkey

28 August 2020

Personal Data Protection and VERBIS Registration Obligations for Foreign Company Branches and Liaison Offices Located in Turkey

The Law on the Protection of Personal Data (“KVK”), which has entered into force in 2016, has brought various obligations to real persons and legal entities to ensure that data security is achieved in international standards.
The KVK has defined personal data very broadly. Accordingly, even data items such as identification numbers, phone numbers, place, and date of birth, address and pictures collected from employees, service providers, customers or any other real person within the scope of operational activities will be evaluated as personal data within the scope of the legislation. Therefore, it may be evaluated that almost all liaison offices and branches are subject to the obligations indicated below.

 

VERBIS Registration Obligation of Data Controllers that Processes Data Through a Liaison Office or Branch


All data controllers are obligated to take the necessary administrative and technical measures and drafting mandatory documents specified in the KVVK; however, not all are required to register with the Data Controllers Information Registry ("VERBIS"). This has created some confusion for liaison offices and branches of foreign companies in Turkey.

The Personal Data Protection Board ("Board"), which is an independent regulatory authority established within the scope of KVK, has clarified this issue in a board decision dated 23 July 2019, and numbered 2019/255. The decision clearly indicates that data controllers located abroad that process personal data through a liaison office or a branch are required to be registered with VERBIS.

Due to the COVID-19 pandemic, the deadline for the VERBIS registration has been postponed to 30 September 2020. Data controllers who process data in Turkey through a liaison office or branch are required to register with VERBIS until the respective date.

 

Other Obligations of the Data Controller


Data controllers are required to take administrative and technical steps to ensure the safety of the personal data they process. These include the obligation to inform data subjects, carrying out data analysis, creating a data inventory, preparation of data governing documents (such as Personal Data Retention and Disposal Policy), ensuring erasure, destruction or anonymization of personal data, registering with the VERBIS, carrying out awareness trainings for employees and implementing other available measures.

 

Sanctions for Violation of the VERBIS Registration and Data Protection Obligations


The Board is authorized to impose administrative fines on persons and organizations that breach obligations stipulated in the relevant legislation. Some administrative fines determined under the KVKK are listed below:

  1. TRY 9.013 to TRY 180.264 for data controllers who do not fulfill the obligation of clarification,

  2. TRY 24.040 to TRY 1.802.636 for data controllers who do not fulfill the obligation of data security,

  3. TRY 45.066 to TRY 1.802.636 for data controllers who do not fulfill the Board’s decisions regarding procedures and principles,

  4. TRY 36.053 to TRY 1.802.636 for failure to register in VERBIS.

Moreover, the Turkish Criminal Code regulates several different crimes with respect to personal data. The crimes may be punishable with a prison sentence between 1 to 3 years. Compliance projects relating to the protection of personal data are likely to significantly decrease risks relating to the realization of these crimes.

 

Unforeseen Danger for Liaison Office Representatives and Branch Managers


The administrative fines imposed on data controllers located abroad are likely to be addressed to their liaison offices or branches in Turkey. In the event the data controller fails to fulfill its payment obligations, the respective administrative fine may be enforced on the personal assets of the representative of the liaison office or managers of the branch, in accordance with the Law on the Procedure for the Collection of Public Debt.

 

Conclusion


VERBIS registration is mandatory for foreign companies that process personal data from Turkey directly or through their liaison offices or branches. Significant administrative fines are determined in the law for the breach of these obligations. The deadline for VERBIS registration has been postponed to 30.09.2020. The registration process shall include analyses of personal data processed from Turkey, drafting personal data inventory, and drafting certain legal documents which can take up to 3 to 4 weeks.

 

Sign Up For The Newsletter Now

You can fill the form below to subscribe to our e-newsletter submissions.

I have read and accept the personal data protection law