Author: Prof. Dr. H. Murat Develioglu
Introduction
Law on the Personal Data Protection numbered 6698 ("Law") was accepted on 24 March 2016 and entered into force, except for certain articles that are reserved, through publication in the Official Gazette dated 7 April 2016 and numbered 29677.
The purpose of this Law is to protect the fundamental rights and freedoms of persons and, in particular, the confidentiality of private life, and is to regulate the procedures and principles to be followed by natural persons and legal persons who process personal data, and their obligations pursuant to Article 1 of the Law. Pursuant to Article 16 of the Law, in order to effectively fulfill these purposes, the Chairmanship shall keep the record of the Data Controllers Registry ("Registry") that is publicly available under surveillance by the Personal Data Protection Board ("Board").
Within this scope, the general provisions regarding the Registry will be addressed, below, first. Thereafter, a recent decision of the Personal Data Protection Authority ("Authority") will be elaborated upon.
The Obligation to register with the Data Controllers Registry
As per Article 16 of the Law, the data controllers must fulfill their obligations as to the registration with the Registry before starting to process personal data. Likewise, according to Article 8 of the Regulation on the Data Controllers Registry ("Regulation"), which is stipulated and based on the same provision of the law, to determine and provide the application of the rules and procedures as to the formation of the Data Controllers Registry that will be kept by the Chairmanship, publicly, pursuant to the Law under the surveillance of the Board, and its administrations and the registration that will be made to the Registry, the data controllers must fulfill their obligation to the Registry before starting to process personal data.
According to these provisions, the data controllers that are not under obligation to register, but are obligated to register later on, shall file with the Registry within the thirty days following the date they became obligated.
In the event that the Data Controllers who are under obligation to register cannot fulfill their registration obligations due to a factual, technical, or legal impossibility, they shall apply to the Authority within 7 working days following the date when this impossibility arose, provided that they apply in writing, and with justification; and they may demand additional time. The Authority, one time only, may grant additional time, provided that it does not exceed thirty days.
The Exceptions to the Obligation of Registration
As mentioned, above, the data controllers must fulfill their obligations as to filing with the Registry, prior to the processing of personal data. Be that as it may, pursuant to Article 16 of the Law, the Board may allow exceptions to this obligation, by considering the objective criteria to be determined by the Board, such as the qualification of the personal data, its number, whether the processing derives from the law or transfer of the personal data to third parties.
