Since the Law on Protection of Personal Data and the secondary regulations on the subject are relatively new in Turkish law, they may require some adjustments. Accordingly, the Personal Data Protection Authority (“Authority”) made amendments on April 28, 2019 to three different regulations, namely:
1) Communique on the Principles and the Procedures to be in line with for Performing the Obligation to Inform (“Communique”),
- Subparagraph (f) of Article 3 of the Communique has been amended, changing the definition of data registry system to "registry system where personal data is processed according to certain criteria". The data registry system is defined in the same way in the Law on Protection of Personal Data. The definition is thus compact, in place of the very complex old version.
- Subparagraph (ğ) of Article 3 of the Communique has been amended to set forth the duties of the representative of the data controller, such as receiving correspondence from the Authority and conveying the Authority's requests to the data controller.
- Subparagraph (c) of Article 5 has been repealed. It stated that where personal data is processed in different units of a data controller, each unit must fulfil the obligation to inform individually.
2) Regulation on Deletion, Destruction and Anonymization of Personal Data,
- In subparagraph (e) of sub article 1 of Article 4 of this Regulation, the definition of personal data processing inventory was widened, so that the legal grounds for processing personal data and the maximum storage period for that processing are now among the items that a personal data processing inventory must include.
- The Authority has published on its website the Guideline for Preparing Personal Data Processing Inventory. This guideline is very helpful when preparing a personal data processing inventory, and it even includes a sample inventory.
3) Regulation on Data Controllers’ Registry
- Subparagraph (ç) of sub article 1 of Article 4 of the Regulation on Data Controllers’ Registry has been amended so that the definitions of contact person and personal data processing inventory (same amendment as above) were modified. The data controller itself notifies the Authority of the contact person if it resides in Turkey; if the data controller does not reside in Turkey, the representative of the data controller shall notify the Authority of the contact person.
- Data controllers who are required to register in the Registry are obliged to have a personal data processing inventory.
- Article 14 of the same Regulation has been amended. Under the new version of the provision, in case of changes to the information provided to the Registry, the data controller shall inform the Authority of the changes through VERBİS within 7 days following the date on which the changes took place. Previously, it was not clear when the notification period began.