1. General

The Personal Data Protection Board (the “Board”) has decided to impose administrative fines on Meta and WhatsApp separately on the grounds that they did not fulfill their obligation to register with the Data Controllers’ Registry (the “Registry”). The decision has not yet been published on the website of the Personal Data Protection Authority (the “Authority”). Due to the administrative fines applied to Meta and WhatsApp, we present our bulletin, which includes brief information regarding the obligation to register with the Registry, as well as evaluation the relevant penalty.

2. Data controllers who are under the obligation to register with the Registry

Pursuant to Article 16 of the Law on the Personal Data Protection Law No. 6698 (the “Law”), persons who process personal data must register with the Registry before starting data processing. The procedures and principles regarding the Data Controllers Registry are regulated under the Regulation on the Data Controllers’ Registry (the “Regulation”), and it is regulated in the Regulation that the procedures regarding the Registry should be carried out through VERBIS, an information system established by the Personal Data Protection Authority.

In addition, in Article 16 of the Regulation, it has been stipulated that the Board has the authority to determine the exceptions of the obligation to register with the Registry, with a decision to be taken. As a result of the decisions taken by the Board until today:  

(i) Data controllers residing in Turkey with more than 50 annual employees OR with total annual financial balance sheet of more than TL 25 million, and data controllers residing abroad;

(ii) Data controllers whose annual number of employees is less than 50 and whose annual financial balance sheet does not exceed TL 25 million, but whose main activity is to process special personal data, and

(iii) Public institutions and organizations data controllers

are obliged to register with the Registry through VERBIS and are not within the scope of the exception. Therefore, data controllers not included in the above scope (and some other data controllers excluded from the registration with the Registry due to the decisions taken by the Board) are exempt from registration with the Registry.

The Board decided on 11/03/2021 that the above-mentioned data controllers who are not within the scope of the exemption should be registered with the Registry until 31/12/2021 at the latest.  

2.1. Calculation of Annual Number Employees Criterion

The opinion of the Board on how to calculate the criterion of "annual number of employees" sought to determine the scope of exception for registration with the Registry is as follows:

“In order to calculate the annual number of employees, first of all, there must be a completed year and the number of employees reported in the Concise and Premium Service Declaration, which is given monthly by the data controller to the authorized public institutions and organizations, at least 7 of the 12 months within this completed year, must be taken into account.”

“For example, if a data controller has more than 50 employees in each of at least 7 of the Concise and Premium Service Declarations it has submitted to the Social Security Institution in 2022, the registration obligation will begin on 01.10.2022.”

2.2. Calculation of Annual Financial Balance Sheet Criterion

The opinion of the Board for calculating the criterion of "total annual financial balance sheet" sought to determine the scope of exception for registration with the Registry is as follows:

“First of all, there must be a completed year and the financial balance sheet information in the financial statements attached to the income or corporate tax return submitted annually by the data controller to the authorized public institution within this completed year should be taken into account. Accordingly, the total figure in the "active" or "debt" section of the balance sheet attached to the declaration of the data controller should be taken as a basis. These numbers must be equal.”

3. Registration with the Registry and Sanctions

Data controllers, who are determined to be under the obligation to register with the Registry after the calculations are carried out in line with the above explanations, are required to register with the Registration via VERBIS. Data controllers, who are not under the registration obligation and later become the registration obliged, must register with the Registry via VERBIS within thirty (30) days following their obligation.

It has been regulated that an administrative fine may be imposed by the Board on data controllers who do not fulfill this obligation despite being within the scope of registration and notification obligation to the Registry. The amount of administrative fine is re-determined each year, and the lower limit for 2023 has been determined as TL 119,428 while the upper limit for 2023 has been determined as TL 5,971,989.

4. Evaluation and Conclusion

As explained above, after the relevant legislation on the protection of personal data was enacted, the Board not only determined the data controllers who were exempt from registration to the Registry, but also extended the registration period for the data controllers who had to register with the Registry. It is seen that the Board has started to impose administrative fines on data controllers who do not fulfill their obligation to register with the Registry after the deadline of 31/12/2021. In this regard, it has been decided by the Board to impose an administrative fine of TL 2,665,000 (approximately 126,000 Euros) separately to Meta and WhatsApp on the grounds that they did not fulfill these obligations. The criteria on how to determine the number of administrative fines are not included in the relevant legislation, and data controllers may request information from the Board regarding which criteria are taken into consideration in this determination. When the Board decision on the penalty applied to Meta and WhatsApp is published, we will be able to reach more concrete data on the determination of these amounts. Judicial remedy may be sought against Board decisions, and it is always possible for data controllers who are subject to administrative fines to seek for judicial remedy, provided that it is within the time limit.

Kind regards,

For further information and inquiries please contact:

info@ozel-law.com

ÖZEL Attorneys-at-Law

This bulletin has been prepared on 30/03/2023 in order to share the legal developments in Turkish law. It does not include any legal advice nor guidance; for general information only.