Your Partner
in Legal Success
| Reading Time: 6 Minutes
The Announcement of The Turkish Personal Data Protection Board on Extension of The Deadline to Register With The Verbis System
The Turkish Personal Data Protection Board Announces Extension of The Verbis System Registration Deadline
Resolution No: | 2019/387 |
Subject: | Amendment in registration dates to Data Controllers’ Registry |
The Brief Summary of Personal Data Protection Board’s Resolution on The Dates With Regard to Registration to The Data Controllers’ Registry
Pursuant to Article 16 of the Code No. 6698 on the Protection of Personal Data, real persons or legal entities processing personal data shall register with the Data Controller’s Registry before processing.
Data Controllers’ Registry is maintained by the Personal Data Protection Authority in an open to public manner under the auspices of the Turkish Personal Data Protection Board (‘‘Board’’). The Data Controllers are obliged to enter and provide information to the so-called Data Controllers’ Registry Information System (‘‘VERBIS’’) concerning their processing personal data.
Since VERBIS is maintained publicly, it offers the real persons whose personal data has been processed to control their data; accordingly, VERBIS is a transparent and accountable system.
The Law imposes the obligation to register with VERBIS for real persons and legal entities processing personal data, and sanctions have been stipulated for those who fail to meet this obligation. However, the primary objective is to ensure transparency in personal data processing, to make sure the data controllers pay attention to comply with the Law and make the data processing in a disciplinary manner, providing accountability, to avoid haphazard processing of the personal data and to provide awareness and culture on data processing.
As a result of assessments made based on VERBIS, it has been observed that some of the Data Controllers believe that they meet the obligation only by sending the Application Forms to the Personal Data Protection Authority and accordingly fail to make notification. It is important to note that the contact person shall complete the notification after having access through the ‘Register’ button.
The obligation to register with the system and notification would not be finalized unless made through the system. As known, the obligation stipulated in Article 16 of the Code is registration and notification for the data controllers who are not within the scope exemption. In this regard, Data Controllers shall first access VERBIS and fill in the Application Form through the system, and afterwards deliver the Application Form to Board via courier, mail, in person or through KEP registered e-mail address. After submitting the Application Form, the Authority will send the Data Controller a username and password. The Data Controller shall notify the VERBIS system with this username and password.
On the other hand, it has been observed to meet the registration and notification requirement within the due course. The Data Controllers have made extensive and profound applications and notifications in recent days through VERBIS.
The primary objectives of the registration and notification requirement set forth at Code No.6698 for the Data Controller are to ensure;
- Transparency in data processing,
- Avoiding haphazard processing of the personal data and disciplining personal data processing activities,
- Increasing culture and awareness at all segments of the society on data processing, providing accountability against the data owners whose is data is being processed,
- Data Controllers comply with the Law,
- Registration of all Data Controllers to the VERBIS, except for the exempted ones.
As it could be understood from the previous objectives, registration and notification require registration with VERBIS in due course and accuracy and reliability of the updated information to be provided to VERBIS within the context of personal data processing activities.
Based on the reviews made at VERBIS on the recently provided notifications, it has been concluded that; the processed personal data does not reconcile with purposes of process, the receivers of the transmitted information, data owners, technical and administrative measures taken, sufficient measures to be taken for personal data with special character, the transmission of the data abroad, and the period for the preservation of data. It is also concluded that there are serious mistakes and non-compliance with the Code and Regulation.
It is understood that one of the reasons behind such mistakes is attempting to make a registration within the deadline set forth by the Board to avoid the sanctions stipulated in Article 18 of the Code.
There are certain provisions set out in Article 16 of the Code. It is stated that other procedures and principles related to Data Controllers’ Registry shall be set out by secondary legislation. Accordingly, the following subparagraphs have been outlined in Article 5 of the Regulation on Data Controllers’ Registry published at Official Gazette of Turkey dated 31.12.2017;
“ç) The Data Controllers who are obliged to register with VERBIS are also obliged to prepare a ‘‘Personal Data Processing Inventory’’ and information to be disclosed to the Registry shall be prepared based on Personal Data Processing Inventory.
d) Information published at the Registry based on Personal Data Processing Inventory shall be used in the duty of explanation imposed on the Data Controllers at Article 10 of the Code; in providing an answer to the queries of the relevant person and determination of the content of the open consent stipulated at Article 13 of the Code.
e) Data Controllers are responsible for accuracy, completeness, up to datedness and compliance with the Law of the information which is submitted to and published at the Registry.”
Accordingly, first and foremost, Data Controllers are obliged to prepare a Personal Data Processing Inventory including all the phases for data processing in meeting their Registry obligations to VERBIS and notification. In making the notification, instead of randomly, the entries shall be made based on the Personal Data Processing Inventory.
Besides, in accordance with Article 16 of the Code, which stipulates that changes in the information provided to Registry shall be immediately notified to the Authority and Article 13 of the Regulation on Data Controller Registry, which imposes notification to the Authority of all changes within a week through VERBIS, all the updating shall be completed within the set deadline.
Having reviewed the information and made an evaluation based on the information entered into the VERBIS system within the context of registration and notification requirement the Board has decided as follows;
a) Within the scope of registration with VERBIS and notification requirement; it has been decided to remind all Data Controllers that,
- Some of the Data Controllers has only submitted the Application Form. However, the requirement stipulated in Article 16 of the Code requires both registration and notification. Therefore it is mandatory to log into VERBIS through assigned username and password and completion of notification on personal data processing activity,
- The main objective of registration with VERBIS and notification is to ensure transparency in personal data processing, avoiding haphazard processing and disciplining the processing activity, increasing the culture and awareness in this area, providing accountability against the data owners to ensure the Data Controllers comply with the Law and registration of all the Data Controllers except for the ones who are granted with exemption,
- Registration with VERBIS and notification requirement should not be interpreted as only making Registry within the due course to avoid the sanction stipulated at the Law, and Registry and notification itself might be contrary to the Law,
- Having reviewed the recent notifications made to VERBİS, it is understood that the personal data does not coincide with purposes of the process, the receiver/receivers group, personal data owners, technical and administrative measures taken, sufficient measures, the transmission of the data abroad, and the time for the preservation of data. It is also concluded that there are serious mistakes and non-compliance with the Code and Regulation.
- Information submitted to VERBIS shall be accurate and updated, and the pertinent Data Controller has the responsibility for this information,
- The Data Controllers who are obliged to register with the Registry are also obliged to prepare a Personal Data Processing Inventory per the Regulation on Data Controllers’ Registry,
- Data Controllers are obliged to prepare Personal Data Processing Inventory first, including all the phases for data processing in meeting their Registry obligations to VERBIS and notification. In making the notification, instead of randomly, the entries shall be made based on the Personal Data Processing Inventory.
- Changes in the information registered to the Registry shall be immediately notified to the Authority within a week starting from the occurrence of the change.
b) In the light of the explanations provided above and taking into consideration the Data Controllers who made haphazard registration and notification without preparation of Personal Data Processing Inventory and the Data Controllers who did not complete the inventory preparation phase and as a result of which who would not be able to make the registration and notification within the set deadline; besides to correct the mistakes and rectify non-compliance with the Law immediately; according to the Provisional Article 1 of the Code No:6698, the Board has decided as follows,
- For the real person and legal entity Data Controllers, who have more than 50 employees annually or have a balance sheet sum of more than 25 million TRY per year, the deadline for registration with the VERBIS and notification requirement has been extended to 30.06.2020.
- For the real person and legal entity Data Controllers who are domiciled, incorporated abroad, the deadline for registration with the VERBIS and notification requirement has been extended to 30.06.2020.
- For the real person and legal entity Data Controllers who have less than 50 employees annually and have a balance sheet sum of less than 25 million TRY per year, but still having main activity as processing personal data in a special character, the deadline for registration with the VERBIS and notification requirement has been extended to 30.09.2020.
- For the public institution Data Controllers, the deadline for registration with the VERBIS and notification requirement has been extended to 31.12.2020.
c) It has also been decided to announce that Decision on the web page of the Personal Data Protection Authority and publish it at the Official Gazette of Turkey.
Source: <https://www.kvkk.gov.tr/Icerik/6631/Veri-Sorumlulari-Siciline-Kayit-Yukumlulugune-Iliskin-Kurulca-Belirlenen-Tarihler-Hakkinda-2019-387-Sayili-Kurul-Karar-Ozeti>.
Article Keywords: VERBIS, Verbis System, Extension of The Deadline to Register With The Verbis System, The Brief Summary of Personal Data Protection Board’s Resolution on the dates about registration to the Data Controllers’ Registry, The Announcement of The Turkish Personal Data Protection Board on Extension of The Deadline to Register With The Verbis System.
Related Article: Liabilities of Members of Board of Directors at Joint-Stock Companies Within The Context of Personal Data Protection Law in Turkey.