The Regulation on Data Controller Registry (the “Regulation“) was published in Official Gazette number 30286 on 30 December 2017 through Data Protection Authority (the “Authority”) and entered into force as of 01/01/2018.
The Data Controllers must register with the Data Controller Registry before processing personal data and within the term announced by the Personal Data Protection Board (the “Board”) as a rule according to the Regulation. Although, the Board is able to make exceptions to the obligation to register in “Data Controller Information System” (“VERBIS”) for some data controllers by considering certain key principles as detailed in the Regulation.
Within this framework, some data controllers are not obliged to register in VERBIS in accordance with the Board’s Decision dated 02/04/2018 and numbered 2018/32 which is published in Official Gazette number 30422 on 15/05/2018. Therefore;
- Data Controllers that process personal data only through non- automated means, provided that it is a part of any data recording system,
- Notaries,
- Associations, Foundations, Trade Unions (limited only to data processing activities for their members, employees, relatives and donators),
- Political parties,
- Attorneys at law,
- Independent accountant and financial advisor and certified public accountants,
are not obliged to register in VERBIS.
The most striking point in this list is the “Data Controllers that process personal data only through non- automated means, provided that it is a part of any data recording system” (“context”). Nowadays, personal data are processed by automated means in general. However, the data processed through non – automated means, transfer quickly to an electronic database in many places. Correspondingly, the “personal data processed by automatic means” and the “personal data through non- automated means, provided that it is a part of any data recording system” are protected by the Law on The Protection of Personal Data (the “Law”).
Therefore, the “personal data through non- automated means, provided that it is a part of any data recording system” is not completely excluded from the application of this Law. The crucial point herein is whether the data processed in non-automatic means is part of the data recording system. For example, the fact that an identity number data is written casually on a paper without any criteria, is not determined within the scope of the Law, however in case a personal data is systematically recorded in a file, this data recording shall be in the scope of the Law. Hence, it is necessary to understand this context as “manually processed personal data”. Under the circumstances, the data controllers that process “personal data only through non- automated means, provided that it is a part of any data recording system” are not obliged to register in VERBIS, however they have to follow all legal and technical procedures stipulated in the relevant legislation.
In the same way, the data controllers exempted from VERBIS, shall continue to fulfil other obligations (i.e. keeping personal data processing inventory, preparing personal data storage and destruction policy, etc.) imposed on it by the relevant legislation.
Regards,
CELIKBAS LAW OFFICE