The legal entities registered within Turkey must be also registered with Data Controllers’ Registry.
It has been a great area what was the applicable law for branches and liaison offices for Turkey registered entities that are based outside of Turkish jurisdiction. Here below you will find the relevant information on this matter.
In the Personal Data Protection Law numbered 6698, a data controller defined as “a person or legal entity responsible for defining the purposes and methods of processing personal data and establishing and managing the data entry system.” According to the decisions of the Turkish Personal Data Protection Board (numbered 2018/32, 2018/75 and 2018/87), the data controllers need to be registered with the Data Controllers’ Registry. Besides, it has always been a grey area whether the legal entities registered outside of Turkey and have the branches and liaison offices in Turkey are bind with the responsibilities stated as in the Personal Data Protection Law.
With the decision of Turkish Personal Data Protection Board (dated on 23 July 2019 numbered 2019/225), it is revealed that the Turkish branches of legal entities which are registered outside of Turkey have to be considered as data controllers. In other words, non-Turkey based legal entities’ branches are liable for defining the scope and purposes of data processing and the establishment & management of the data entry system. Subsequently, these branches of the legal entities established in Turkey must register with the Data Controllers’ Registry without any exemptions.
On the contrary, the liaison offices are not obliged to register with the Data Controllers’ Registry as the liaison offices are not considered as data controllers. The liaison offices can perform marketing and feasibility activities, conduct some studies in social and cultural field, make some preparations for mergers and acquisitions between companies, follow up the job opportunities closely and provide information to the central company; however, the liaison companies are not eligible to perform commercial activity.
The legal entities based outside of Turkey and undertaking personal data processing activities in Turkey directly or with their branches are considered as data controllers and must register with the Data Controllers’ Registry.
Please call our Turkish lawyers based in our Head office (London) to get further information. Our Turkish solicitors are all based in the United Kingdom and would be happy to help.