Legal Entities’ Liability on the Registration of the Branches and Liaison Offices to Data Controllers’ Registry

November 29, 2019, by Ezgi Aydemir

The legal entities registered within Turkey must also be registered with the Data Controllers’ Registry.

 

It has been a grey area which law applies to the Turkish-registered branches and liaison offices of entities that are based outside of Turkish jurisdiction. Below you will find the relevant information on this matter.

 

In the Personal Data Protection Law numbered 6698, a data controller is defined as “a person or legal entity responsible for defining the purposes and methods of processing personal data and establishing and managing the data entry system.” According to the decisions of the Turkish Personal Data Protection Board (numbered 2018/32, 2018/75 and 2018/87), data controllers need to be registered with the Data Controllers’ Registry. However, it has always been a grey area whether legal entities that are registered outside of Turkey and have branches and liaison offices in Turkey are bound by the responsibilities stated in the Personal Data Protection Law.

 

The decision of the Turkish Personal Data Protection Board dated 23 July 2019 and numbered 2019/225 made clear that the Turkish branches of legal entities registered outside of Turkey have to be considered data controllers. In other words, the branches of non-Turkey-based legal entities are liable for defining the scope and purposes of data processing and for the establishment and management of the data entry system. Consequently, these branches established in Turkey must register with the Data Controllers’ Registry without any exemptions.

 

By contrast, liaison offices are not obliged to register with the Data Controllers’ Registry, as they are not considered data controllers. Liaison offices can perform marketing and feasibility activities, conduct some studies in the social and cultural field, make some preparations for mergers and acquisitions between companies, follow job opportunities closely and provide information to the central company; however, liaison offices are not eligible to perform commercial activity.

 

The legal entities based outside of Turkey and undertaking personal data processing activities in Turkey directly or with their branches are considered data controllers and must register with the Data Controllers’ Registry.

Please call our Turkish lawyers based in our Head office (London) to get further information. Our Turkish solicitors are all based in the United Kingdom and would be happy to help.

Ezgi Aydemir