Following the enactment of the Law on the Protection of Personal Data (“Law”) in 2016, all natural and legal persons that meet certain requirements and thresholds stated under the Law should register themselves to the Data Controllers Registry (“VERBIS”) as a part of their personal data protection compliance. Indeed, many organizations such as NGOs working in humanitarian sector, who regularly process personal data (i.e. Syrian refugee’s name, address, gender, race) for their operations are required to ensure that they are in compliance with the Law so that their personal data processing activities are being conducted in orderly manner in Turkey.
Nonetheless, there has been some discussions around whether NGOs have such VERBIS registration obligation and whether INGOs that operate through their registered representative offices in Turkey fall under the scope of the Law as well as VERBIS registration obligation stipulated thereunder.
In April 2018 and in December 2019, the Personal Data Protection Board published decisions, which had limited the VERBIS registration exemption to Turkish associations, foundations and the unions who only process their employees’, members’ and donors’ personal data within the scope of their activity.
Personal Data Protection Board’s decision dated 02.04.2018 and numbered 2018/32
Personal Data Protection Board’s decision dated 26.11.2019 and numbered 2019/353
In April 2020, however, the Board published another decision and introduced a blanket exemption for all Turkish NGOs. In other words, associations (dernek) and foundations (vakıf), which are established in Turkey do not have VERBIS registration obligation; however, it is crucial to clarify that being exempted from the obligation to register with VERBIS does not necessarily mean that they do not have the obligation to ensure their organizations’ compliance with the data protection rules. Indeed, NGOs are strictly required to take the legal, technical and administrative measures to comply with the Law.
INGOs operating through their registered representative offices in Turkey, however are not exempted from VERBIS registration obligation. They need to first appoint a data controller representative who must be a Turkish legal entity or Turkish natural person; then, prepare and submit a personal data inventory that indicates data subjects, personal data types, processing purpose for each personal data and technical and administrative measures, which are being taken to comply with the Law.
Personal data protection compliance is highly significant and legally indispensable for sustaining NGOs’ and INGOs’ activities in Turkey and requires tailored approach for each organizations’ specific operations and processes. Indeed, organizations operating in humanitarian sector in Turkey, which mostly process personal data (name, ID numbers, gender, nationality etc.) of their beneficiaries (i.e. Syrian refugees) and transfer collected personal data abroad are required to immediately take necessary steps for complying with the Law – otherwise, they may face serious administrative fines and/or criminal charges depending on the gravity of their violation.