Companies with operations in Turkey should be aware of Turkey's new data protection law, which requires data controllers to register with the country's data protection authority (DPA) by the end of this year. 

This includes providing a detailed record of processing activities that is different from the records required under the EU general data protection regulation (GDPR). 

Failure to do so may result in fines of up to 1,470,583 Turkish lira (around $255,700 or €232,500).

Who falls under the registration requirements?

Although the data protection law does not explicitly set out its territorial application, it extends to data controllers established outside Turkey when 'persons in Turkey are affected'. That means that any data controller established outside Turkey will likely fall under the law if they offer goods or services – or targets persons – in the country.

There are exemptions for data controllers for smaller Turkish businesses and for certain processing activities. Notwithstanding their location, certain professionals like lawyers and political parties are also exempt. But beyond this, there are no exemptions for controllers established outside of Turkey. 

Registration with Turkey's DPA

Data controllers will have to notify Turkey's DPA of the categories of data subjects and recipients, the purposes of data processing, personal data transfer to third countries, processing periods and security measures. 

They will have to provide this information during the registration process and with the support of a Turkish citizen, who has to serve as a local contact.

After registration, data controllers will have to prepare a personal data processing inventory, which will contain similar – but more detailed – information. The inventory is like the records of processing activities that controllers must prepare under Article 30 of the GDPR, but is structured slightly differently (eg it covers extra categories of personal data).

Deadlines and fines

There are four registration deadlines. Data controllers: 

  • established outside of Turkey must register by 31 December 2019;
  • with more than 50 employees or an annual financial balance sheet total exceeding TRY25m must register by 31 December 2019;
  • whose main area of activity is processing special categories of personal data, notwithstanding financial size and number of employees, must register by 31 March 2020; and
  • that are public institutions must register by 30 June 2020.

Infringing the notification and registration obligations may lead to administrative fines of up to $250,000.