Serious Privacy
The PICCASO award-winning podcast, for those who are interested in the hottest field of human rights and law on the digital frontier. Whether you are a professional who wants to learn more about privacy and privacy laws, data protection, GDPR or cyber law, or someone who just finds this fascinating, we have topics for you, from data management to cybersecurity, from social justice to data ethics and AI and digital identity protection. In-depth information on serious privacy topics, including interviews with privacy leadership, privacy culture, serious discussions and more.
This podcast, hosted by Dr. K Royal, Paul Breitbarth and Ralph O'Brien, features open, unscripted discussions with global privacy professionals (those kitchen table or back porch conversations) where you hear the opinions and thoughts of those who are on the front lines working on the newest issues in handling personal data. Real information on your schedule - because the world needs serious privacy.
Follow us on BlueSky (@seriousprivacy.eu) or LinkedIn
WEBINAR: 2020 Welcomes the new Turkish Data Protection Act: Is it a reflection of GDPR?
What do organizations need to do to comply with the Turkish Data Protection Act? What does the obligation to register all processing activities entail? And what are the risks of non-compliance? Recorded on 01/15/2020.
To download webinar slides, please visit: https://info.trustarc.com/WB-2020-01-15-TurkishDataProtectionActIsitareflectionofGDPR_RegPage.html
If you have comments or questions, find us on LinkedIn and Instagram @seriousprivacy, and on BlueSky under @seriousprivacy.eu, @europaulb.seriousprivacy.eu, @heartofprivacy.bsky.app and @igrobrien.seriousprivacy.eu, and email podcast@seriousprivacy.eu. Rate and Review us!
From Season 6, our episodes are edited by Fey O'Brien. Our intro and exit music is Channel Intro 24 by Sascha Ende, licensed under CC BY 4.0, with the voiceover by Tim Foley.
Hello and welcome to the Serious Privacy Podcast, where our goal is to get you the information you need at a time that's most convenient to you. Now, one of the wonderful things we're doing is making sure our webinars are available via podcast. This way you can go online, download the materials and claim your one hour of CPE credit, but you can listen to the podcast at a time that works for you. The link to the resources is down in the description, but just so you have it out loud, it is our website, trustarc.com slash resources slash privacy on demand webcasts. And webcasts is plural. Those last four words, privacy on demand webcasts, have hyphens in between them. So please make sure you go get the materials. This webcast is on the new Turkish data protection law. Is it the new GDPR? It's hosted by my co-host Paul Breitbarth, who is featuring three preeminent Turkish law experts. Take it away, Paul.
SPEAKER_05: Good morning, good afternoon, good evening, wherever you may be, and welcome to this first TrustArc Nymity webinar for 2020. Today we will be discussing the new Turkish Data Protection Act. Albeit new, the legislation has of course been in force since 2016, but it now really becomes serious because of the notification requirement going into force later this year. It was actually already expected, when we scheduled the webinar, to be live by this time. So we wanted to make sure that you are well aware of all the compliance requirements under the Turkish Data Protection Act, and we'll also take a look at how it compares to the GDPR. My name is Paul Breitbarth, and I'm TrustArc and Nymity's Director for EU Policy and Strategy. I'm based at our office in The Hague in the Netherlands. For those of you who are not familiar with me, I come from the Nymity side. As you may be aware, TrustArc and Nymity joined forces last November and will go forward as one company as of this year. I'm very happy to be joined by a number of Turkish friends to give you all the details on the Turkish legislation during this webinar. I'll ask each of them, Bora, Kahan and Haki, to introduce themselves. Bora, please.
SPEAKER_03: Thank you, Paul. Hi, this is Bora from Dentons Istanbul. I'm a qualified lawyer in Turkey, and I'm the counsel dealing with regulatory and compliance issues in our Istanbul office. I'm mainly involved in leading teams for the Turkish data protection compliance of our clients, and also in assisting our clients with their day-to-day questions about Turkish data protection rules.
SPEAKER_01: Hi everyone, I am Kahan Dora. I am the head of the IP and technology practice group in the Istanbul BASEAK office. I hold the IAPP certificate and have been practicing personal data protection law for the last eight years in Turkey. We are also conducting compliance programs for our clients in Turkey, and I'm happy to be with you here. Haki.
SPEAKER_04: Thanks, Kahan. Hi, this is Haki. I'm a senior associate in the London office of Dentons, so I'm dually qualified in both England and Turkey. I practiced law in Turkey between 2006 and 2017, and during the last five years of that time I was the head of the TMT and data privacy practices of another leading international firm. Since January 2018, I have been a senior associate in our data privacy team here in the UK.
SPEAKER_05: Thank you very much to all three of you. And indeed, it's good to note that this is a TrustArc Nymity webinar, but we organize it in cooperation with Dentons and BASEAK Istanbul to make sure that you get the best understanding of the compliance requirements under the Turkish law. As I mentioned, TrustArc and Nymity joined forces last November, and we will go forward with a combined platform of privacy solutions. We are currently hard at work on ensuring that the integration of the two platforms takes place in the coming months, and we are starting to make sure that the frameworks on which our two platforms are based align with each other; that work is close to being finalized. So there we're speaking about Nymity's Privacy Management Accountability Framework, which I will talk a bit more about later in the webinar, but also TrustArc's privacy and data governance frameworks. On top of that, we will be offering various knowledge solutions. Those will remain under the Nymity brand, and we will also support organizations around the world, both on the operational side and the intelligence side of their privacy and data protection compliance requirements. There I'm speaking, among other things, about the data inventory, about cookie compliance and web monitoring, but also things like a privacy and risk profile, accountability assessments and data protection impact assessments. Should you want to know more about any of these points, feel free to reach out to us after the webinar, and we'd be happy to give you a demonstration. During today's webinar, we won't discuss product. We really want to make sure that you understand the needs under the Turkish Data Protection Act. So the Turkish colleagues will share with you the outlines, the main requirements under the Turkish Data Protection Act, and also explain what you need to do to comply.

Also, we will make sure that you can compare the Turkish requirements with the General Data Protection Regulation as it applies in the EU. I'll also take a quick look in comparison with the California Consumer Privacy Act, and we'll tell you more about how to leverage your already existing privacy programs, for example based on the GDPR, for compliance. And of course, there is time for questions at the end of the webinar. Should you have any questions, feel free to use the GoToWebinar control panel and send us your questions, and then we'll try to give you an answer by the end of the webinar, if we are able to, of course, and if your questions aren't too complex to discuss in a couple of minutes. Also good to note is that this webinar is being recorded for later viewing. The recording plus a copy of the slides will be sent to all participants in the coming week, and you will then also be able to watch the webinar again on our website or to share it with colleagues who haven't been able to join today. So let's take a look at the Turkish Data Protection Act itself. Let's hear more about the content of the law that, as I mentioned, has been in force since 2016. Bora, I believe you are going to start us off with a background on the timeline. So the floor is yours.
SPEAKER_03: Sure, Paul. Thank you. As Paul indicated, the Turkish data protection legislation was enacted in 2016. So although it is a relatively new piece of legislation, it has been around for a while now. Generally speaking, in an effort to harmonize Turkish legislation with EU legislation, certain of our legal texts are closely modeled after their EU counterparts, and the data protection and privacy legislation in Turkey is one of them. But unfortunately, it's modeled after the previous Directive rather than the GDPR. The Data Protection Act foresaw a transition period of two years following its enactment, during which companies were expected to test and amend their data processing activities for them to be in line with the law. The deadline for that passed in April 2018. So in fact, if a company is not complying with the requirements of the law today, it is violating the data protection law. Apart from the usual compliance requirements like having disclosure statements and policies and procedures, et cetera, the law foresees a separate deadline for the registration of data controllers in a public registry called VERBIS. I will give brief information about VERBIS and its requirements in later slides, but for now, the deadline for registration with VERBIS was originally September 2019. First the authority extended the deadline to December 2019, and last month, in the final days of the year, we got the second extension, to June 2020. Given that this is the second time they're extending the deadline, we do not expect any further extensions. And finally, the fine for violating the registration requirement ranges between 5,000 euros and 275,000 euros. Next slide, please.
SPEAKER_05: Thanks, Bora. And I think Haki will now take us through the comparison of the Turkish data protection law and the GDPR, both the similarities, but also, most importantly I guess, the differences between the two laws.
SPEAKER_04: Yep, thanks, Paul. Yes, we just thought that it would be useful to give a bit of context and background to our guests who might have GDPR experience but who do not necessarily have much experience with the Turkish law. As Bora just mentioned, the law itself is modeled after the pre-GDPR law in the EU, which is Directive 95/46. What this means is that, on balance, I believe there are more similarities between the Turkish law and the EU data protection regime than there are differences. So, for example, if you look at core definitions, personal data to start with, the definition of personal data is almost identical to the definition of personal data under the Directive, which makes it very similar to the definition under the GDPR. So it's defined very broadly. Similarly, when you look at the definitions of controller and processor, they are almost identical as well. So the Turkish law also draws a distinction between data controllers and processors in the same way the GDPR does, and the nature of your organization's obligations will depend on whether you qualify as a controller or a processor. But there is one material difference in terms of definitions that is worth mentioning, which is that the Turkish law does not contain any such term as joint controllership. I think Bora will discuss this later. But what I can say is, since there's no joint controllership, this is one issue that we do not really need to be concerned about, and it can come as a relief given how complicated this particular area of EU law has become. So this is a relief.

In terms of notice and content, so the obligation to provide privacy notices, it is very similar to the GDPR, but the language that needs to be included in the privacy notices is not identical to what is required under Articles 13 and 14 of the GDPR. The Turkish Data Protection Authority is very clear that a privacy notice drafted under the GDPR is not a solution under the Turkish law. So you need to draft a specific Turkish-law-compliant privacy notice to comply with the Turkish law. Consent is another area which is similar: although the law itself is modeled after the Directive, the interpretation of the consent requirement is very similar to that of the GDPR. Consent is defined very similarly; it needs to be specific, freely given and informed. In practice it is very difficult to obtain, but in a way it is very easy to lose. Individuals can withdraw consent at any time, and consent cannot be obtained in a blanket fashion within privacy notices. If we move to the next slide, I will discuss the non-special category data and data security later on, but I think it is worth mentioning the differences before that. In terms of scope, I think one of the most significant differences under Turkish law is that there is no provision in Turkish law which clarifies when, and to which companies, the Turkish law will apply. As all of us who have dealt with the GDPR most probably know, there is Article 3 in the GDPR, which states that the GDPR applies to organizations that are established in the EU, or, if they are not established in the EU, the GDPR applies if they are offering goods or services to EU individuals or monitoring EU individuals' behaviour. There's no such clarification in the Turkish law.

This silence, for me and for many other practitioners in Turkey, suggests that if your organization is processing personal data of Turkish individuals, then the presumption should be that the Turkish law is applicable, irrespective of where the processing takes place or of the circumstances in which the processing takes place. The Turkish authority has actually provided some guidance on this. For example, in the context of data breaches, they said that the Turkish law would apply if the data breach affects Turkish residents and if data subjects are benefiting from the products and goods within Turkey, but I don't think they have made up their mind as to when the law will apply in many cases. For example, as recently as September 2019, in a decision regarding a data breach that happened at Facebook, the authority stated in its decision that Facebook is responsible for the breach of personal data belonging to approximately 300,000 people who were using Facebook in Turkish. So the standard there was people who were using Facebook in Turkish, and the standard was not whether that service was being provided in Turkey or to individuals who are residing in Turkey. So someone who is using Facebook, for example myself: I'm a resident of the UK and I am using Facebook in Turkish. Would that mean that Facebook should apply Turkish law to me as well, even though that service is being provided in the UK? When you look at the law, this is an area which I think is very unclear, especially in comparison to what the GDPR says, and it's an area that needs to be monitored very closely. I think Kahan will also be touching on the practical implications of this uncertainty when he is talking about the registration requirement.

I will not be talking about the other issues on the slides, for example processing of special category data, cross-border data transfers, registration, data breach obligations and penalties, because we thought each of these areas deserves its own separate section. So I will be stopping here.
SPEAKER_05: Okay, thank you very much, Haki. And I see already quite some questions coming in. We'll address those at the end of the webinar. So new laws also mean new compliance requirements. What is it that you need to do? What are all the requirements to be taken into account? Kahan, for that I'll pass the floor to you.
SPEAKER_01: Yeah. Hi everyone again. I just wanted to give you some of the challenges that we have encountered in Turkey during our compliance projects with our clients. These are some major issues that need to be noted. First of all, I wanted to mention the special categories of personal data. The definition of special categories of personal data is similar to the definition of sensitive personal data under the GDPR. One difference is that someone's clothing and attire also constitutes special category personal data under the Turkish data protection law. We think that this category is meant to prevent any discrimination that may arise from the possible relation between somebody's attire and their religious beliefs, and this is something different from the GDPR. Also, contrary to the exemptions in the GDPR for processing such data, there are not many exemptions in the Turkish data protection law, and it forces data controllers to obtain explicit consent. For example, special categories of personal data can be processed with explicit consent, or where it is explicitly foreseen by the law. So there are no other exemptions foreseen in the law; it is more restricted. For the processing of health data, not only is the purpose of the processing limited, but the ones who may process this kind of data are also limited: they are the ones under a confidentiality obligation and the authorised institutions and organisations. So during our compliance projects this has been a big difficulty for the employers in Turkey. It is a great obstacle for processing health data of employees. Employers are obliged to take care of their employees' health data to a certain level. However, none of these employers are considered as authorised organisations by the law.

They actually cannot process that health data, and the lack of strategies in Turkish law leads employers to have the consent of their employees. But, you know, consent is not always legally valid considering the relation between the employer and the employee, so such a solution is actually maybe not a solution. This is one of the challenges in Turkish law. If we can proceed to the other slide, another important topic in Turkey right now is cross-border data transfers. Similar to the GDPR, personal data may be transferred outside of Turkey either by obtaining the explicit consent of the data subject or by conducting the processing activity based on other legal bases, such as performance of a contract or legitimate interest. However, in order to transfer the data to another country based on a legal basis other than consent, this country should be accepted as one of the countries that have an adequate level of protection for personal data, and the Turkish DPA is authorized to announce the adequate countries. However, until now, due to several political reasons, the Turkish DPA has not yet announced any country as an adequate country, and when we search the DPA's guidelines they say that every country is inadequate, so you need to follow the other rules in the law in order to be in line with it. In this case we have two options, it seems: to get the explicit consent of the data subjects before transferring the data outside of Turkey, or to obtain approval from the Turkish DPA and sign a confidentiality commitment with the party to whom you want to send the data. But these options are also problematic because, as I said, explicit consent is not always valid, like in the employer-employee relation, or the data subject may withdraw their consent at any time. In this case, if you are a company and your IT systems are outside of Turkey, or if you are using a cloud service whose data centers are outside of Turkey, you will be in a situation where there is a risk for your business continuity, because if one of your employees withdraws their consent, then you will not be able to keep their data outside of Turkey in your IT systems or in your headquarters. In other cases some of the data subjects may prefer not to give you consent; in this case also there's a risk to business continuity. Also, if you choose explicit consent as a legal basis, then when the adequate countries are announced you will not be able to switch your legal basis to another legal basis, and this will be a problem for the data controller. The other option is to obtain the Turkish DPA's approval, but actually we heard, and this is not official, that there are some applications to the DPA for cross-border transfers, but we haven't heard of any official reply to these applications and we don't know what the DPA's decision will be on such an application. So this may also trigger several risks: if the DPA says you cannot transfer, then again you need to make an investment in Turkey for IT systems or your business continuity will be jeopardized. Therefore we actually recommend our clients to take their own risk, and a risk management approach to these risks can be followed. For example, there is an interesting decision of the Turkish DPA: a company was using Gmail as its email service provider, and the Turkish DPA considered this a cross-border data transfer. However, they didn't apply an administrative fine to this company, but they announced this publicly. At the moment there are fines that have been applied by the Turkish DPA, but they didn't apply any fine about this cross-border transfer.

SPEAKER_05: So at the moment, basically, the data transfer situation is still very complex, if I understand you correctly, Kahan. Apart from explicit consent there is basically no way to get data out of Turkey?

SPEAKER_01: Yeah, that's right, that's right.

SPEAKER_05: And then it's good to realize that also the other way around, of course, the European Union has not made an assessment yet of the Turkish data protection law to find whether or not it is adequate from the EU perspective. So also from the EU to Turkey you would still need to make use of any of the traditional transfer instruments like the standard contractual clauses, possibly binding corporate rules. But even then, if you have to have the data flowing back and forth between the two countries, it will become very difficult. So let's hope that the Turkish authorities will quickly decide on a fixed process and a fixed timeline for providing their approval, including all the requirements, or indeed start to make some decisions on adequacy.

SPEAKER_01: Exactly, Paul, I agree with you. This is really a risky situation at the moment. If you want, we can proceed to the next slide, for the differences in the content of information notices. Actually, as Haki mentioned, there are some slight differences in the information notice requirements. The legal basis of processing should be separately listed in the information notices, but it is not sufficient to mention the legal basis; you also need to give a reference to the related article of the Turkish data protection law. Also, contrary to the GDPR, data controllers do not need to mention retention periods or their retention criteria for each type of data in their information notices in Turkey. There are also slight differences in the data subject rights. In Turkey, data portability and access rights are not considered as data subject rights. You know that these rights have been regulated by the GDPR, so they were also not recognized in the previous Directive, and in parallel with the Directive, in Turkey right now data subjects have no data portability or access rights. Another difference is model clauses. I mean, the Turkish Data Protection Board has announced its own model clauses. Their wording is actually different from the wording of the GDPR or European ones, so when you are drafting an intercompany agreement, or when you are drafting a confidentiality commitment letter from a party who is resident outside of Turkey, you need to take these model clauses into consideration. And a third one, which I didn't show in my presentation, is not a difference, but according to Turkish law, data controllers who are subject to registration with VERBIS, the data controllers' registry, need to prepare a data inventory, and also need to prepare and announce internally a data retention and destruction policy, and also need to prepare and put in force a data incident response plan internally. You know, in the GDPR this is part of the accountability principle, but in Turkey these are legal requirements explicitly foreseen by the regulations. My last slide will be the Turkish DPA's recent activities and enforcement. Paul, can we proceed, if you don't have anything to add?

SPEAKER_05: We can, but before we do, I'm still a bit amazed about the difficulties regarding the cross-border data transfers. You mentioned that there are model clauses that are being prepared or have been prepared. So if you use those, would you then still need to get the consent of the individual or the consent of the DPA, or if you implement those cross-border data transfer clauses, would that be sufficient?
SPEAKER_03: Actually, if you have the model clauses, anyhow you need to get the permission of the DPA. And in case of explicit consent of the data subject, you don't need these model clauses, actually.

SPEAKER_05: Okay. So what would be your advice for now for data transfers: just rely upon explicit consent, or don't try it at all?

SPEAKER_01: Actually, good question and very tricky question, Paul. But one solution that we can mention is just do it and hope for the best.

SPEAKER_05: Yeah, wait and see.

SPEAKER_01: Yeah, yeah, wait and see can be an approach, but, as I mentioned, maybe a risk management approach would be beneficial here: to assess which data and data processing activities are related to this cross-border transfer, whether you can limit them, and, due to the accountability principle, to prepare your documentation and your decision. Also, in cases where you can easily get explicit consent from the data subjects, this can be the easiest way, but as I told you, it is not the best way to go every time. So for each client, and maybe for each data processing activity, it should be considered separately, I would say.

SPEAKER_05: Thank you. So yes, let's take a look at enforcement, because there the Turkish DPA seems already to be quite active, right?

SPEAKER_01: Exactly. I mean, it is interesting, but they are very active. Actually, the Turkish DPA was established in January 2017. The Board is entitled to investigate any violation upon complaint or ex officio, limited to the scope of the breach if the Board is aware of such a breach by itself. So actually, if there is no complaint, they don't take action if they are not aware of any breach. This is something I think positive for the companies who are active in Turkey. The Board is actually not obliged to announce all its administrative acts or actions, but they announced their activity report for 2018 last year. According to this report, it seems that they received 310 applications and finalized 38 of them in 2018. Among these 38 applications, they ruled to impose penalties of around 1,005,000 euros. So it is not that they were not active in 2018, but then everything changed in 2019. Now the Board has increased its activities majorly. Although the activity report for 2019 has not been published yet, the Board has published summaries of certain inspections and penalties. These penalties were imposed upon violations such as data breaches and database leaks, use of public data for purposes other than publication, sending spam messages, et cetera. The major penalties imposed by the Board are the ones imposed on Facebook and Marriott. In one of the Facebook cases, errors occurred in the Facebook API and the View As feature, and application developers gained access to user data. In the Marriott case, third parties gained access to a list of Marriott's guests, including their phone numbers. These were the highest fines applied by the Turkish DPA last year; they were around 2,000K euros. Another interesting issue is that the Board is announcing some of the data breaches on its website and clearly stating the name of the relevant data controller, and this eventually affects the reputation of such companies. For instance, the Board has chosen several times to announce data breaches that have been reported by several reputable Turkish banks. Additionally, even where data controllers report a breach to the Board, we have seen that the Board still issued administrative fines to such companies due to a lack of technical measures or being late with the notification to the DPA. So they were quite active last year, and we assume that they will be active this year also. The maximum penalty amount has been updated; it is around 200,000 euros at the moment. But this is the maximum, and the amount of the penalty applied by the Board may differ according to the severity of the violation and its effects on the data subjects. So, Paul, these are the highlights from my side.

SPEAKER_05: Thank you very much, Kahan. And now we pass back to Bora to discuss VERBIS, the registration requirement that you will have to comply with, if all goes well, by 30 June 2020. Because, just to confirm, no further extensions, right, Bora?

SPEAKER_03: For now, yes. I mean, it's very likely that there's not going to be any further extensions; this is the second time that they're extending the deadline. So VERBIS: what is VERBIS? VERBIS is a publicly available data registry for data controllers. What needs to be registered with VERBIS? VERBIS is a simple version of the detailed inventory that companies are required to have under the law. The detailed inventory contains all data processing activities, data categories, legal grounds, retention periods, data transfers, et cetera, but for VERBIS the controllers need to register only limited information out of their detailed inventories, and the information that needs to be registered with VERBIS should be based on data categories.

As I mentioned previously, the deadline for registration has been extended twice, so it's likely that June 2020 will be the last extension. At this point I should note that the registration requirement is a distinct requirement from having an inventory. So even if you're exempt from the registration requirement, you should still have a data inventory. The registry itself and the registration requirement are a unique feature of the Turkish data protection regime when compared to the GDPR. However, we keep hearing rumors that there might be amendments to the law to bring it more in line with the GDPR. That said, whether those amendments would have an impact on the registration requirement remains to be seen. If we can move on to the next slide, I might talk about the frequent questions that we get about VERBIS registration. As I explained in the previous slide, the registration requirement is for data controllers, so one of the questions that we frequently get is the position of non-Turkish data controllers. Before moving on to non-Turkish data controllers, I should first of all mention that for local data controllers there are certain exemptions from the registration requirement: if you employ fewer than 50 employees and your balance sheet total is below 25 million Turkish liras, which is approximately 3.8 million euros as of today, you're exempt from the registration requirement. But unfortunately there are no exemptions for non-Turkish data controllers. So this creates a question, especially for multinational companies that have a subsidiary in Turkey and that share the same data processing and IT infrastructure with their Turkish subsidiary. We have raised this issue vis-a-vis the Turkish DPA, but currently their position is that we don't have joint controllership under the legislation right now, and therefore both the subsidiary and its parent are separate data controllers, and both of them need to be registered separately with VERBIS. Another frequent question that we receive is the status of liaison offices and branch offices in Turkey. The Turkish legislation requires data controllers to be legal persons, and the separate legal personality of branch offices and liaison offices in Turkey is a controversial subject. However, the DPA resolved this controversy for data protection purposes and ruled that, regardless of the legal personality of the liaison office or branch office, they can still be data controllers. So if the Turkish liaison office or branch office has any processing activities in Turkey, it also needs to be registered with VERBIS as of today. Paul, this is all I have for VERBIS and the frequent questions that we encounter.
SPEAKER_05: Thank you. Thank you very much. That is very helpful. And just as a reminder, organizations doing business in Turkey will indeed need to get that registration up and running in the coming months to make sure that your data processing in Turkey is legal, leaving aside for the moment the continued struggle with international data transfers. So you've heard about the highlights of the Turkish Data Protection Act. Of course, there are dozens of detailed elements in the legislation as well. For those, I would refer to the text of the law and to your own counsel or the counsel of the people on the call today for further details. What we try to do is give you a basic understanding of what it is that the Turkish law expects from organizations that want to process personal data, that want to do business in Turkey going forward. And obviously, when you need to comply with legislation, there are many elements that you need to fulfill. Turkey is a member of the Council of Europe and has also been contributing to the development of Convention 108 and Convention 108 Plus, which now also contains an accountability requirement. That also means that there will be a need to continue to demonstrate compliance to the Turkish authorities, to your business partners in Turkey, and to your business partners outside of Turkey if you're established in Turkey yourself. I always like to refer back to a quote from the Office of the Privacy Commissioner of Canada and the Offices of the Information and Privacy Commissioners of Alberta and British Columbia, who in a joint report spoke about being an accountable organization.

Basically, they state that you must have in place appropriate policies and procedures, promoting good practices and meeting the requirements of the legislation, and that, as a whole, you would need a privacy management program. Especially if you are subject to multiple laws around the world, whether that is GDPR, CCPA, the Brazilian law, the Indian law that is coming up, or indeed the Turkish law that we've been discussing today, what you will need is a demonstrable capacity to comply, at a minimum, with the requirements of those laws, and ideally to have a privacy management program at the higher level. At Nimity and at TrustArc, we have been doing a lot of work to help organizations demonstrate their accountability. I think many of you will have seen the Nimity Privacy Management Accountability Framework before, and that framework provides the backbone of a privacy management program. Many of you have been working with it already from a GDPR perspective and have implemented privacy management activities to make sure that you can demonstrate compliance with GDPR, but you can actually leverage that work to also deal with the Turkish Data Protection Act. If you look at the mapping of the Turkish law, you see that at a category level almost all of the categories that you need to implement for the GDPR, whether that is maintaining a governance structure, maintaining indeed that personal data inventory, or developing your privacy policies, are relevant for both the GDPR and the Turkish law. Does that mean that you can copy your GDPR privacy policies one-to-one for the Turkish law? No. As you heard Khan, Bora, and Haki already say, there are some differences. So you will need to look at the outliers; you will need to look at the delta between the GDPR and the Turkish law, or the other laws on which you have based your privacy program. But there is a lot of work that can be repurposed.

And if you have that accountable privacy program set up on the basis of principles, on the basis of privacy management activities and general frameworks, instead of just on the specific principles of the law, you will be able to reuse a lot of that information also to comply with the Turkish legislation. In the end, it is all about making sure that you can tell the story behind your program: why you have made certain decisions, how you have come to certain conclusions. And as we also heard during the comments on the Turkish law, not everything is crystal clear yet, whether that is on the requirements for consent (when it could be valid, when not), on the requirements for the contracts, or for international data transfers. In some situations, it's just not clear yet what the expectations of the supervisory authority are. That also means that at some point you will have to take a decision ("this is the way we are going to act for now, until the moment we hear otherwise") and then also document that decision to make sure that you can actually start going forward and doing your work. So one accountable program can help you deal with that multitude of requirements and can certainly also help to deal with the Turkish Data Protection Act. And of course, when you already have your GDPR data inventory in place, that can be a massive help to also build the inventory for the Turkish Data Protection Act and then support your registrations in Verbis. So, with about 10 minutes to go, I suggest that we move to the questions. There have been many, many questions, and I see two main concerns from the people listening in to the webinar today. The first is related to international data transfers; the second is related to Verbis and the registration. Bora, I'm getting back to you first on the registration in Verbis.
Because, for a lot of people listening in, it is still not completely clear if they have to register in Verbis or not. Can you confirm that if you are a non-Turkish company doing business in Turkey, you need to do the registration, and also whether that registration requires a local representative?
SPEAKER_03: Thank you, Paul. Yes, I mean, if you're a data controller and you process data in Turkey, then yes, you need to be registered with Verbis right now. And as for your second question, yes, you need to have a representative, and that can be a real or legal person. If that's a legal person, it needs to have a contact person registered to Verbis. That contact person is a real person, and that contact person can be an employee of the company.
SPEAKER_05: And that person, I assume, would also need to master the Turkish language, because all communication on Verbis will be in Turkish, right?
SPEAKER_03: Yes, exactly. Verbis has a kind of web-based interface, so you log into that and you put in the relevant details of your data processing, and it's all in Turkish.
SPEAKER_05: Okay. And this applies to data related both to your customers and your employees?
SPEAKER_03: Exactly. You need to register based on data categories. Depending on the data that you receive from customers and employees, you need to register the data obtained from both of them.
SPEAKER_05: Okay. So yes, the threshold is pretty low if you are not established in Turkey. If you do business in Turkey, even if you're operating from outside, even if you're just having your website in Turkey, but processing personal data, you will likely have to register and you need that local representative. Very good to know. Thank you for that. Coming back to the international data transfers, do you expect that things like binding corporate rules will be accepted for cross-border transfers in the future?
SPEAKER_01: Paul, actually the Turkish DPA is at the moment working on that. At the moment they are not accepting binding corporate rules, but they are working on it, as far as we have heard. And actually, due to this adequate-country issue, this would be a good solution for the international companies who have activities in Turkey, and we are expecting such a decision of the board within 2020.
SPEAKER_05: Okay, so at least there is hopefully light at the end of the tunnel. Another question that came in, for which I must say I also don't see an easy way out: how can companies use common IT solutions such as Salesforce or HR systems at the moment?
SPEAKER_01: Yeah, this is what we encounter in most of the global companies. They are using these kinds of platforms which all the countries can access, and access to the data is a cross-border transfer. Most of them are also, you know, the HR departments are in a matrix management organization; they are reporting to the regional HR departments or managers or the head of HR in the headquarters, and also the industry. They can be the data controllers also. That's why what we recommend to our clients is, first of all, we need to determine whether the headquarters or the regional management or the other group companies are data controllers in that case, or if they are just data processors in that case, or providing the system. They need to attest, and if it's just a processor of data, then they need to get consent of the data subjects, and that consent is not stowed, in my opinion. And the DPA approved the second option, but it seems that it doesn't work right now in Turkey. So again, at the moment most of the companies unfortunately are still using these applications with a wait-and-see approach; most of them are using a wait-and-see approach, or they are trying to get consent from their employees. These are the two options at the moment, I would say, Paul.
SPEAKER_05: Thank you. I appreciate your honesty. The next question I think is for you. Would pseudonymized data, especially pseudonymized research data, be considered personal data under the Turkish Act or by the DPA?
SPEAKER_04: Hi Paul, yes. I think, you know, the definition of personal data is very similar. Under GDPR, pseudonymized data is personal data. So given that the Turkish Data Protection Authority follows the EU definition, and the interpretation of the EU definition of personal data, very closely, we should presume that pseudonymized data is personal data to the extent an individual can be identified, or is identifiable, from that data. But just to mention, there's no definition of pseudonymization under Turkish law.
SPEAKER_05: Okay, thank you for that. And maybe, Bora, a final question for you, because we are quickly running out of time. What about the enforcement strategy of the Turkish DPA? Do they only work on the basis of complaints? Are they proactively selecting data controllers and processors to inspect? And if so, are they just coming from Verbis, or can they go anywhere?
SPEAKER_03: Right now they are not doing it proactively. They are doing it reactively, and they're only responding, as far as we can see, to complaints that they receive. But as I told you, Verbis registration is the requirement, and they would be able to see whether you're exempt from Verbis registration or not, because they are in close connection with the tax authorities, so that they can get your balance sheet, and they are in close connection with the social security institutions, so that they can get your number of employees. So after the registration deadline has passed, they might switch to a more proactive approach, especially for Verbis registrations.
SPEAKER_05: So that is what we can indeed expect for the second half of 2020. Well, that wraps up the time that we have today. Thank you very much for listening in. I know we haven't been able to answer all of your questions, and certainly we are not able to give you satisfactory answers to all of the questions, especially in relation to international transfers. If you would like to learn more about how TrustArc and Nimity can help you deal with compliance in Turkey or in other jurisdictions, please reach out to us via the information on screen. And if you require further legal information on the Turkish legislation, please reach out to the lawyers you heard today, either at BATIAC or at Dentons. They work together, so please reach out to them directly. We will also take another look at the questions that we received and see where we will be able to provide an answer to you in writing. Just so you know, we are working on the webinar schedule for TrustArc for the remainder of 2020. There will be many more webinars to come, and in any case also the quarterly updates that you are used to from Nimity, whether that is on the European Union, on the United States, or on other regions; they will come back shortly. So keep track of our website if you would like to be informed on webinar updates. For now, you could edit in.
SPEAKER_06: Thank you very much for attending the webinar today, and have a great rest of your day.