Regulation on the Registration of Data Controllers

The Regulation on the Registry of Data Controllers (the “Registry Regulation”), the draft of which was submitted for public comment last week, was published in the Official Gazette on 30 December 2017 and entered into force on 1 January 2018.


The Registry Regulation applies to any real or legal person who is responsible for determining the purposes and means of processing personal data (“Data Controllers”) and it sets forth the principles and procedures for the establishment of the official Registry of Data Controllers (the “Registry”) as well as the obligation of Data Controllers to be recorded in the Registry as envisaged under the Code on the Protection of Personal Data No. 6698 (the “Data Protection Code”). Understanding of and compliance with the Registry Regulation is essential, given that failure to fulfill the obligation to register may result in administrative fines of between TRY 20,000 and TRY 1,000,000.

According to the Registry Regulation, Data Controllers are obliged to sign up with the Registry before they begin processing personal data. The Registry will be established and operated by the Personal Data Protection Institution (the “Institution”) and supervised by the Personal Data Protection Board (the “Board”).


For full copy of the alert, please click here.