Recent Development
The Turkish Data Protection Board (“Board”) evaluated the data controller status of the local branches and liaison offices of foreign legal entities in its recently published decision no. 2019/225 (“Decision”) dated July 23, 2019 and published on the Turkish Data Protection Authority’s (“Authority”) website on October 7, 2019.
What Does the Decision Say?
The Board received an application requesting its opinion on whether foreign legal entities and their local branches and liaison offices may be evaluated as data controllers. The Board evaluated that foreign legal entities who are conducting personal data processing activities, directly or through their branches, should be considered data controllers.
With regards to local branches, the Board first assessed the legal status of a branch, considering the relevant articles of the Turkish Commercial Code, the Law No. 5174 on the Turkish Union of Chambers and Exchange Commodities and Unions and Chambers, the Banking Law and the Regulation on the Trade Registry. In light of this assessment, the Board underlined that, even though a branch does not have a separate legal entity, it has the capacity to conduct commercial actions on its own and must be registered with the trade registry. In this regard, the Board stated that a branch may act independently in terms of data processing activities.
Additionally, the Board also referred to Article 4 of the General Data Protection Regulation (GDPR) and highlighted that having a legal entity is not a requirement under the GDPR to be a data controller. In this regard, branches may be considered local data controllers separately from the foreign legal entities if they are responsible for determining the processing purposes and methods, and building and maintaining personal data recording systems. In this event, if branches meet the requirements of employing more than 50 employees a year or an annual balance sheet above TRY 25 million, they may be obliged to enroll in the Data Controllers Registry system, the VERBIS, separately from the foreign data controller legal entity.
With regards to liaison offices of foreign legal entities, the Board stated that liaison offices working with the purposes of communication, feasibility assessments, social and cultural works, preparation for mergers and acquisitions, as well as conducting marketing and advertising, and monitoring business opportunities in the country they are situated and informing the headquarters about these. As a result, considering that liaison offices are not branches, the Board concluded that liaison offices are not data controllers and they do not have VERBIS registration obligation.
Conclusion
Data controllers that do not fulfill their obligations under Article 18 of the Data Protection Law regarding the VERBIS registration and notification, may be subject to the administrative fines foreseen in the legislation. Therefore, data controllers must finalize VERBIS registrations by the December 31, 2019 deadline.