Within the scope of the Turkish Personal Data Protection Law No. 6698 (“Law”) and secondary legislation, various obligations regarding natural or legal person data controllers who process the data of real persons within the framework of their activities are regulated. According to the Law, the data controller is defined as “natural or legal person who determines the purposes and means of the processing of personal data, and who is responsible for establishment and management of the filing system”.

In this context, the following will be explained:

• with respect to scope of the Law, The Regulation on the Data Controllers Registry No. 30286 (“Regulation”), and Guidelines published by the Personal Data Protection Authority (“Authority”), the obligation of designating a data controller representative by non-resident legal entities operating in Turkey,
• in light of the relevant decision of the Authority[1], their branches and liaison offices, to determine whether they have the title of data controller and must register in the Data Controllers Registry Information System (“Registry”).

In terms of legal entities residing abroad,

• One of the obligations stipulated in the legislative framework is that data controllers residing abroad designate a legal person residing in Turkey or a natural person who is a citizen of the Republic of Turkey as their representative. The methods and principles for designating a data controller representative are specified in the Regulation and the Authority’s decisions.
• In parallel with this regulation, pursuant to Article 27 of the European Union General Data Protection Regulation (“GDPR”), data controllers (or data processors) established outside the European Union (“Union”) have an obligation to specify an authorized representative within the Union in written form.
• In accordance with the Regulation,
• The data controller representative is a natural person or legal person authorized to represent a data controller residing abroad at a minimum level.
• Within the scope of the minimum level, the representative is responsible for
• receiving or accepting the notification or correspondence from the Authority on behalf of the foreign data controller,
• forwarding the requests directed by the Authority to the data controller,
• forwarding the response from the data controller to the Authority,
• receiving the data subject applications on behalf of the data controller and forward them to the data controller,
• conveying the data controller’s response to the data subject and
• carrying out the Registry-related tasks and transactions on the data controller’s behalf.
• Data controllers residing abroad must register with the Registry through a data controller representative before starting data processing.
• A certified copy of the decision taken by the authorized body or person regarding the designating of the data controller must be submitted to the Authority with a wet-ink signature during the application for registration in the Registry.
• There is no specific sanction to be implemented under the Law if a representative is not appointed. However, if the representative fails to execute the above-mentioned duties and obligations, the data controller may face an administrative punishment if the relevant person applies for the Authority’s complaint procedure.

In terms of branches of legal entities residing abroad in Turkey, the Authority has taken into account the following criteria while determining the data controller title:

• The data controller, who is a natural or legal person, is required by the Law to register with the Registry. According to the applicable legislation, branches do not have their own legal personality. However, branch offices should be managed separately of the headquarters because they are independent in external affairs and have the authority to conduct commercial transactions on their own,
• The Authority has taken into account that being a legal person is not a necessity for holding the title of data controller (or data processor) in the context of Article 4 GDPR. As a result, the matter was interpreted in line with the European data protection legislation, in which the concept of data controller is comprehensively regulated.
• In relation to the territorial scope, the Authority noted that the concept of “establishment” is pointed out as the criterion sought for businesses outside the Union to be subject under the GDPR as a data controller (or data processor). The fact that branches are registered as domestic commercial businesses under Turkish law satisfies this criteria in this case.
• As a result, it has been concluded that branches that act independently from the center in terms of personal data processing processes and that determine the purposes and means of processing personal data are to be considered as data controllers separately from legal entities residing abroad, and if they meet the other necessary conditions, they have the obligation to register in the Registry.
• As a result, the Authority decided branches that act independently from the headquarters in terms of personal data processing operations and determine the purposes and means of processing personal data are to be considered data controllers separately from legal entities residing abroad. Therefore, they must register with the Registry if they meet the other necessary conditions.

In terms of liaison offices of legal persons residing abroad in Turkey,

• On the grounds of their legal qualifications, liaison offices carry out various activities of foreign-law-based businesses in Turkey, provided that they do not engage in commercial activities. Communication, feasibility, marketing, and so on. These are the units that carry out their tasks in order to conduct research, update the headquarters, and keep track of job prospects.
• In this regard, liaison offices do not have the title of data controller. Therefore, they are not required to register with the Registry according to the Authority.

[1] Personal Data Authority Authority, Date: 23/07/2019,  Decision No.: 2019/225, https://kvkk.gov.tr/Icerik/5545/2019-225; Access Date: 12.03.2022