Contact IstanbulCPA to learn about the liabilities of your liaison office in Türkiye under the Turkish Personal Data Protection Law.
Turkish Data Protection Legislation, Law no. 6698 on the Protection of Personal Data (the "Law") came into force on April 7, 2016. Personal data of natural persons resident in Türkiye, which were formerly secured by the Turkish Constitution, started to be protected under this legislation. The framework of personal data, liabilities of natural persons and legal entities, and other issues related to personal data have been outlined in this Law.
Within this context, one of the obligations the data controllers have is to register with the Data Controllers' Registry Information System ("VERBIS") and to notify the registry as per Article 16 of the Law.
The Law defines a data controller as "the natural person or legal entity who determines the purposes and means of personal data processing and is responsible for the establishment and management of the data recording system". A data controller can be a legal person resident in Türkiye or in abroad. Türkiye resident data controllers may also conduct their activities under headquarters abroad.
In order to be considered a data controller, a legal entity that is resident in Türkiye and affiliated to a headquarters abroad must determine the data processing means and purposes and be responsible for the set-up and management of the data registry system, independent in its external affairs and separated in management activities and place.
An organization being independent in external affairs means it has the authority to independently carry out transactions that headquarters can conduct whereas separation of management describes that an organization must have separate management from the headquarters that is authorized to carry out commercial operations.
In the light of the information given above, whether the liaison offices are obliged to protect personal data and to register with VERBIS as data controllers can be determined taking these into consideration:
According to the 1st paragraph of Article 6 of the Regulation for Implementation of Foreign Direct Investment Law No. 4875, the Ministry is authorized to grant permits and extend such permits to companies established in accordance with the laws of foreign countries to open liaison offices in Türkiye, provided that they do not carry out commercial activities in Türkiye.
As the above-mentioned paragraph states, liaison (representative) offices do not meet the conditions of independence and management separation as their foundation purposes are to facilitate communication, conduct feasibility studies, handle some social and cultural activities, make preliminary preparations for company merge and transfer, promote and advertise, and closely follow the business opportunities in the country and inform the headquarters about them, rather than to conduct commercial activities. Therefore, there is no such obligation as VERBIS registration for them.
This issue is clearly stated in the Personal Data Protection Authority decision dated 23/07/2019 and numbered 2019/225.
However, VERBIS registration is only one of the various obligations imposed within the Law, with the main purpose to prevent unlawful processing of personal data and illegal access to personal data, and to store personal data to ensure security by taking necessary administrative and technical measures. Since taking the measures introduced by Law are not solely data controllers' responsibility, liaison offices, too, are obliged to comply with the Law and carry out all activities accordingly.
On the other hand, legal entities resident in abroad where the liaison office is affiliated are directly responsible for the data processed by the liaison office. Within this context, these data controllers have the liability to comply with the Law and register with VERBIS by appointing a data controller in Türkiye. You can read the detailed information in our article here.
You can contact us to receive support or obtain more information regarding the Turkish Personal Data Protection liability of liaison (representative) offices.