7 October 2019

The Turkish Personal Data Protection Board (the “Board”) today published on its website its decision on the data controller title of foreign legal entities and of their branches and liaison offices.

The Turkish Personal Data Protection Law No. 6698 defines a data controller as “Natural or legal person who determines the purposes and means of the processing of personal data, and who is responsible for establishment and management of the filing system.” Therefore, a foreign entity will have the title of data controller as soon as it processes personal data, and its obligation to register with the Data Controllers Registry will start[1].

As for foreign legal entities’ branches in Turkey, branches do not have legal entity status under Turkish law. However, a data controller must be a natural or legal person. So, the branches of foreign entities in Turkey should not have a data controller title.

On the other hand, according to the Turkish Commercial Code No. 6102, “Branches of commercial enterprises the headquarters of which are not based in Turkey will also be registered with the trade registry in the place where these branches are located and published.”

In addition, Article 3(1) of the EU General Data Protection Regulation (GDPR) is as follows:

“This Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not.”

According to this provision, it does not matter whether the branch/liaison office in the European Union itself handles data. A foreign company shall be subject to the provisions of the GDPR if it processes data within the framework of its branch office/liaison office in the EU.

In conclusion, even though the branches do not have legal entity status, there is an obligation to register these branches as they are domestic branches. Also, according to Article 4 of the GDPR, having legal entity status is not a criterion for becoming a data controller.

Based on those facts, the Board decided that foreign legal entities’ branches in Turkey must have a data controller title under Turkish data protection legislation, and that they will be under an obligation to register with the Data Controllers Registry.

Lastly, foreign legal entities’ liaison offices in Turkey (which do not carry out commercial activities in Turkey) are established for communication, feasibility research, conducting some studies in social and cultural fields, making preparations for mergers and acquisitions between companies, promotion and advertising, closely monitoring the business opportunities in the country, and informing the central company about these issues. Because of this, these offices do not have a data controller title or an obligation to register with the Data Controllers Registry.

You can find the text of the decision (in Turkish) here.

Should you have any queries and/or remarks, please do not hesitate to contact us. 

Kind regards,

Zumbul Attorneys-at-Law

[1] According to the Board’s Decision dated 19/07/2018 and numbered 2018/88, data controllers whose annual employee number is more than 50 or annual financial statement amount is more than 25 million Turkish Liras shall be under the obligation to register with the Data Controllers Registry.