The Personal Data Protection Board (“Board“) published its decision (“Decision“) on exemptions from registration to the Data Controllers’ Registry (“Registry“) in the Official Gazette on May 15, 2018.
What Does the Decision Say?
The decision is based on Article 16(2) of the Law No. 6698 on the Protection of Personal Data (“Data Protection Law“), which states, “The Board may introduce certain exemptions to the registration obligation considering objective criteria such as the category and amount of personal data processed, that processing is stipulated in the laws or transfer of data to third parties.”
According to the Decision, the following are exempt from the registration obligation:
- Those who process personal data only by non-automated means provided that it is part of a structured filing system.
- Notaries operating under the Notary Law.
- Associations established under the Law on Associations, foundations established under the Law on Foundations, and unions established under the Law on Unions and Collective Labor Agreement that process personal data only in line with the relevant legislation and purposes limited to their field of activity, and process personal data only in relation to their employees, members, and benefactors.
- Political parties founded under the Law on Political Parties.
- Attorneys operating under the Law on Attorneyship.
- Certified Public Accountants and Sworn-in Certified Public Accountants operating under the Law on Certified Public Accountants and Sworn-in Certified Public Accountants.
Data controllers must assess whether or not they fall within one of the above exemptions.
Data controllers that are exempt from the registration obligation must still comply with the Data Protection Law. In addition, data controllers that must be registered with the Registry must prepare a personal data processing inventory and personal data retention and deletion policy.