The Turkish Personal Data Protection Authority (“DPA“) published a summary of its decision issued in response to a request as to whether a foreign bank with a representative office in Turkey might be deemed a data controller within the scope of the Law No. 6698 on the Protection of Personal Data (“DPL“), and whether the bank might be obliged to register with the data controllers’ registry (VERBIS). The DPA confirmed that the foreign bank would be a data controller under the Data Protection Law and would therefore be obliged to register with VERBIS.
The DPA’s full announcement is available online here (in Turkish).
What Does the Decision Say?
The DPA referred to the prohibitions under Turkish laws preventing representative offices of foreign banks from providing banking services while indicating that representative offices are still allowed to conduct communication and marketing activities for the foreign banks. The DPA then provided the following points and arguments:
Consequently, the DPA determined that the foreign bank is a data controller under the DPL and is obliged to register with VERBIS due to the bank’s permanent existence in Turkey through its representative office.
The DPA confirmed once more that the application of the Turkish data privacy regulations and the requirements therein are not limited to the borders of Turkey; and that the DPL, its secondary legislation and the DPA’s authority might have extraterritorial application if the processing relates to individuals in Turkey. The DPA also clarified that having a representative office in Turkey is a clear indication of the foreign entity’s status under the DPL as a foreign data controller.
Please stay up to date with further developments through the Esin Attorney Partnership Coronavirus Helpdesk.