The Turkish Personal Data Protection Authority (DPA) has introduced the concept of data protection officers with the Communiqué on the Procedures and Principles Regarding the Personnel Certification Mechanism (“Communiqué”). The Communiqué regulates the process for certification of a data protection officer.
The DPA’s Communiqué regarding certification as a data protection officer was published in the Official Gazette dated 6 December 2021 and entered into force on the same date. The Communiqué regulates the training, examination and certification processes of data protection officers. The Communiqué is available online here (in Turkish).
What is a data protection officer?
As per the Communiqué, a data protection officer is defined as a “natural person who is entitled to use the title of data protection officer by successfully passing the exam,” and it is stipulated that data protection officers have sufficient knowledge in terms of personal data protection legislation in addition to their certification program.
The concept of data protection officers is also regulated within the scope of the General Data Protection Regulation (GDPR), which requires data controllers who meet certain conditions to have a data protection officer. Under the GDPR, data protection officers need to have expert knowledge in the field of personal data protection and need to be able to fulfill their obligations under the GDPR.
Unlike the GDPR, the Communiqué does not regulate the concept of data protection officers in detail. The Communiqué neither imposes any obligation on data controllers regarding the appointment of a data protection officer nor stipulates the duties of the data protection officer. The Communiqué, however, states that having a data protection officer within the data controller and/or data processor will not eliminate the obligations of the data controller and the data processor arising from LPPD. In this context, while it is currently not clear whether the Turkish DPA will follow an approach similar to the GDPR in terms of data protection officers, it is possible that the appointment of a data protection officer will arise as an additional obligation to the obligations of data controllers under the LPPD.
What is the process for becoming a data protection officer?
In order to become a data protection officer, individuals must participate in certain training sessions and obtain relevant certifications. Individuals who meet the training/certification requirements will be entitled to take the exam. The individuals who successfully pass the exam become data protection officers. Organizations accredited by the Turkish Accreditation Agency within the scope of the (TS) EN ISO/IEC 17024 standard will be authorized to certify those who are successful in the exam. The data protection officer certification is valid for four years.
With the Communiqué, the concept of a data protection officer is introduced to the LPPD for the first time. Individuals who have passed the necessary examination and training process in accordance with the Communiqué will be able to become data protection officers. In this respect, all relevant companies that process personal data must follow the DPA’s announcements and regulations on data protection officers.