The Personal Data Protection Board (“DPA”) in Turkey once again extended the deadline for mandatory registration on the Data Controllers Registry on December 27, 2019. For data controllers with more than 50 employees or annual balance sheet higher than TRY 25 million, and data controllers residing abroad, the new deadline is June 30, 2020. Regulation on Data Controllers’ Registry (“Regulation”) requires that data controllers who reside abroad should be registered with the Data Controllers’ Registry through a representative prior to processing personal data. Yet, it may not be perfectly clear when a processing by such controllers would be in the scope or not. This brings the issue of the extraterritorial effect of Turkish Personal Data Protection Law (“Law”) or practice of the DPA in that sense. Although the wording of the Law can be considered quite vague with extensive coverage, the Law does not have explicit extraterritorial provisions similar to the provision on territorial scope like Article 3 of the General Data Protection Regulation (“GDPR”). Nevertheless, the effect of the GDPR on Turkish DPA is seen. The Law, guidance documents and decisions of the DPA do not provide detailed examples of circumstances that make clear whether the Law would apply on an extraterritorial basis. Based on the general wording of the Law, the DPA appears to accept that it would apply on such basis at least under certain situations.
One of the arguments concerning the extraterritoriality of the Law may be that the Law was mainly prepared based on EU Directive 95/46/EC which did not include an express extraterritoriality provision. Regardless, some recent decisions of the DPA include references to the GDPR not to EU Directive 95/46/EC.
The DPA’s Decision No. 2019/225 reviews the registration of foreign legal entities, and branches and representative offices of such entities. The reference to the GDPR is in the second section, which focuses on branches of foreign legal entities, and it refers to the provision of the GDPR Art.3/1 (relating to entities established in the EU). The DPA mainly discusses ‘establishment’ concept for branches and the definition of the controller under the GDPR, and opines that data controllers who reside abroad and process data in Turkey directly or via their branches should be registered with the Data Controllers’ Registry. Representative offices of controllers who reside abroad, on the other hand, are exempted from the registration. Further decisions of the DPA with various examples would shed light on the issue.
The foregoing affirms the GDPR’s effect on legislation and interpretation of relevant authorities in jurisdictions other than the EU and that we would very likely see intricate developments on privacy legislation and practice in 2020.