
RECENT DEVELOPMENTS REGARDING DATA PROTECTION OFFICER

The data protection officer regulated within the scope of the General Data Protection Regulation ("GDPR") that came into force within the European Union is not directly included in the Personal Data Protection Law No. 6698. On the other hand, pursuant to the By-Law On Data Controllers Registry (“VERBIS By-Law”) published on 30 December 2017, it is envisaged that data controllers shall appoint a data controller representative and/or contact person in certain circumstances.

The Communiqué on the Procedures and Principles Regarding the Personnel Certification Mechanism (“Communiqué”), issued by the Personal Data Protection Authority (“Authority”), was published in the Official Gazette numbered 31681 dated 6 December 2021, in order to eliminate conflicts experienced in this regard and to appoint the person responsible for the compliance of data controllers with the personal data protection legislation. You can access the full text at https://www.resmigazete.gov.tr/eskiler/2021/12/20211206-4.htm.

Contrary to the GDPR, the Communiqué does not include detailed regulations regarding the data protection officer. In this regard, the Communiqué does not impose any obligation on data controllers regarding the appointment of a data protection officer, and no regulation is made regarding the duties of the data protection officer. However, it has been stated that employing a data protection officer within the data controller and/or data processor will not remove the responsibility of the data controller and the data processor arising from the law on the protection of personal data.

What is the Definition of a Data Protection Officer?

Under the Communiqué, the data protection officer has been defined as “the real person who acclaimed the title of data protection officer by succeeding in the examination”, and such persons have been regulated as persons with sufficient knowledge of the personal data protection legislation, within the scope of the data protection officer certification programme.

How to Become a Data Protection Officer?

In order to become a data protection officer, firstly, the participation certificate must be acquired by completing the education program whose terms and conditions have been regulated by the Authority. After obtaining this participation certificate, persons who succeed in the examination can become data protection officers. Institutions that have been accredited by the Turkish Accreditation Agency under the (TS) EN ISO/IEC 17024 standard are authorized to certify the persons who succeeded in the examination and who would have the right to use the title of data protection officer. The certification issued at the end of this process shall be valid for a 4-year period.

What is the Certificate Tracking and Verification Information System?

Pursuant to the Communiqué, the Certificate Tracking and Verification Information System (“SERTABIS”), a public system, has been established to conduct the certification process in a transparent and effective manner, and to query the scope and duration of certified persons and certificates.

With the Communiqué, regulations have been made on data protection personnel for the first time under the law on the protection of personal data. Although there is no clear understanding whether the concept of data protection personnel is addressed in any case similar to the GDPR, it may be possible to arrange the presence of data protection personnel as an additional obligation under the Personal Data Protection Law in the future. Therefore, we advise data managers of all relevant companies that process personal data to exercise due diligence and to closely follow the Authority's notices and regulations regarding data protection personnel.