Two different countries, two different laws, two different systems. Here is a quick review of two different systems of data controllers' registration, with regards to the UK's Data Protection Act 2018 and Turkey's Personal Data Protection Law no.6698.

​

Situation in the UK:

 

Data Protection Act 2018 of the UK works in harmonisation with the GDPR, whereas Turkey's Data Protection Law is adopted from the EU's 95/46/EC Directive prior to enactment of the GDPR.

​

One could expect parallel applications in these countries, for both local laws are in connection with the EU acquis. Be it different cultures or different law systems, UK and Turkey have rather different perspectives as regards to data controllers registration systems, in addition to other data protection rules and implementations.

​

In the UK; data controllers are obliged to register with the supervisory authority of the UK, the Information Commissioner's Office ("the ICO") and to pay the "data protection fee" within a legal timeframe. Amount of data protection fees depend on some thresholds and requirements set forth in the DPA 2018.

The ICO reminds data controllers of the registration and fee requirement. It also mentions the fines for noncompliance (i.e. £4000).

​

The registry is open to public and one may search of a person or organisation registered with the ICO by completing some information via ICO's website (ie. https://ico.org.uk/ESDWebPages/Search)

 

In order to determine which data protection fee applies to an organisation or person, the information requested by the ICO's system must be declared thereto correctly.

​

The system is stable and consistent. No extension is required nor foreseen as per today.

​

Situation in Turkey:

​

In Turkey, on the other hand, the data controllers are not obliged to pay a data protection fee. However the registry system has more steps than the system in the UK which cause some complications. 

​

First, data controllers (that meet the conditions declared by the Turkish Data Protection Authority) must have access to the system which requires a password to be delivered from the Authority in writing. This procedure hence logging in to the system might take more than a week, therefore the data controllers need more than such period to finalise their registration.

 

This is not where the registration is completed. Data controllers are also obliged to declare their data protection purposes and some other information (i.e. data categories, data subject categories, categories of transferees, etc.) to the Data Controllers' Registry Information System ("VERBIS"). VERBIS is open to public - the only similarity with the ICO system, we might say.

 

There are four groups of data controllers that are obliged to do VERBIS declaration, hence four different deadlines.

 

These deadlines, however, were postponed second times.

 

The first deadline for the first group of data controllers was September 30, 2019. ​By reason of some hesitations and some other technical and organisational reasons, the Authority extended the deadlines by 3 months (i.e from September 30, 2019 to December 31,2019 for the first group of data controllers).

 

This extension was expected to help data controllers finalise their compliance periods; however that was not the case in reality. Hesitations (and resistance) of data controllers continued and the compliance projects were mostly paused or slowed down. As the time passed and the deadline came close, some of the data controllers rushed for a VERBIS registration without completing their data inventories-which was against the regulations which set forth VERBIS registrations should be based on data inventories.

​

Considering wrongful VERBIS registrations and other incorrect applications, on December 27, 2019, only 4 days before the due date of the first group of data controllers, the Data Protection Authority postponed the date for VERBIS registrations again, by 6 months this time.

 

This second extension is welcomed as a relief by most of the data controllers, whereas there are several opinions which emphasize (and we agree) that this extension shall not be seemed as a reason to pause the compliance projects as happened before.

​

What's the Difference?

In the UK, there is quite a simple registration procedure for data controllers. Although some amount of data protection fee is legally required, effectiveness of the system is stable and consistent. The matter is taken seriously by all sectors.

 

In Turkey, on the other hand, by most of the sectors, the whole registration procedure is deemed as cumbersome and impractical. It is not possible to say that the time extensions help data controllers finalise their compliance programs. On the contrary, such decisions of the Authority previously caused data controllers to pause all compliance programs until the last few days. There are opinions stating that such applications diminish the severity of and the trust in the law and the Authority itself. 

​

Final Opinion

​

It is of particular importance that the main focus must be on the data protection compliance programs as a whole, rather than merely the registration procedure. The data protection professionals shall enlighten their clients on the importance of data protection law and their impacts rather than focusing on the registration procedures. After all, the liabilities do not start or end with data controller registrations.

​

​