1. General Overview

Pursuant to Article 16 of the Code Numbered 6698 on the Protection of Personal Data¹, real persons or legal entities processing personal data shall register with the Data Controllers' Registry before any processing.

Article 3 of the said Code defines Data Controllers as real persons or legal entities who are responsible for setting out the objectives of processing personal data and for the establishment and management of the data registration system within the meaning of the Law. In practice, for Joint Stock Companies, the company itself is deemed the Data Controller and is obliged to register with the Data Controllers' Registry Information System ("VERBIS").

According to the recent announcement of the Turkish Personal Data Protection Board² on the extension of the deadline to register with the Data Controllers' Registry "VERBIS" system dated December 27, 2019, the Board has provided the reasoning behind the extension and has also elaborated on what is actually expected from Data Controllers in order to honor the Law and avoid the sanctions stipulated in it. As a side note, for Joint Stock Companies which have more than 50 employees annually or a balance sheet sum of more than 25 million TRY per year, the deadline for registration with VERBIS and the notification requirement has been extended to 30.06.2020.

To comply with the law, Data Controllers are obliged to make an entry in, and provide information to, the Data Controllers' Registry Information System ("VERBIS") with regard to the personal data they process. The Board has also stressed the importance of the accuracy and reliability of the updated information provided to VERBIS within the context of personal data processing activities.

In addition to Code No. 6698 on the Protection of Personal Data, to fully comply with the personal data protection requirements, special attention must be paid to the procedures and principles set out in i) the Regulation on Data Controllers' Registry published in the Official Gazette of Turkey dated 31.12.2017 and ii) the Regulation on Deletion, Destruction and Making Anonymous of Personal Data published in the Official Gazette dated October 28, 2017, respectively.

Among others, one of the important provisions set forth in the said secondary legislation is that Data Controllers who are obliged to register with VERBIS are also obliged to prepare a Personal Data Processing Inventory, and the information to be disclosed to VERBIS shall be prepared based on that Personal Data Processing Inventory. The Personal Data Processing Inventory prepared by the Data Controller is also taken into account in determining whether i) the duty to disclose and full representation to the personal data owner has been met and ii) the open consent of the data owner has been obtained. As stated above, Data Controllers are responsible for the accuracy, completeness, currency and legal compliance of the information submitted to and published at the Registry.

2. Criminal Liability of Board Members of Joint Stock Companies

Section 5 of the Code Numbered 6698 on the Protection of Personal Data defines in detail the types of wrongdoing, in the form of felonies and misdemeanors, that arise in case of breach of the law. Article 17 of the Code defines the felony and stipulates that, for crimes involving personal data, the relevant articles of the Turkish Criminal Code Numbered 5237, namely Article 135 to Article 140, shall apply. In addition, where the Data Controller fails to erase, destroy or make anonymous the personal data within due course, Article 138 of the Turkish Criminal Code shall apply.

Taking a close look at the referred Articles of the Turkish Criminal Code: under Article 135, any wrongdoer shall be subject to imprisonment from one year up to 3 years in case personal data is illegally recorded.

Article 136 regulates illegal taking and dissemination of personal data, and the sanction stipulated for violation of the said Article is imprisonment starting from two years up to four years.

Article 137 regulates aggravating factors the existence of which in committing the crime will lead to increase in the punishment up to half of the originally imposed sanction.

Article 138 specifically regulates the destruction of data: it obliges the person in charge to destroy the data when required, and the consequence of non-compliance is imprisonment from one year up to two years.

According to Article 139, in almost all crimes within the context of personal data protection, the Prosecutor acts automatically to investigate, without any need for a criminal complaint by a third party.

Finally, under Article 140 of the Turkish Criminal Code, for legal entities such as Joint Stock Companies, the proper sanction shall be imposed by taking into account the unique character and structure associated with being a legal entity.

Having reviewed the pertinent provisions of the Protection of Personal Data Code and the Turkish Criminal Code, it is fair to conclude that the Legislator attaches specific importance to the protection of personal data and has therefore set forth severe sanctions in case of any violation.

When it comes to corporations in the form of a legal entity, such as Joint Stock Companies, the Data Controller is designated as the company itself within the meaning of the law; therefore the Company, rather than the shareholders, will face and be subject to the criminal and monetary sanctions stipulated in the law.

The responsible organ of a Joint Stock Company is the Board of Directors, which can bind and represent the company³. With regard to criminal liability, subject to proof of the culpability element (existence of mens rea, actus reus and concurrence), the members of the Board of Directors do have personal criminal liability for the crimes set out in the Personal Data Protection Code and the Turkish Criminal Code. However, the Board may, through a clear division of labor among its members, such as by obtaining a board resolution or issuing an internal directive to that end, delegate certain duties with regard to the protection of personal data to one of the members of the Board of Directors or to other professionals within the company. In the absence of such delegation, all of the members of the Board of Directors might be held liable when it comes to criminal liability.

3. Administrative Sanctions - Misdemeanor

Article 17 of the Code defines the misdemeanor and specifies the acts that lead to administrative fines. Accordingly;

- Any data controller who fails to meet the duty to disclose and full representation stipulated at Article 10 of the Code shall be punished with an administrative fine in the range of 5.000 TRY to 100.000 TRY.

- Any data controller who fails to meet the duty to ensure data security stipulated at Article 12 of the Code shall be punished with an administrative fine in the range of 15.000 TRY to 1.000.000 TRY.

- Any data controller who fails to fulfill the decisions of the Personal Data Protection Board stipulated at Article 15 of the Code shall be punished with an administrative fine in the range of 25.000 TRY to 1.000.000 TRY.

- Any data controller who fails to register with VERBIS and meet the notification requirement stipulated at Article 16 of the Code shall be punished with an administrative fine in the range of 20.000 TRY to 1.000.000 TRY.

When it comes to the administrative fine, it should be noted that it is a public debt; therefore the members of the Board of Directors are also personally liable for the debt, unless it is fully satisfied from the assets of the Joint Stock Company in the first place. It is important to note that the only obligation of the shareholders of Joint Stock Companies is owed to the Company itself, namely to pay the committed capital in full, which also means that the shareholders do not have any responsibility for the public debts incurred by Joint Stock Companies. However, if a shareholder also holds a position as a member of the Board of Directors of a Joint Stock Company, that shareholder does incur personal liability for the administrative fines imposed by the Personal Data Protection Board.

Accordingly, to completely avoid the risk of facing any criminal and civil liability in Joint Stock Companies, the shareholders usually opt for recruiting professionals who would hold a seat on the Board of Directors and decide on the delicate matters, or alternatively delegate certain powers to third parties by virtue of a well pleaded Board of Directors Resolution or Internal Directives which explicitly indicate the persons in charge of specific matters.

Footnotes

1 Published in the Official Gazette of Turkey dated 07.04.2016 and numbered 29677.

2 The full text can be reached at the following address: https://www.kvkk.gov.tr/Icerik/6631/Veri-Sorumlulari-Siciline-Kayit-Yukumlulugune-Iliskin-Kurulca-Belirlenen-Tarihler-Hakkinda-2019-387-Sayili-Kurul-Karar-Ozeti

3 According to Article 365 of the Turkish Commercial Code, the Joint Stock Company is managed and represented by the Board of Directors of the Company.
