Introduction

The Personal Data Protection Board (the "Board") has determined the persons to be exempt from registering to the Data Controllers Registry with its decision dated 2 April 2018 and numbered 2018/32 (the "Decision"). The Decision was published in the Official Gazette dated 15 May 2018 and numbered 30422.

Legal Basis of the Decision

Pursuant to Article 16/2 of the Law on the Protection of Personal Data numbered 6698, published in the Official Gazette dated 7 April 2016 and numbered 29677 (the "Law"), natural and legal persons are required to be registered with the "Data Controllers Registry"- a publicly available registry maintained by the Personal Data Protection Authority - in order to lawfully process personal data.

The Law gives the Personal Data Protection Authority the power to introduce class exemptions to this registration requirement based on objective criteria such as "characteristics and the amount of data to be processed, whether or not data processing is based on any law, and whether data will be transferred to third parties".

List of the Exemptions

The Decision exempts the following classes of persons from the requirement to register with the Data Controllers Registry:

  • Persons who process personal data solely through non-automated means a part of a data recording system;
  • Notaries operating under the Notary Law dated 18 January 1972 and numbered 1512;
  • Associations established under the Law on Associations dated 4 November 2004 and numbered 5253, foundations established under the Law on Foundations dated 20 February 2008 and numbered 5737, unions established under the Law on Unions and Collective Labour Agreement dated 18 October 2012 and numbered 6356 in relation to data processed in respect of their own employees, members and donors for purposes within the bounds of their respective legislation and field of activity;
  • Political parties established under the Law on Political Parties dated 22 April 1983 and numbered 2820;
  • Attorneys practising under the Law on Attorneys dated 19 March 1969 and numbered 1136; and
  • Certified Public Accountants and Sworn Certified Public Accountants practising as per the Law on Certified Public Accountants and Sworn Certified Public Accountants dated 1 June 1989 and numbered 3568.

Conclusion

All persons who process personal data as part of their business or profession should assess whether they qualify for any of the class exemptions introduced by the Decision. If not, they should ensure that they have fulfilled any applicable registration formalities with respect to the Data Controllers Registry before starting or continuing to process any personal data.

It is important to note that all the registration exemptions introduced by the Decision do not mean that exempt persons will not be treated as "Data Controllers" and exempt persons will still need to observe all other legal requirements applicable to Data Controllers.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.