The practice of personal data protection, which came into our lives with the publication of the Law on the Protection of Personal Data No. 6698 (“KVKK”) in the Official Gazette dated April 7, 2016 and numbered 29677, has been shaped by secondary legislation and the decisions of the Personal Data Protection Board. It is possible to argue that KVKK, which can be described as a framework law, has been expanded by secondary legislation created under the influence of the European Union General Data Protection Regulation (“GDPR”), which came into force in 2018.
In this context, the first regulation was made regarding the concept of “data protection officer” which was not included in our legislation before. The Communiqué on the Procedures and Principles Regarding the Personnel Certification Mechanism (“Communiqué”) entered into force after being published in the Official Gazette on December 6, 2021.
Article 37 of the GDPR makes it mandatory for data controllers to designate a data protection officer if they meet certain conditions. According to Article 37, the controller and the processor shall designate a data protection officer in any case where:
the processing is carried out by a public authority or body, except for courts acting in their judicial capacity;
the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale; or
the core activities of the controller or the processor consist of processing on a large scale of special categories of data pursuant to Article 9 or personal data relating to criminal convictions and offences referred to in Article 10.
However, the data protection officer, which is the subject of the Communiqué, is not a concept included in the KVKK, and the designation of a data protection officer is not an obligation for data controllers. The closest provision in KVKK to the data protection officer is the obligation to “appoint a senior manager to ensure coordination regarding the implementation of the law”, imposed on public institutions and organizations by the 5th paragraph of Provisional Article 1. However, the concept of “data protection officer” is not used there, nor is there a detailed explanation.
The Communiqué contains regulations on certification activities to be carried out by personnel certification bodies accredited in accordance with the (TS) EN ISO/IEC 17024 standard and authorized by the Personal Data Protection Authority (“Authority”). Accordingly, those who complete the training program, the procedures and principles of which are determined by the Communiqué, will receive a certificate of participation and will be able to become data protection officers if they pass the exam specified in the Communiqué.
Although the Communiqué does not set out detailed regulations, the public announcement about the Data Protection Officer Certification Program was published on the website of the Authority on December 7, 2021. It specifies the principles for application, evaluation of candidate applications, examination and the certification method.
Data protection officers will be deemed to have sufficient knowledge of personal data protection legislation within the scope of the program for which they are certified, but a data protection officer will only be able to use this title for a period of 4 years, which is determined as the validity period of the certificate.
However, it is also stated in the Communiqué that having a data protection officer within the data controller and/or data processor does not remove the obligations of the data controller and the data processor arising from KVKK.
The publication of the Communiqué has raised many questions. There is not yet a definite provision on who can be a data protection officer. Aside from the discussions about whether being a law school graduate should be a requirement, it is not yet clear which groups of data controllers will be under an obligation to designate a data protection officer.
In the last days of the VERBIS registration period for all data controllers with registration obligations, we are faced with a new concept that was not previously included in our legislation. Although it is not clear whether the concept of data protection officer will be regulated similarly to the GDPR, considering that the GDPR is followed in the Board decisions and secondary regulations, designation of a data protection officer may soon become an obligation for certain data controllers under the KVKK. We will see how the practice takes shape with new regulations and legislative changes in the upcoming period.