Evaluations on the Communiqué on the Procedures and Principles Regarding the Personnel Certification Mechanism

The Personal Data Protection Authority (‘Authority’) introduced a certification mechanism and published the Communiqué on the Procedures and Principles Regarding the Personnel Certification Mechanism (‘Communiqué’) in the Official Gazette dated 06.12.2021.

According to the Communiqué, those who complete the training programme organised by the Personal Data Protection Board (‘Board’) receive a certificate of participation; candidates who then apply for the certification exam within 4 years and pass it will be entitled to the title of ‘data protection officer’.

‘Data protection officer’ here means a person who works within the data controller to protect personal data. Although the title is modelled on the Data Protection Officer (‘DPO’) of the European Union General Data Protection Regulation (‘GDPR’), there are more differences than similarities between the DPO of the GDPR and the data protection officer of the Authority.

Anyone who participates in a certification programme and passes the exams to be held will be entitled to the title of data protection officer. In effect, this issue of the Official Gazette brings under regulation the certificates that some private companies have been issuing.

The first institution involved in the path to becoming a data protection officer is the Turkish Accreditation Agency (‘TÜRKAK’), which will determine the training institutions that provide the training and conduct the exams. Thus, some training centres will become authorised to train data protection officers. Personnel certification bodies accredited by TÜRKAK in accordance with (TS) EN ISO/IEC 17024 will be authorised to certify those who pass the certification exam.

With this move, the Authority aims to create data protection officers in Turkey who are certified to ISO standards.

The validity period of the certificates will be 4 years following the announcement of the exam results, and data protection officers will be able to use their titles only during the validity period of their certificates. The 4-year limit may be seen as a tacit statement by the Authority to data controllers that a single project on the protection of personal data is not sufficient and that keeping knowledge current is vital for compliance.

The data protection officer shall be deemed to have sufficient knowledge in terms of personal data protection legislation within the scope of the programme in which he/she is certified. In addition, it is stipulated that the personnel certification body must also have the necessary and sufficient personnel, resources, physical, technical and administrative infrastructure in order to avoid any deficiencies and disruptions during certification activities.

The employment of a data protection officer within the body of the data controller and/or data processor will not eliminate the responsibility of the data controller and data processor to comply with the Personal Data Protection Law No. 6698 (‘Law’) and the relevant legislation.

The Certificate Tracking and Verification Information System (‘SERTABIS’) is a system that will be managed by the Authority and is open to the public in order to ensure the transparent and effective maintenance of certification. SERTABIS contains the information shown on the certificate of attendance, information on personnel certification bodies and changes in their status, information on certificate holders, the dates of examinations conducted within the scope of the programme, and the certificate dates, certificate numbers, certificate validity periods and certificate statuses of those who passed the examination.

Pursuant to Article 16 of the Communiqué on sending information and documents to the Authority, the Authority may request all information and documents from the relevant parties within the scope of the programme. The question that arises here is how appropriate it is for an authority that advises data controllers to minimise data, and imposes administrative sanctions when they do not, to disregard that same principle in its own practice. The period allowed for providing the requested documents is set at fifteen days, and a phrase as broad as ‘all information and documents’ makes it impossible to prepare in advance within that time and causes delays from the very birth of the Communiqué.

Another issue that is contradictory and left open is that, where the authorisation of a personnel certification body is cancelled, the Communiqué does not specify what sanctions will be imposed on the persons to whom that body has awarded the title of data protection officer.

‘Those who have received a certificate of attendance within the last 4 years prior to the date of the examination or who have a valid data protection officer certificate and who meet the conditions specified in the programme are entitled to apply for the data protection officer certificate examination.’

Pursuant to Article 11/1 of the Communiqué, applicants for the exam must have received a certificate of attendance, or hold a valid certificate, within the 4 years prior to the date of the exam. It is therefore understood that the certificates of some organisations currently providing this service will be treated as valid. Our evaluation found no explanation as to whether the title of data protection officers who took the exam and qualified for it remains valid if the authorisation of the institutions that issued the ‘valid certificate’ is subsequently cancelled.

As on previous occasions, the Board will be expected to provide explanations and clarifications on these issues, and de facto practice will need to be followed.

Data Protection Officer vs. Data Protection Officer

DPO is a concept regulated under the GDPR, which entered into force in the European Union in May 2018. The purpose of this regulation is to ensure the appointment of a person who will be responsible for the compliance of data controllers with the legislation. The GDPR imposes an obligation on data controllers that meet certain criteria to appoint a data protection officer and addresses the duties and obligations of the data protection officer in detail.

The primary role of the DPO is to ensure that his or her organisation processes the personal data of its staff, customers, suppliers or other persons (data subjects) in accordance with the data protection rules.

Article 37 of the GDPR requires the appointment of a DPO in European Union institutions and organisations. Contrary to popular belief, it is not the size of the company that is decisive for the legal obligation to appoint a DPO, but its core processing activities, defined as those necessary for the company to achieve its objectives. If these core activities involve large-scale processing of sensitive personal data or a wide-ranging form of data processing that specifically affects the rights of data subjects, the company is required to appoint a DPO. Public authorities, on the other hand, are always obliged to appoint a DPO, except for courts acting in their judicial capacity.

If there is no legal obligation, companies may voluntarily appoint a DPO to assist with data protection compliance (for example, as recommended by the French data protection authority CNIL).

Companies have two options to fulfil their obligation to appoint a DPO: either an employee is named as DPO or an external DPO is appointed. It is important to ensure that an internal DPO is not exposed to a conflict of interest, which would arise if duties in the IT or Human Resources department or in senior management left him/her monitoring his/her own work.

Regardless of which option is chosen, a DPO should provide specialised professional knowledge of data protection legislation and technical security safeguards, proportionate to the complexity of the data processing and the size of the company. The duties and qualifications of the DPO are detailed in Art. 39 GDPR.

The UK requires the appointment of a DPO if the organisation concerned is a public body or carries out certain types of processing activities; the DPO advises on Data Protection Impact Assessments (DPIA) and acts as a point of contact for data subjects and the Information Commissioner’s Office (ICO).

The Law enacted in 2018 did not provide for a DPO. Instead, the title of contact person, which is not mentioned in the Law but is regulated in the Regulation on the Data Controllers’ Registry within the scope of Data Controllers’ Registry Information System (‘VERBIS’) applications in Turkey, has come into widespread use and was designed to fill the role of the DPO in GDPR practice. As in the UK example, the contact person was seen as the person accountable to both data subjects and the data protection authority (the Authority), and as the first point of contact in initial communications.

As can be seen, the Contact Person serves as the first person to be addressed and contacted by data subjects and data protection authorities, as the GDPR stipulates for the DPO. The most important difference from the DPO, however, is that specialised knowledge of data protection, and the ability to provide it, is not required. Under the current regulation, it can be said that the data protection officer practice in Turkey is intended only to fill this gap on the point requiring expertise, and will carry no responsibility for communication, since contact persons are assigned that responsibility.

It is observed that the Communiqué does not include a requirement for public institutions and organisations to appoint a data protection officer without exception.

In the recital of Article 37 of the GDPR, it is stated that not only public institutions and organisations but also private sector persons performing public functions (for example, companies providing public transport, road, water and energy supply) are included in this obligation.

The Communiqué does not include an obligation to appoint a data protection officer and leaves the matter ambiguous. We believe these issues will be clarified in time as implementation of the Communiqué develops.

Data Protection Officer Certification Programme

The Data Protection Officer Certification Programme (‘Programme’) regarding the certification activity to be carried out by the Authority within the scope of the Communiqué was prepared and published on the website of the Authority on 07.12.2021.

The purpose of the relevant programme is ‘to evaluate the applications of the candidates applying to the Personnel Certification Body authorised by the Authority, to conduct and evaluate the exams, to certify or re-certify the Data Protection Officer or Data Protection Officer candidate and to determine all the principles regarding the certification method’.

The suspension and/or cancellation of data protection officers’ certificates, an issue we tried to address above, is regulated in this Programme.

Accordingly, the grounds are set out as an exhaustive list (numerus clausus): (i) upon the data protection officer’s own request; (ii) if it is determined that the data protection officer made an untrue statement despite not meeting one of the necessary conditions; (iii) if it is determined that he/she used the document in a malicious or misleading manner; (iv) when, after evaluation of a complaint, a decision is taken against the data protection officer by the Authority or the relevant courts; (v) if it is determined that the document has been tampered with.

The application requirements for the data protection officer certificate exam are: graduation from a faculty of a domestic university providing at least four years of undergraduate education, or from a foreign university provided that the equivalence of the diploma is approved by the Higher Education Council; and having received a Certificate of Participation within the last 4 years prior to the date of the exam, or holding a valid Data Protection Officer Certificate.

When the exam subjects are examined, it is observed that international legislation in the field of Personal Data Protection is also included; in this context, knowledge of the GDPR, Convention No. 108 and Directive 95/46/EC is also required in order to obtain the certificate.

CONCLUSION

We have found that the Communiqué focuses on the certification process of the data protection officer, and that the explanations regarding the meaning of the title are deficient.

The primary objective has been to eliminate the misinformation and wrong practices in consultancy services on the protection of personal data, rather than to determine the position of the data protection officer within the system of the legislation.

Therefore, explaining the issues raised in both the Communiqué and the Programme issued under it has become a necessity rather than a mere requirement.

In this article, we have tried to briefly explain the relationship between the DPO and the data protection officer, the contact persons who have played a role in practice so far, and GDPR practice. Since the Communiqué frames the expertise sought under the GDPR as merely ‘having sufficient knowledge’ when determining data protection officers, the absence of any regulation for lawyers, as the producers of legal knowledge, and the loss of rights that may result, could not be covered in this article, as they require a broader examination. However, we believe that the relevant regulation should set out specific procedures and principles for lawyers as soon as possible.

In this respect, we submit this information note on the Communiqué, which we hope will help our country’s data protection legislation and culture to leap forward, to the attention of all stakeholders in the ecosystem.