The Communiqué on the Procedures and Principles Regarding the Staff Certification Mechanism (‘Communiqué’) entered into force upon its publication in the Official Gazette dated 06.12.2021 and numbered 31681. Article 5 paragraph 3 of the Communiqué titled ‘General Principles’ stipulates that ‘The procedures and principles regarding the participation certificate shall be determined and announced by the Board.’ Accordingly, the procedures and principles regarding the participation certificate were determined by the Personal Data Protection Board (‘Board’) Decision dated 23.12.2021 and numbered 2021/1296.

The Communiqué, which you can access in our article dated December 2021, referred to a data protection officer similar to the Data Protection Officer (‘DPO’) defined in the European Data Protection Regulation (‘GDPR’) and paved the way for the acquisition of the relevant title in Turkey. Since we mentioned the differences between the two concepts in our previous article, we will not elaborate on them here; as a reminder, it is sufficient to state that having the title of data protection officer is subject to less stringent conditions.

In parallel to this, with the Public Announcement dated 10.12.2021, the Board stated that the definition of Data Protection Officer was confused with the concept of DPO, that it differs from the definition of DPO, which is not included in the local legislation, and that it is regulated as a separate concept. In this announcement, it was underlined that the relevant persons are not experts, but are considered to have sufficient knowledge of the Law on the Protection of Personal Data.

Article 5/2/f of the Communiqué regulates the participation certificate as follows: ‘The participation certificate does not provide the opportunity to use the title of data protection officer and to operate as a data protection officer.’ It is understood that the relevant document is a stage that must be completed before obtaining the title of data protection officer.

Under Decision No. 2021/1296, it can be said that the basic training will be given by the training institution, that training minutes containing certain minimum elements will be kept, and that the Certificate of Participation given to those who are successful in the exam held after the basic training will meet the requirement for taking the data protection officer exam. It is stated that the basic training will be organised theoretically according to the methods determined by the Personal Data Protection Authority and the subjects in Annex-1 of the Decision. Participants have the right to take the exam organised after the basic training three times and are expected to achieve 70% success. In case of failure three times, the basic training must be taken again. It is stipulated that if participants exceed the 20% absenteeism limit, the participation certificate will be cancelled even if it has been issued.

When the subjects specified in Annex-1 are examined, it is noteworthy that ‘International legislation in the field of protection of personal data (Convention No. 108, Directive 95/46/EC, GDPR)’ is not listed, unlike in the theoretical exam subjects published with the Public Announcement on Certification dated 07.12.2021.

It is stated that the persons to be exempted from the basic training and examination will be determined by the Board, and Article 10, titled ‘exceptions’, regulates that the Board will issue the certificate of attendance to these persons. At this point, the absence of any explanation regarding professional lawyers can be interpreted as reflecting the Authority’s attitude that ‘anyone can be a data protection officer’, and it is a matter of curiosity whether lawyers will be considered within the scope of the exception.

However, considering that not all lawyers are specialised in the Personal Data Protection legislation, we are of the opinion that it would constitute a proportionate practice for candidates not to need a certificate of attendance but to be subjected to an exam in the two-stage system.

In conclusion, it is observed that efforts are being made to eliminate the grey-area discussions that the relevant regulation was expected to clarify, that secondary regulations will continue, and that, similar to the fate of the Personal Data Protection Law, time and certainty are needed for the implementation of the complementary elements of the data protection officer practices.