The “Data Protection Officer” institution was introduced with the Communiqué on the Procedures and Principles Regarding the Personnel Certification Mechanism from the Personal Data Protection Authority published on 06.12.2021 in the Official Gazette.
With this Communiqué, the Authority aims to establish a new legal institution as a Data Protection Officer in Turkey (TS) in accordance with the EN ISO/IEC 17204 standard. In this context, the conditions and obligations of being a Data Protection Officer are regulated in the relevant Communiqué. A specific program is envisaged to become a data protection officer.
- Those who graduate from faculties of at least four years of undergraduate education from domestic universities or foreign universities, provided that the diploma equivalence is approved by the Higher Education Council, can apply for the Data Protection Officer Certificate exam. In addition, those who have obtained a Certificate of Participation in the last 4 years before the exam date or have a valid Data Protection Officer Certificate can also apply.
- Within the framework of the law and relevant legislation, a Data Protection Officer Certificate is given to those who meet the requirements for obtaining a certificate and pass the exam.
- The Certificate of Participation is the document given by the Institution to those who have completed the basic training process, the procedures and principles of which are determined by the Personal Data Protection Board. Those who are successful in the exam among those who have received the participation certificate will be able to become a data protection officer.
- Those who pass the exams and are successful are entitled to receive a certificate that they are data protection officers in accordance with the (TS) EN ISO/IEC 17024 standard.
- Within the scope of this communiqué, the validity period of the issued certificates has been regulated as 4 years from the announcement of the exam results.
- The data protection officer will be deemed to have sufficient knowledge of the legislation on the protection of personal data within the scope of the program for which they are certified.
In addition, in order to ensure that the certification activity is carried out impartially, transparently and effectively by the Personal Data Protection Authority, the personnel certification body and Certificate Tracking and Verification Information System will be established in order to query the scope, dates, numbers, validity periods of the certificates, as well as the information of the personnel certification body, as well as the declaration of the certificate holders.
Evaluation
When the conditions of being a Data Protection Officer are examined, it would be a much more positive in the short term to bring poeple who have graduated from Faculties of Law or have a master’s/doctorate in the field of informatics instead of those who have graduated from faculties that provide at least four years of undergraduate education. Some problems may arise if data protection officers who do not graduate from the Faculty of Law or do not specialize in this field are deficient in relevant basic concepts, general and basic principles, personal data processing and destruction, measures to be taken and sanctions to be applied, etc.
In addition, it would be appropriate to measure the proficiency and effectiveness of the candidates and to evaluate whether they are suitable for this task, with an oral interview along with the 80-question theoretical exam.