Contact in Turkey
Turkey: +90 212 922 1519
UK: 0800 098 8033
US: +1 415 651 8449

Data Protection Laws in Turkey

Data controllers –all foreign firms and individuals, who are processing personal data in Turkey, must comply with the data protection regulations regardless of whether they reside in and outside of Turkey. Very few data controllers are aware that they may be held liable for not complying with those rules.

As part of the compliance procedure, one of the frequent questions we receive relates to the VERBIS registry requirements before the Data Controllers’ Registry.

 

What is VERBIS Registry Requirement?

In Turkey, data controllers –real and legal persons processing personal data must register with the Data Controllers’ Registry (VERBIS) before processing personal data. VERBIS is a registration system where data controllers need to be registered to and record the data processing activities they are engaged with.

 

To whom does it apply?

The Law is introduced a registry requirement for:

-Local data controllers that have more than 50 employees, and actively more than TRY 25 million on their balance sheets.

-Data controllers residing abroad as long as they process personal data in Turkey.

– Data controllers that have less than 50 employees in a year or an annual balance sheet below TRY 25 million, whose main business activity is processing sensitive personal data.

 

What are the obligations as to the Data Controllers’ Registry?

Preparing a Data Inventory: Typically, data controllers must prepare a personal data inventory –a guideline which indicates what type of personal data will be used, stored, processed and transferred by the data controller. In particular, data controllers must make a category of the personal data and a list of their operations, determine the purposes and legal grounds of the processing activities, the recipients, international transfers, data security measures and the maximum time for processing personal data

In case of any change in the information listed above, such change needs to be notified to the Authority to keep the record up to date.

Appointing a Representative/Contact Person: Data controllers residing in Turkey must appoint a contact person. Turkish subsidiaries of foreign companies must also appoint a contact person as long as such subsidiaries process personal data in Turkey. Data controllers residing outside of Turkey must appoint an authorized representative. The contact person and the representative that will be appointed by the foreign data controller must be Turkish. This provides the base for accurate selection, tipically in the person of a Data Protection Lawyer in Turkey.

 

What is the deadline for registrations?

The deadline is 31.03.2021 for data controllers that have less than 50 employees in a year or an annual balance sheet below TRY 25 million, whose main business activity is processing sensitive personal data.

The deadline was originally 30.09.2020 for (1) the real or legal person data controllers that have more than 50 employees in a year or an annual balance sheet above TRY 25 million or an annual balance sheet above TRY 25 million (approx. USD 4 million) and (2) the data controllers residing outside of Turkey. The Personal Data Protection Board stated in its latest announcement that the deadline has been extended for VERBIS registrations because of the COVID-19 outbreak. Though, the Board did not specify a new deadline for the registrations.

Ultimately, data controllers who fail to fulfill their obligations to register with the VERBIS are facing huge administrative fines up to TRY 1,802,640 (app. EUR 200.000) as of 2020.

What to do?

It is very important that the foreign companies and individuals who are processing personal data in Turkey must complete their VERBIS registrations by the relevant deadlines to ensure that their businesses are compliant with the law.

You may be interested in the following service...

Client testimonials

"I found them to be very reliable and responsive when providing their service."

Abu Bokkor (Jun 29, 2020)

Data Protection

Available in the following locations: .

* If your local town is not listed, a lawyer from our nearest office will be happy to assist you.

Location

1Who is this Service for?

With the arrival of the General Data Protection Regulation (EU) 2016/679, businesses across the world have been forced to scramble to ensure they are compliant. While currently emphasis is being placed on the management of personal data by large multinational tech companies, companies of all sizes are required to comply.

The data of individuals is the subject of the GDPR protection and consequently the impact is felt across an organization who processes their personal details: identifying who is the data controller, how data is obtained and its lawfulness of processing, technical and organizational measures to be taken in order to ensure data security, the DPO role within a company, how to manage a right request from the data subject, how to protect the confidential data managed by a processor, data protection impact assessment, how long data records can be retained, identifying special categories of data, etc.

2What does this service consist of?

  • Initial discussion with an English-speaking lawyer specialising in Data Protection to understand the scope of your business and likely measures that you will need to implement to ensure compliance
  • A report detailing policies that will need to be implemented to ensure compliance
  • Assistance with implementation including drafting of policy documents, employee training and 3rd party contracts.
  • Ad hoc advice
Support services

3Free Support Services Included

When combined with the free and innovative Advocate Abroad support services you can be sure that you are obtaining completely transparent legal services from registered and regulated English-speaking lawyers abroad.These support services include:

  • Verification of the regulatory status of your professional.
  • Fees as recommended by the Local Professional Body
  • Fees specified in advance and legally guaranteed.
  • Service levels agreed in advance and guaranteed.
  • All professionals must hold professional indemnity insurance.
  • Professionals' proficiency in English monitored.
  • Continuous quality controls and reviews.

Why choose Advocate Abroad?

AdvocateAbroad.com Message
Established more than
10 years ago
Present in 20
European Countries
Over 30,000 client enquiries
successfully managed