Data Protection Laws in Turkey

Data controllers –all foreign firms and individuals processing personal data in Turkey, must comply with the data protection regulations.
Article Published: 27 Sep, 2020, Updated: 08 Oct, 2023 under Limited Company Set-up Service

Data controllers –all foreign firms and individuals, who are processing personal data in Turkey, must comply with the data protection regulations regardless of whether they reside in and outside of Turkey. Very few data controllers are aware that they may be held liable for not complying with those rules. As part of the compliance procedure, one of the frequent questions we receive relates to the VERBIS registry requirements before the Data Controllers’ Registry.  

1. What is verbis registry requirement?

In Turkey, data controllers –real and legal persons processing personal data must register with the Data Controllers’ Registry (VERBIS) before processing personal data. VERBIS is a registration system where data controllers need to be registered to and record the data processing activities they are engaged with.  

2. To whom does it apply?

The Law is introduced a registry requirement for: -Local data controllers that have more than 50 employees, and actively more than TRY 25 million on their balance sheets. -Data controllers residing abroad as long as they process personal data in Turkey. - Data controllers that have less than 50 employees in a year or an annual balance sheet below TRY 25 million, whose main business activity is processing sensitive personal data.  

3. What are the obligations as to the data controllers’ registry?

Preparing a Data Inventory: Typically, data controllers must prepare a personal data inventory –a guideline which indicates what type of personal data will be used, stored, processed and transferred by the data controller. 

In particular, data controllers must make a category of the personal data and a list of their operations, determine the purposes and legal grounds of the processing activities, the recipients, international transfers, data security measures and the maximum time for processing personal data In case of any change in the information listed above, such change needs to be notified to the Authority to keep the record up to date. 

Appointing a Representative/Contact Person: Data controllers residing in Turkey must appoint a contact person. Turkish subsidiaries of foreign companies must also appoint a contact person as long as such subsidiaries process personal data in Turkey. Data controllers residing outside of Turkey must appoint an authorized representative. 

The contact person and the representative that will be appointed by the foreign data controller must be Turkish, often the same Turkish lawyer selected by the company owners to set up the company.

4. What is the deadline for registrations?

The deadline is 31.03.2021 for data controllers that have less than 50 employees in a year or an annual balance sheet below TRY 25 million, whose main business activity is processing sensitive personal data. The deadline was originally 30.09.2020 for 

  1. the real or legal person data controllers that have more than 50 employees in a year or an annual balance sheet above TRY 25 million or an annual balance sheet above TRY 25 million (approx. USD 4 million), and
  2. the data controllers residing outside of Turkey. The Personal Data Protection Board stated in its latest announcement that the deadline has been extended for VERBIS registrations because of the COVID-19 outbreak. 

Though, the Board did not specify a new deadline for the registrations. 

Ultimately, data controllers who fail to fulfil their obligations to register with the VERBIS are facing huge administrative fines up to TRY 1,802,640 (app. EUR 200,000) as of 2020. 

What to do? It is very important that the foreign companies and individuals who are processing personal data in Turkey must complete their VERBIS registrations by the relevant deadlines to ensure that their businesses are compliant with the law.

Our Accountants

Cansu, Accountant in Aydin...
Cansu and colleagues provide legal consultancy services to domestic and foreign individuals, companies, institutions and foundations in the fields of private law and public law and in many different sectors. Their services are provided in both Turkish and English, operates with client-oriented and international perspective based on the principal of proficiency, efficiency and accessibility.
Cansu helped me with a supplier issue in Izmir. She communicated directly with the supplier and explained to me my various options, both legal and otherwise. She is professional and advised me on the appropriate course of action to take.
Siobhan Dunphy
Siobhan Dunphy
28 Nov 2023
24 completed cases
Speaks languages Speaks TurkishSpeaks English