Data Protection Laws in Turkey

Data controllers –all foreign firms and individuals processing personal data in Turkey, must comply with the data protection regulations.
Article Last Updated: 08 Oct, 2023 under Limited Company Set-up Service

Data controllers –all foreign firms and individuals, who are processing personal data in Turkey, must comply with the data protection regulations regardless of whether they reside in and outside of Turkey. Very few data controllers are aware that they may be held liable for not complying with those rules. As part of the compliance procedure, one of the frequent questions we receive relates to the VERBIS registry requirements before the Data Controllers’ Registry.  

1. What is VERBIS Registry Requirement?

In Turkey, data controllers –real and legal persons processing personal data must register with the Data Controllers’ Registry (VERBIS) before processing personal data. VERBIS is a registration system where data controllers need to be registered to and record the data processing activities they are engaged with.  

2. To whom does it apply?

The Law is introduced a registry requirement for: -Local data controllers that have more than 50 employees, and actively more than TRY 25 million on their balance sheets. -Data controllers residing abroad as long as they process personal data in Turkey. - Data controllers that have less than 50 employees in a year or an annual balance sheet below TRY 25 million, whose main business activity is processing sensitive personal data.  

3. What are the obligations as to the Data Controllers’ Registry?

Preparing a Data Inventory: Typically, data controllers must prepare a personal data inventory –a guideline which indicates what type of personal data will be used, stored, processed and transferred by the data controller. 

In particular, data controllers must make a category of the personal data and a list of their operations, determine the purposes and legal grounds of the processing activities, the recipients, international transfers, data security measures and the maximum time for processing personal data In case of any change in the information listed above, such change needs to be notified to the Authority to keep the record up to date. 

Appointing a Representative/Contact Person: Data controllers residing in Turkey must appoint a contact person. Turkish subsidiaries of foreign companies must also appoint a contact person as long as such subsidiaries process personal data in Turkey. Data controllers residing outside of Turkey must appoint an authorized representative. 

The contact person and the representative that will be appointed by the foreign data controller must be Turkish, often the same Turkish lawyer selected by the company owners to set up the company.

4. What is the deadline for registrations?

The deadline is 31.03.2021 for data controllers that have less than 50 employees in a year or an annual balance sheet below TRY 25 million, whose main business activity is processing sensitive personal data. The deadline was originally 30.09.2020 for 

  1. the real or legal person data controllers that have more than 50 employees in a year or an annual balance sheet above TRY 25 million or an annual balance sheet above TRY 25 million (approx. USD 4 million), and
  2. the data controllers residing outside of Turkey. The Personal Data Protection Board stated in its latest announcement that the deadline has been extended for VERBIS registrations because of the COVID-19 outbreak. 

Though, the Board did not specify a new deadline for the registrations. 

Ultimately, data controllers who fail to fulfil their obligations to register with the VERBIS are facing huge administrative fines up to TRY 1,802,640 (app. EUR 200,000) as of 2020. 

What to do? It is very important that the foreign companies and individuals who are processing personal data in Turkey must complete their VERBIS registrations by the relevant deadlines to ensure that their businesses are compliant with the law.

Our Lawyers

Kübra, Lawyer in Istanbul ...
Kubra is a partner in her law firm which has offices in Istanbul and Izmit. Kubra and her firm focuses primarily in the areas of Corporate Law, Inheritance and Family Law. Her firm also regularly advises on Litigation (labour law, debt recovery, breach of contract, liability and corporate conflicts ), She also represents multinational corporate clients on regulatory compliance matters, particularly in the areas of corporate, trade and customs and real estate property matters. she is a registered arbitrator and a sworn translator and interpreter.
At our first meeting, Kubra explained to me the whole process and the options we had as her client. She grasped the objectives that I wanted to attain, and then she laid out the plans and recommendations as well the cost associated with legal assistance. This demonstrates her ability to understand the area in which she operates. Furthermore, during the legal proceedings, I often got updated through her assistants that I believe is the key to form a good relationship between client and lawyer. In sum, I am pleased that I found Kubra through Advocate Abroad, and recommend Kubra to anyone who is seeking legal assistance in property disputes.
Hashim Sheerani
Hashim Sheerani
26 Mar 2024
51 completed cases
Speaks languages
Call Us
Email Us
Loading form...

Call us Now

Office hours: 9am - 9pm CET Monday - Friday