Data controllers –all foreign firms and individuals, who are processing personal data in Turkey, must comply with the data protection regulations regardless of whether they reside in and outside of Turkey. Very few data controllers are aware that they may be held liable for not complying with those rules. As part of the compliance procedure, one of the frequent questions we receive relates to the VERBIS registry requirements before the Data Controllers’ Registry.
1. What is VERBIS Registry Requirement?
In Turkey, data controllers –real and legal persons processing personal data must register with the Data Controllers’ Registry (VERBIS) before processing personal data. VERBIS is a registration system where data controllers need to be registered to and record the data processing activities they are engaged with.
2. To whom does it apply?
The Law is introduced a registry requirement for: -Local data controllers that have more than 50 employees, and actively more than TRY 25 million on their balance sheets. -Data controllers residing abroad as long as they process personal data in Turkey. - Data controllers that have less than 50 employees in a year or an annual balance sheet below TRY 25 million, whose main business activity is processing sensitive personal data.
3. What are the obligations as to the Data Controllers’ Registry?
Preparing a Data Inventory: Typically, data controllers must prepare a personal data inventory –a guideline which indicates what type of personal data will be used, stored, processed and transferred by the data controller.
In particular, data controllers must make a category of the personal data and a list of their operations, determine the purposes and legal grounds of the processing activities, the recipients, international transfers, data security measures and the maximum time for processing personal data In case of any change in the information listed above, such change needs to be notified to the Authority to keep the record up to date.
Appointing a Representative/Contact Person: Data controllers residing in Turkey must appoint a contact person. Turkish subsidiaries of foreign companies must also appoint a contact person as long as such subsidiaries process personal data in Turkey. Data controllers residing outside of Turkey must appoint an authorized representative.
The contact person and the representative that will be appointed by the foreign data controller must be Turkish, often the same Turkish lawyer selected by the company owners to set up the company.
4. What is the deadline for registrations?
The deadline is 31.03.2021 for data controllers that have less than 50 employees in a year or an annual balance sheet below TRY 25 million, whose main business activity is processing sensitive personal data. The deadline was originally 30.09.2020 for
- the real or legal person data controllers that have more than 50 employees in a year or an annual balance sheet above TRY 25 million or an annual balance sheet above TRY 25 million (approx. USD 4 million), and
- the data controllers residing outside of Turkey. The Personal Data Protection Board stated in its latest announcement that the deadline has been extended for VERBIS registrations because of the COVID-19 outbreak.
Though, the Board did not specify a new deadline for the registrations.
Ultimately, data controllers who fail to fulfil their obligations to register with the VERBIS are facing huge administrative fines up to TRY 1,802,640 (app. EUR 200,000) as of 2020.
What to do? It is very important that the foreign companies and individuals who are processing personal data in Turkey must complete their VERBIS registrations by the relevant deadlines to ensure that their businesses are compliant with the law.
