Norton Rose Fulbright - Data Protection Report blog


Turkey’s data protection legislation (TDPL) requires data controllers to notify the Turkish DPA of their processing activities. Unless exempt from the requirement, all data controllers (individuals and legal entities) who process personal data in Turkey must be registered with the Turkish DPA’s Register of Data Controllers Information System (VERBİS), prior to processing any personal data.

Data controllers which fail to fulfil this obligation may be subject to an administrative fine of an amount between TL 20,000–1,000,000 (approximately USD 3,600-180,000). Such fines will be issued at the discretion of the Data Protection Board and will be determined based on the facts of each specific breach.

Implications for non-Turkish controllers

The obligation to register under TDPL applies to data controllers based outside of Turkey as well as Turkish controllers. Consequently, natural and legal persons who are currently processing personal data but who are based outside of Turkey, are still obliged to comply with the obligation to register. The registration process is different for Turkish and non-Turkish data controllers. Data controllers located outside of Turkey will need to appoint a data controller representative, who must be a Turkish citizen resident in Turkey or a Turkish entity. The representative must complete the registration form available online, and submit it to the DPA. The representative will then appoint a contact person (irtibat kişisi) who must also be a Turkish citizen resident in Turkey (a natural person representative may appoint herself as the contact person). The contact person will submit the required information and complete registration with VERBİS.

Deadline for registration

The deadline for completing the registration process is fast approaching. Specifically, the following data controllers must complete their registration with VERBİS prior to the deadlines set out below:

  • Real and legal persons who have settled abroad (i.e. non-Turkish controllers) before 30 September 2019;
  • Workplaces that have over 50 employees yearly, or have financial balance sheet over TL 25,000,000 (approx. USD 4,500,000) before 30 September 2019;
  • Legal entities which have less than 50 employees annually and whose annual total financial statement is less than TL 25,000,000 but whose main business is processing sensitive personal data to register before 31 March 2020.