Norton Rose Fulbright - Data Protection Report blog


We previously reported that Turkey’s data protection legislation (TDPL) requires data controllers to notify the Turkish DPA of their processing activities. Unless exempt from the requirement, all data controllers (individuals and legal entities) who process personal data in Turkey must be registered with the Turkish DPA’s Register of Data Controllers Information System (VERBİS), prior to processing any personal data.


The Turkish DPA announced yesterday that the requirement to register has been postponed for some controllers until the year end. Specifically, the following data controllers must now complete their registration with VERBİS prior to the deadlines set out below:

  • Real and legal persons who have settled abroad (i.e. non-Turkish controllers) before 31 December 2019;
  • Workplaces that have over 50 employees yearly, or have financial balance sheet over TL 25,000,000 (approx. USD 4,500,000) before 31 December 2019;
  • No change has been made to the deadline for legal entities which have less than 50 employees annually and whose annual total financial statement is less than TL 25,000,000 but whose main business is processing sensitive personal data. These entities will still need to register before 31 March 2020.

For more information on the implications of this legislation for non-Turkish controllers, please see our previous blog post.