As you might recall, the Regulation on Data Protection Registry was published by the Data Protection Board (“DPA”) literally on the last days of 2017 and entered into force as of 1 January 2018. This was the main piece of legislation regarding the registry system applicable for data controllers. The online registration system is called VERBIS and is expected to be live and running as of October 2018.

On August 18, 2018, just before the Bayram Holidays (Eid), the DPA announced the registration dates for four different data controller groups and as well as the additional list of exemptions from the registration.

Accordingly, the registration obligation will first start as of October 2018 for (i) the companies with more than 50 employees or annual balance sheet total of at least 25 million TL and (ii) foreign data controllers.

Who is exempt?

The DPA first announced the list of exemptions for registry on 15 May 2018. That list included

  • those processing personal data as part of a filing system but by not automated means
  • associations, foundations, and unions, to the extent they process personal data of their employees, members, participants and donors within the scope of the relevant legislation and in compliance with their scope of work
  • lawyers, notary public, certified public accountant and sworn financial advisors
  • political parties

On 18 August 2018, the following was added to this list:

  • Legal entity or real person controllers that have less than 50 employees and a sum of annual balance sheet amounting less than TRY 25 million and do not engage in the processing of sensitive data as their core business activity. 
  • Mediators
  • Customs brokers authorized under Customs Law No. 4458

What does this mean?

It means that if you are not exempt, you must register with the Data Controllers Registry before the deadlines:

Type of Data Controller

      Starting Date


Data controllers having more than 50 employees or annual balance sheet total of more than 25 million TL

      1 October 2018

30 September 2019

Data controllers residing abroad

      1 October 2018

30 September 2019

Data controllers having less than 50 employees and annual balance sheet total of less than 25 million TL but their main field of operation is processing of sensitive (special categories of) data.

      1 January 2019

31 March 2020

Data controllers that are governmental institutions and organizations

      1 April 2019

30 June 2020

What is needed to register?

  • All data controllers must have a correspondent for managing the relations with the DPA. If you are a Turkish company, the correspondent will be the Company ’s board authorized to represent and act for the Company, an authorized person or board identified by the legislation or a representative the Company appointed to fulfill and handle Company’s data protection liabilities. If you are a foreign company processing Turkish person’s data in Turkey you must APPOINT A REAL PERSON/LEGAL ENTITY REPRESENTATIVE as a correspondent.
  • You must prepare a personal data processing INVENTORY.
  • You must determine WHY you are processing personal data.
  • You must identify TO WHOM YOU TRANSFER the personal data you are processing.
  • You must verify what type of SECURITY MEASURES you are taking and make sure that you comply with the law and the criteria determined by the DPA.  
  • You must determine your MAXIMUM RETENTION PERIODS based on data categories. Also, you must prepare a policy and set your principles for retention and neutralization (See http://www.ozbek.av.tr/data-privacy-blog/deletion-destruction-or-anonymization-of-personal-data/ for additional information.

Get ready & find your rep!

You should have prepared already your data inventory, data processing policy and your retention and neutralization policy. If you didn’t do so until to date, you should include these to the top of your to-do list for Q4.

If you are not a Turkish company but doing business in Turkey and processing personal information you need to appoint a representative to liaise your relations with the DPA. Don’t forget, if you fail to do it, you may be fined up to TRY 1,000,000.