Selin OZBEK CITTONE
Attorney at Law / Managing Partner, Dual qualified lawyer (Turkey and England & Wales)
08 October 2018
VERBIS IS LIVE!
Turkish Data Controllers Registry’s online system VERBIS is live!
The Regulation on Data Controller Registry (“RDCR”) was published on December 30, 2017, and came into force on January 1, 2018. Data controllers, who are not exempted by the Data Protection Board (“Board”), can now start their registry with the Data Controller Registry system called VERBIS. (See our article at https://www.ozbek.av.tr/data-privacy-blog/obligation-to-register-with-data-controllers-registry-begins-on-1-october-2018/ for requirements and exemptions.
Type of Data Controller
Data controllers who have more than 50 employees or an annual balance sheet total of more than 25 million TL
1 October 2018
30 September 2019
Data controllers residing abroad
Data controllers who have less than 50 employees and an annual balance sheet total of less than 25 million TL but their main field of operation is the processing of sensitive (special categories of) data
1 January 2019
31 March 2020
Data controllers that are governmental institutions and organizations
1 April 2019
30 June 2020
There are different entries for Turkish and foreign data controllers. Guidelines for registry explains the process step-by-step. You may see the fundamental requirements to register in our previous informational note: https://www.ozbek.av.tr/data-privacy-blog/obligation-to-register-with-data-controllers-registry-begins-on-1-october-2018/.
1st Step – Confirmation
For confirmation, the data controller (through its signatory authorized personnel), shall fill out an application form by clicking the “Register” (‘Kayıt Olun’ in Turkish) button. There, the data controller has to choose if it is a domestic person, a foreign person or a public institution, which all require different forms to fill out.
For instance; a foreign data controller has to provide the following information:
After the form is filled out, if the representative has a KEP address, the form will be sent through that address. However; if the representative does not have any KEP address, the form has to be signed, stamped and sent to the Data Protection Board by physical mail. If the data controller has been verified, it will receive a user ID and password to be able to enter VERBIS.
2nd Step – Registration
For the registration, the data controller, its representative or point of contact will enter its username and password onto the website. Afterward, the data controller will be directed to a form, where he/she will input the information of data categories, processing purposes, transferee groups, retention periods, data subject groups, information that will be transferred abroad and data security measures are taken. After the registry is completed, it will be public and may be accessed by anyone using a search bar with related keywords.
Currently, there is only a Turkish guideline and no information of an entry yet. While it is a very important step for the data protection compliance in Turkey, it might still be in its early stages and some data controllers might want to wait and observe VERBIS’s progress in the upcoming months.