Home

Internal

Global

Contact

de|en|it

Rödl & Partner Italy: 2024 turnover grows to a record level of 33.3 million euros |

Worldwide

We use cookies to personalise the website and offer you the greatest added value. They are, among other purposes, used to analyse visitor usage in order to improve the website for you. By using this website, you agree to their use. Further information can be found in our data privacy statement.

New Data Controllers’ Registry Exemption

published on 22 October 2025 | reading time approx. 2 minutes

Under the Turkish Data Protection Law (KVKK), data controllers must register with the Data Controllers’ Registry (VERBIS) when certain conditions are met. Key determinants include the annual number of employees, annual balance-sheet total and whether the data controller’s main activity involves processing sensitive personal data. Also, data controllers not established in Türkiye must still appoint a Turkish representative as a point of contact. VERBIS is a public register and serves transparency.

Personal Data Protection Board introduced an additional exemption from VERBIS registration with a decision published in the Official Journal on October 1, 2025: "Data controllers whose main activity is the processing of sensitive data are now also exempt from mandatory VERBIS registration if the annual number of employees is less than 10 and the annual balance sheet total is less than 10 million Turkish liras."

Who is affected?

Small organizations whose main activity is “special” data processing, which until now were required to register solely because of their core activity, may be exempt from registration if they fall below the new thresholds.

Does the obligation of Registration to VERBIS remain in place?

Yes. The registration obligation remains in place but still depends on thresholds (annual number of employees, annual balance sheet total) and certain activity profiles. VERBIS is and will be the public-register for transparency.

Is it sufficient in Türkiye, for a GDPR-aligned data controller, to register only in VERBİS?

No. The fact that a data controller processing data in and/or from Türkiye is GDPR-compliant is not legally sufficient. When personal data are processed in and/or from Türkiye, such process of personal data must be carried out in accordance with the legal framework of the KVKK and the data controller must comply with the requirements of the law and fulfil the obligations.

To-Do Checklist for VERBIS

Check thresholds:

Annual number of employees (50 or more);
Annual balance total (100 million Turkish Liras or more);
Main activity is processing sensitive data: annual number of employees (10 or more) and annual balance-sheet total (10 million Turkish Liras or more),

Adjust registration status: Not registered yet? Check whether the exemption applies for you;
Keep KVKK-compliant documentation consistent: Prepare/adjust information text, internal guidelines, personal-data inventory, policies, deletion concepts and security measures;
Keep sanctions in view: Administrative fines are adjusted annually.

DATA PROTECTION BITES

Read all releases »

author

Contact Person Picture

Börteçine Gültekin

+90 212 3101 434

Send inquiry

RÖDL & PARTNER TURKEY

Discover more about our offices in Turkey. Read more »