Turkey: Registry of Data Controllers’

Although Turkey signed the Convention 108 on 28 January 1981, there has been no law enacted as required by the Convention until the adoption of Personal Data Protection Law. Personal Data Protection Law is drafted in conformity with the Directive 95/46/EC of the European Parliament and of the Council which was in force in 2016. However, when the Directive was replaced by GDPR in 2018, Turkey did not revise the Personal Data Protection Law accordingly and therefore the provisions of the Personal Data Protection Law currently in force in Turkey differ from the GDPR.

One significant difference of many is the obligation of Data Controllers’ Registry (VERBIS). According to Personal Data Protection Law and related regulations, data controllers are obliged to register to VERBIS under the following conditions. 

Data controllers:

Entry in the registry requires the data controllers to specify the category of personal data processed, the reason for the processing of such personal data, from which category of recipients the personal data was collected, if the data is transferred (both domestically and abroad), for how long the data will be processed and when it will be deleted/destroyed, as well as the security measures taken for the protection of the processed personal data. For the avoidance of doubt, the data controller is not required to enter any personal data in the registry only the category of the processed personal data. 

If the Data Controller is not resident in Turkey, but fulfils the conditions for registration in the Registry, a representative of Turkish nationality shall be appointed. The representative may be a Turkish legal entity or a Turkish natural person and shall act only as the contact person for the data controller without assuming further liability.  

The registry is controlled and managed by the Data Protection Authority online and is open to the public. It aims to make the processing of personal data transparent and accessible to the public. This way, as the data subjects will be able to review which of their data might be processed more easily and, in the event of a breach, the data subjects will be able to report it more quickly to the Data Controller and keep it accountable.

If the Data Protection Authority receives a complaint against the data controller or becomes aware of an unlawful act, an investigation may be initiated accordingly. In this regard, Data Protection Authority has the right to request information and documents from the data controller and to examine them on site and/or online. 

In the event that an unlawful act is identified as a result of a breach by the data controller, a penalty may be imposed up to an amount of 9.463.213,00 Turkish lira (as of 05/01/2024). The penalty amounts are updated every year. However, as far as we know, since the obligation of registering in the Data Controllers’ Registry, no sanctions have been imposed on a data controller yet for the failure of non-registering.