top of page

Data Privacy Rules in Turkey

The Data Protection Board of Turkey has recently provided more details on how data privacy regulations should be carried out and has given more time for mandatory registration with the data controllers' registry (VERBIS).



The Data Protection Board of Turkey has emphasized the importance of accurate and complete registration with the data controllers' registry (VERBIS) under the Data Protection Law (DPL) numbered 6698. Due to numerous incomplete or unnecessary registrations, the deadline for registration has been extended until 30 June 2020 for Turkish-resident data controllers with more than 50 employees or a balance sheet total over TRY 25,000,000 (approx. EUR 3,750,000) and for data controllers resident outside Turkey. The purpose of VERBIS registration is to increase transparency and any changes or updates in the information provided must be notified to VERBIS within seven days. The Board also emphasized that registration should be based on a data inventory prepared by the data controllers. Registration without a prepared data inventory does not meet the requirements of data privacy legislation.


The Data Protection Board of Turkey has recently been asked if branches of non-resident legal entities located in Turkey should be registered with VERBIS for personal data processed in Turkey. The Board has concluded that these branches should be registered with VERBIS if they act as data controllers. However, the issue is complicated by the fact that under Turkish law, branches are not considered legal entities but under the legislation, data controllers should be either an individual or a legal entity. The Board has adopted a more functional definition following the approach of the General Data Protection Regulation (GDPR) which defines a data controller as a natural or legal person, public authority, agency or any other organization that alone or jointly with others determines the purposes and means of personal data processing. Therefore, the definition of data controller under the GDPR is more flexible and focuses on the determination of the purposes and means of data processing.


To learn more information, please reach out to us and we will be happy to assist you.





bottom of page