Pursuant to Article 16 of Law No 6698 on the Protection of Personal Data (the "Law"), data controllers who process personal data by automated means and who meet certain criteria are obliged to register in the Registry of Data Controllers ("VERBIS") and establish a personal data processing inventory before starting to process data. VERBIS is a registration system that collects information on the data processing activities of data controllers in Türkiye.

On 1 August 2024, the Turkish Data Protection Authority (the "DPA") announced the findings resulting from its investigations conducted with respect to compliance of companies to the requirement to register with VERBIS, along with related statistics on administrative fines imposed for non-compliance.1 This client alert is intended to remind both Turkish and foreign data controllers of the VERBIS registration requirement, the procedures to be followed and the administrative fines imposed for non-compliance.

WHO MUST REGISTER WITH VERBIS?

VERBIS is a publicly accessible registration system managed by the DPA, where data controllers meeting certain criteria are obliged to register and disclose information about their data processing activities as per Article 16 of the Law.

The relevant thresholds and criteria were established by the DPA decision dated 11 March 2021 and numbered 2021/238, as follows:

Turkish legal entities or individuals with more than 50 employees, or with annual financial statements totalling more than TRY 100 million (as of 25.07.2023 in accordance with the re-evaluation decision).

Turkish legal entities or individuals with less than 50 employees per year, or with annual financial statements totalling less than TRY 100 million (as of 25.07.2023 in accordance with the re-evaluation decision), whose scope of activity includes the processing of sensitive personal data.

These thresholds (i.e. 50 employees and a turnover of over TRY 100 million) do not apply to foreign data controllers who process personal data in Türkiye, meaning that such data controllers must register with VERBIS regardless of headcount or turnover.

It must be noted that the Law does not have a territorial scope of application. The Law applies indeed to anyone processing Turkish-originated data, regardless of whether they are located in Türkiye or abroad.

ADMINISTRATIVE FINES FOR FAILING TO REGISTER WITH VERBIS

In an announcement published on 21 April 2022, the DPA stated that the deadline to register with VERBIS expired on 31 December 2021. From that date, administrative sanctions may be imposed ex officio on data controllers who fail to register and notify VERBIS, despite the obligation to do so. The sanctions are the fines specified in Article 18/1 of the Law. The lower limit of the administrative fine for failing to register with VERBIS for 2024 is TRY 189,245, while the upper limit is TRY 9,463,213.

In its announcement of 1st of August, the DPA said that it conducted VERBIS examinations pursuant to Article 18 of the Law against approximately 130,600 data controllers, identifying that around 16,350 data controllers had failed to meet this obligation.

As of 1st of August, these examinations led the DPA to impose administrative fines totalling TRY 503,935,000 on data controllers located in Türkiye and abroad who failed to fulfil their VERBIS registration obligation. The fines were based on an algorithm table calculated according to annual financial statements' assets.

STEPS TO BE FOLLOWED FOR COMPLIANCE

Data controllers must first prepare a personal data inventory mapping the data processing activities of the data controller. A thorough review of data processing activities must be made in order to determine the purposes of the data processing activity, the category of personal data processed, the data recipients, data retention periods, cross-border data transfers, administrative and technical data security measures taken by the company and legal grounds for data processing. All the information shared on the VERBIS platform will be derived from the data inventory and uploaded electronically.

Data controllers who register with VERBIS must also appoint a contact person to establish communications between the data subjects and the data controller. Foreign data controllers must also appoint a data controller representative, who can be a Turkish resident legal entity or a Turkish national individual. The representative should be appointed in a resolution of the corporate body of the foreign data controller and needs to be notarised and apostilled. The representative acts as a point of contact for the data controller in relation to its dealings with the DPA and the data subjects. If a legal entity is appointed as the representative, an individual must also be appointed by the foreign data controller as the contact person.

CONCLUSION

Registering with VERBIS is essential for the sake of ensuring proper regulatory compliance of both Turkish and foreign data controllers processing personal data in Türkiye. Failure to meet the abovementioned requirements can result in significant administrative fines.

Turkish companies should regularly verify on a yearly basis whether they meet the thresholds and conditions for VERBIS registration. Foreign companies that process personal data from Türkiye should take the necessary steps to comply with the Law and register with VERBIS as soon as practically possible.

