ARTICLE
6 June 2025

Verbis Registration Obligation Under The Law On The Protection Of Personal Data

KC
Kilinc Law & Consulting

Contributor

Kilinç Law & Consulting established by Levent Lezgin Kilinç currently operates in Istanbul, Izmir and London. Our firm, provides services to clients in a wide range of complex matters including Project Finance, Corporate Law, M&A, Energy Law, Dispute Resolution, Maritime Law, IP Law, International Transactions as well as Litigation of the disputes.
In today's world of accelerating digitalization, protecting individuals' personal data and securing the privacy of private life has become one of the priority issues in the protection of fundamental rights and freedoms...
Turkey Privacy

1. Introduction

In today's world of accelerating digitalization, protecting individuals' personal data and securing the privacy of private life has become one of the priority issues in the protection of fundamental rights and freedoms. In Turkey, the basis of the legal regulations in this area is the Law No. 6698 on the Protection of Personal Data ("Law"), which entered into force after being published in the Official Gazette dated 07.04.2016 and numbered 29677.

Pursuant to Article 16 of the Law, a Data Controllers' Registry has been established in order to publicly audit personal data processing activities, transparently identify data controllers and enable data subjects to exercise their rights effectively. This registry is carried out through the Data Controllers Registry Information System ("VERBIS"), an information infrastructure accessible via the internet. The VERBIS system ensures that data controllers submit the necessary notifications to the Personal Data Protection Authority ("Authority") before starting personal data processing activities, and ensures the applicability of the principles regarding the obligation to disclose and data security measures.

The obligation to register with the Registry is not only a formal procedure, but also a structural tool that serves to fulfill the accountability, transparency and compliance obligations of data controllers. Within this framework, the Regulation on the Registry of Data Controllers ("Regulation") regulates in detail the procedures and principles regarding the registration obligation of data controllers and provides for administrative sanctions in case of breach of the obligation pursuant to Article 18 of the Law.

In this article, the legal basis of the VERBIS system, the scope and duration of the registration obligation of data controllers, the personal data inventory preparation process, and the exceptions and administrative sanctions that may be imposed in case of violations within the framework of the Personal Data Protection Board ("Board") decisions will be discussed in a holistic manner.

2. Basis and Scope of VERBIS Registration Obligation

Under the Law, natural or legal persons who determine the purposes and means of processing personal data and who are responsible for the establishment and management of the data recording system are defined as data controllers. Natural or legal persons who process personal data in line with the instructions of and on behalf of the data controller are considered as data processors.

Pursuant to Article 16 of the Law, natural and legal persons who process personal data as data controllers are obliged to register with the Registry of Data Controllers within the period determined by the Board before starting data processing. As a matter of fact, pursuant to Article 8 of the Regulation, it is mandatory for data controllers under the registration obligation to apply through VERBIS before they actually start data processing.

At this point, it should be noted that the obligation to register with VERBIS belongs only to data controllers; data processors do not have any notification or registration obligation in terms of transactions within this scope.

On the other hand, the VERBIS registration obligation covers data controllers resident in Turkey, as well as natural and legal person data controllers who are not resident in Turkey but carry out personal data processing activities in Turkey. Legal person data controllers resident in Turkey are also obliged to appoint a contact person and enter the information of this person into the system during VERBIS registration. Legal person data controllers who are not resident in Turkey, on the other hand, are obliged to submit to the Authority a certified decision stating that they have appointed a data controller representative and to carry out the transactions through this representative.

However, the Law authorizes the Board to make exceptions to the obligation to register with the registry. In the application of the said exception; objective criteria to be determined by the Board such as the nature and number of personal data processed, the fact that the data processing arises from the Law or the status of transfer to third parties are taken into consideration.

3. Exemptions from VERBIS Registration Obligation

As stated under the previous heading, although it is essential for data controllers engaged in personal data processing activities to register with VERBIS before starting data processing, the Board is authorized to exempt certain data controllers from the obligation to register with VERBIS under the provisions of the Law and the Regulation. In this context, the Board has determined objective criteria for the data controllers to be exempted from the registration obligation with its various decisions. These criteria are (i) The nature of the personal data (ii) The number of personal data (iii) The purpose of processing the personal data (iv) The field of activity in which the personal data is processed (v) The transfer of personal data to third parties (vi) The lawfulness of the personal data processing activity (vii) The period of retention of personal data (viii) The data subject group or categories of data (ix) The annual number of employees or annual financial balance sheet total of the data controller.

In this context, pursuant to the Board's Decision dated 06.07.2023 and numbered 2023/1154, the data controllers exempted by the Board from the obligation to register with VERBIS are as follows.

  • Those who process data by non-automatic means, Notaries, Associations and Foundations, Lawyers, Political Parties, Certified Public Accountants and Sworn-in Certified Public Accountants, Mediators, Natural or legal persons whose number of employees is less than 50 and whose annual financial balance sheet total is less than TRY 100.000,00, whose main activity is not private personal data

All data controllers outside the above-mentioned scope are under the obligation to register with VERBIS. Therefore, it is of great importance for data controllers to carefully evaluate whether they fall within the scope of the obligation and to remember that the exception status can only be determined in accordance with the Board decisions.

4. Registration Period in VERBIS

Article 8 of the Regulation on the Data Controllers' Registry sets the deadline for all data controllers who process personal data and are not exempted by the Board decision to fulfill their obligation to register with VERBIS. According to the aforementioned article, data controllers must register with the registry before they actually start processing personal data.

However, pursuant to the Board Decision dated 11.03.2021 and numbered 2021/238, it was initially announced that data controllers with more than 50 employees or a total annual financial balance sheet exceeding TRY 25 million must register with VERBIS between 01.10.2018- 31.12.2021. Later, with the Board Decision dated 06.07.2023 and numbered 2023/1154, data controllers whose annual number of employees is less than 50 and annual financial balance sheet total is less than TRY 100 million and whose main activity is not processing special categories of personal data were included in the scope of the exception.

For data controllers who were not obliged to register until 31.12.2021 in accordance with the Board's decisions, but became obliged later, they must fulfill their registration and notification obligation to VERBIS within 30 days from the date they became obliged to register in accordance with Article 8 of the Regulation.

In this context, for example, a data controller who becomes liable for the first time with a financial balance sheet asset value exceeding TRY 100 million as a result of the Corporate Tax Declaration for the year 2024, must register to VERBIS within 30 days from the date of the declaration.

5. Preparation of Personal Data Inventory and VERBIS Notification

In order for data controllers to fulfill their obligation to register with VERBIS, they must first prepare a Personal Data Processing Inventory by conducting a detailed analysis of the personal data they process. As a matter of fact, pursuant to Article 5 of the Regulation, data controllers who are obliged to register with VERBIS are obliged to create this inventory. In this context, all information to be reported to VERBIS should be prepared on the basis of this inventory.

Personal data inventory is a structural document that associates the personal data processing activities carried out by the data controller depending on its field of activity and business processes on the basis of elements such as legal reason, purpose of processing, data subject group, data category, recipient group and retention period.

Pursuant to Article 9 of the Regulation, the information to be notified to the Data Controllers Registry must include the following elements:

  • Identity and contact information of the data controller and data controller representative, if any,
  • Purposes of processing personal data,
  • Data subject groups and their data categories,
  • Recipient or groups of recipients to whom personal data may be transferred,
  • Personal data foreseen to be transferred abroad,
  • Technical and administrative measures taken regarding personal data security,
  • Maximum retention period required for the purpose for which personal data are processed.

This information must be entered into the system completely and accurately under the headings defined on the VERBIS screen. In addition, the reported information must be in full compliance with the personal data inventory. For example, the retention period for a certain category of data must be included in both the inventory and the VERBIS system in the same way.

In case of any inconsistency between the information reported to VERBIS and internal records during the audits conducted by the Authority, the data controller may face administrative sanctions. Therefore, the preparation of the inventory is not only a technical process; it is also a process that gives rise to legal liability.

In addition, the personal data inventory is the main reference source not only for the VERBIS registration process, but also for the fulfillment of other obligations under the Law, such as the obligation to inform, the evaluation of data subject applications, the determination of data security measures and the establishment of retention-destruction policies.

On the other hand, data controllers are personally responsible for ensuring that the information they submit to VERBIS and published in the Registry is accurate, up-to-date and lawful. In case of any change in any of this information, the changes must be notified to the Authority without delay. In addition, the registry is deleted in the event that the activities requiring the registration obligation are terminated. However, this deletion does not eliminate the obligations of the data controller for the period of registration.

6. Sanctions to be Applied in Case of Violation

Under the Law, data controllers may face administrative sanctions in case of breach of the obligation to register with VERBIS or in case of providing false or incomplete information during registration. The legal basis for these sanctions is clearly regulated in Article 18 of the Law.

Pursuant to the aforementioned article, it is stipulated that data controllers who fail to fulfill their VERBIS registration and notification obligations may be imposed an administrative fine between TRY 20,000 and TRY 1,000,000. However, pursuant to the seventh paragraph of Article 17 of the Misdemeanor Law No. 5326, these amounts are increased by the revaluation rate determined pursuant to the repeated Article 298 of the Tax Procedure Law No. 213 as of the beginning of each calendar year. Accordingly, as of 2025, the amounts of administrative fines that can be imposed for the aforementioned acts vary between TRY 272,380 and TRY 13,620,402.

As a result of the audits and ex officio investigations carried out by the Board, not only the failure to register in VERBIS at all, but also false, incomplete or misleading statements are subject to sanctions.

The Board determines the amount of the administrative fine by taking into account factors such as the nature and duration of the breach, the number of persons concerned, the degree of sensitivity of the affected data categories, the fault rate of the data controller and the measures taken, and the severity of the damage.

The Board's decisions in this regard are not limited to fines; they may also include measures such as the fulfillment of obligations to remedy the violation, or even informing the public if deemed necessary.

7. Conclusion

Protection of personal data has become an indispensable element of securing the fundamental rights and freedoms of individuals in the digital age. Accordingly, VERBIS is not only a technical registration system, but also a fundamental compliance mechanism that ensures that data controllers act in line with the principles of transparency, accountability and compliance with the law. The obligation to register with VERBIS is a legal obligation that directly affects the organizational structure of the data controller and may lead to serious administrative sanctions in case of violation. Therefore, it is of great importance for data controllers to structure their personal data processing activities within the legal limits, to prepare personal data inventories in full and to complete VERBIS registration processes on time. Otherwise, administrative fines and other sanctions that may be imposed by the Board may have negative consequences on the reputation and financial structure of the data controller.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

Mondaq uses cookies on this website. By using our website you agree to our use of cookies as set out in our Privacy Policy.

Learn More