- within Privacy topic(s)
- with readers working within the Oil & Gas industries
- within International Law, Technology and Environment topic(s)
- in United Kingdom
In Decision No.2025/1572 dated 4September 2025, the Turkish Data Protection Authority introduced an exemption for data controllers processing sensitive data as part of their main activity from the obligation to register with the Data Controllers Registry (VERBIS) under Law No.6698 on the Protection of Personal Data, if they qualify as small-scale enterprises. The decision took effect on 1October 2025 following its publication in the Turkish Official Gazette.
Previously, only organisations with fewer than 50employees and an annual balance sheet total under TRY100million whose main activity did not involve processing sensitive data were exempt from registration. Those mainly processing sensitive data as part of their operations, such as hospitals, clinics or medical centres processing health data, had to comply with the registration obligation without any exception.
With this decision, data controllers whose main activity involves processing sensitive data are now exempt if they:
- employ fewer than 10 people annually, and
- record an annual balance sheet total of less than TRY10 million.
This change means that small-scale healthcare providers and similar organisations that meet these criteria no longer need to register.
However, the exemption applies only to registration. These organisations must still meet all other obligations under Turkish data protection law regarding how they collect, use, and protect personal data.
Originally published 7 October 2025
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
[View Source]
