- within Media, Telecoms, IT and Entertainment topic(s)
Turkey: New Exemption Introduced for VERBIS Registration Obligations
On 4 September 2025, the Turkish Personal Data Protection Board (“the Board”) adopted a landmark decision (No. 2025/1572) introducing a new exemption from the obligation to register with the Data Controllers' Registry (“VERBIS”) under Article 16 of the Personal Data Protection Law numbered 6698 (“PDPL”).
Under the PDPL, all controllers that process personal data are generally required to register with VERBIS unless an exemption is granted by the Board based on objective criteria such as the nature and volume of data processed, the legal basis of processing, or data transfers to third parties. Previous Board decisions, including Decision No. 2018/87 (later amended by Decision No. 2023/1154), exempted controllers with fewer than 50 employees and an annual financial balance sheet below TRY 100 million, provided that their main activity did not involve the processing of special categories of personal data.
With the new decision, the Board has now extended this exemption to a limited group of small-scale controllers whose main activity involves the processing of special categories of personal data, such as health or biometric data. Specifically, controllers with fewer than 10 employees and an annual financial balance sheet below TRY 10 million will no longer be required to register with VERBIS.
The Board noted that this change was introduced in light of current economic conditions and the limited technical and human resources available to micro-enterprises, which typically process smaller volumes of data compared to larger organizations. The decision is considered a significant development, as it marks the first time that controllers whose primary activity involves sensitive data processing have been granted a VERBIS exemption based on financial and operational thresholds.
DPA President Announces Administrative Fines and Case Statistics
In a statement dated September 23, President of the Data Protection Authority (Authority”) , Prof. Dr. Faruk Bilir, stated that administrative fines totaling 1,179,295,000 Turkish lira have been imposed as a result of investigations conducted since the Authority began operations in 2017. Also, Prof. Dr. Faruk Bilir, stated that 52,683 of the 54,594 reports and complaints had been resolved, and that 378 of the 1,827 data breaches had been published on the institution's website.
Cybercrime Investigation Leads to Arrests for Unlawful Access to Personal Information
On 30 September 2025, the National Intelligence Organization (“MIT”), in coordination with the Gendarmerie General Command, the National Cyber Incident Response Centre, and the Financial Crimes Investigation Board, carried out a nationwide operation targeting illegal query systems used to obtain personal data. Three individuals were arrested and remanded in custody for allegedly acquiring citizens' personal information through unlawful means. The investigation found that illicit data-query panels were being used and that some of the stolen data had been transferred abroad. Nine websites linked to the network were shut down as part of the operation.
The DPA announced the following data breach notifications in September:
| Data Controller (and sector) | Affected Data Subjects | Affected Personal Data Categories |
| Sinch AB (Communication) | users | Name, surname, telephone number, e-mail, address information, the last four digits of the credit card, credit card type (Visa, Mastercard, etc.), and the expiration date of the credit card |
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
