The Turkish Data Protection Board (“Board”) announced the extension of VERBİS registration deadline until June 30, 2020 for:
- Turkish data controllers with more than 50 employees annually or whose annual total financial statement exceeds TL 25,000,000 (approx. USD 4.2 million); and
- Data controllers located abroad.
The Board observed that the process was not truly understood by the data controllers. Therefore, an extension was provided to allow the data controllers to duly complete their registrations, taking into consideration the below points, especially the requirement to prepare a data inventory:
- Some of the data controllers only filled out the initial application form but did not login to the system with their password and username to complete the registration.
- The main reason underlying the registration requirement is to ensure transparency in data processing and accountability of data processors, control the data processing activities by preventing irregular data processing and create an awareness regarding data processing.
- In many filings, the Board observed discrepancies between the information submitted, such as personal data, reasons to process, receiver/receiver groups, data subject groups, technical and administrative measures that are taken, data transfers and data retention periods.
- Information provided on VERBİS must be accurate and up-to-date, which is the data controller’s responsibility.
- If there are any changes to the information submitted to VERBİS, the Board must be notified through VERBİS within 7 days after the occurrence of those changes.
The Board reiterates the importance of the data inventory. A data inventory must be prepared by the data controller, which will the basis and source of information submitted to VERBİS. The deadline now being extended, preparation of a data inventory, including all relevant processes, must be a priority for the data controllers who are not yet registered.