This article was written by Ekin İnal, Partner at İnal Kama Attorney Partnership, affiliate firm of Norton Rose Fulbright in Turkey.
Data Controllers' Registry or VERBİS is a publicly available database kept by the Data Protection Board (the “Board”), the decision-making body of the Turkish Data Protection Authority (the “DPA”). Unless exempt from the requirement, all data controllers (individuals and legal entities) who process personal data in Turkey must be recorded with VERBİS prior to processing any personal data.
The majority of data controllers must register by the end of this year. However, there are certain actions to be taken by the data controllers that must be taken into consideration to avoid any delays and possible penalties by the DPA.
Data controllers that fail to fulfil this obligation may be subject to an administrative fine in an amount between TL 20,000–1,000,000 (approx. US$3,600-180,000).
Who is required to register?
The following data controllers must complete their registration with VERBIS prior to the deadlines set forth below:
- Legal entities with more than 50 employees annually or whose annual total financial statement exceeds TL 25,000,000 (approx. US$4,500,000) to register before December 31, 2019.
- Legal entities located abroad to register before December 31, 2019.
- Legal entities that have less than 50 employees annually and whose annual total financial statement is less than TL 25,000,000 but whose main business is processing sensitive personal data (e.g. ethnic origin, political opinion, membership of associations, information relating to health) to register before March 31, 2020.
To the extent they process personal data, individuals must also register with VERBİS by the applicable deadline.
When assessing the registration obligation of foreign data controllers, the DPA has not taken into consideration the number of employees, annual financial statements or the scope of activities. These criteria apply to Turkish data controllers. The DPA has stated that it is required and sufficient that a foreign data controller processes personal data of data subjects resident/located in Turkey and there seems to exist no de minimis threshold for registration.
If a data controller becomes subject to the registration requirement after the deadlines listed above (as it fulfils the criteria), then it must register with VERBİS within 30 days upon fulfilment of the criteria.
Exemption from the registration requirement does not relieve data controllers of other duties and obligations under the data protection legislation.
How to register with VERBİS?
The registration process is similar for local and foreign data controllers, except that the foreign data controllers must first appoint a representative (veri sorumlusu temsilcisi) for VERBİS-related actions.
a. Data controllers located abroad
- These controllers first appoint a data controller representative, who must be a Turkish citizen resident in Turkey or a Turkish entity. The data controller will adopt a resolution authorizing the representative and this resolution will be submitted to the DPA. The resolution must be apostilled and will be submitted together with its notarized Turkish translation.
- There is a registration form available online, which includes general information on the data controller and the representative. Representative will fill out this form (does not have to wait for the original resolution to be received by the DPA) and print, sign and submit it to the DPA via courier. Alternatively, the form may be submitted to the DPA’s registered e-mail (KEP) through the data controller’s registered e-mail (KEP), if available.
- Upon receipt of the username and password to be sent by the DPA following the review of the registration form, the representative shall appoint a contact person (irtibat kişisi) who must be a Turkish citizen resident in Turkey. This person does not need to be an employee, officer, director etc. of the data controller.
- Appointed contact person will then submit the requested information on VERBİS system. Please see below for further explanations.
- Representative may appoint himself/herself as the contact person in case the representative is an individual.
b. Data controllers located in Turkey
- The process for data controllers located in Turkey is similar, except that they do not have to appoint a representative but only a contact person.
- These controllers will fill out the registration form available online and deliver it to the DPA as explained above.
- Upon review of the registration form, the DPA will send a username and password to the data controller and the data controller will appoint a contact person. This contact person must be a Turkish citizen, however does not need to be an employee, officer, director etc. of the data controller.
- Appointed contact person will then submit the requested information on VERBİS system.
Information to be submitted to VERBIS for registration
Below-listed information is required for VERBİS registration:
- Information regarding the data controller, the representative if applicable, and the contact person
- Purpose of data processing
- Group(s) of data subjects (veri konusu kişi grubu/grupları) and data categories applicable to these data subjects
- Recipients or recipient groups to whom personal data may be transferred
- Personal data that may be transferred abroad
- All necessary technical and administrative measures to provide an appropriate level of security in order to prevent unlawful processing of personal data, unlawful access to personal data, safeguard personal data
- Maximum period of data storage time required for the purposes of processing such personal data or required by the relevant legislation
- Registration with VERBİS is free of charge.
- Data controllers may not appoint more than one contact person.
- Data controllers may change the contact person at any time.
- A person may not be the contact person for more than one data controller at the same time.
- Registration with VERBİS does not need to be renewed annually. However, all changes to the initial registration must be submitted to VERBİS within seven days of the change.