Article 16 of the Personal Data Protection Law stipulates that, under the supervision of the Board, the Presidency shall maintain a publicly accessible Data Controllers Registry. Natural and legal persons processing personal data must register in the Data Controllers Registry before starting the data processing activities. The Law also allows the Board to make exceptions to the registration requirement. The article further clarifies that the following details must be provided in the Data Controllers Registry: the identity and address information of the data controller and, if applicable, their representative; the purposes for which personal data will be processed; the categories of data subjects and data categories; the recipients or recipient groups to whom the personal data may be transferred; personal data that may be transferred to foreign countries; the security measures taken for personal data; and the maximum retention period required for processing personal data. Any changes in the above-mentioned details must be immediately notified to the Presidency. On December 30, 2017, the Regulation on the Data Controllers Registry came into effect. The Presidency has established the Data Controllers Registry Information System (VERBIS), and the registry is maintained publicly under the supervision of the Personal Data Protection Board. Data controllers can be queried through VERBIS. According to Article 7 of the relevant Regulation, the following details can be accessed: the data controller, their representative (if any), the address, and the KEP address (if available), the purposes for processing personal data, the data subject groups and the data categories, the recipient groups to whom the personal data may be transferred, and personal data to be transferred to foreign countries. Also accessible are the date of registration and the date of termination, the security measures taken for personal data, and the maximum retention periods for personal data.
The Board, using the authority granted in Article 16 and considering the criteria set forth in Article 16 of the Regulation on the Data Controllers Registry, has introduced exceptions to the registration obligation. In this context, the Board’s decisions, including Decisions 2018/32, 2018/68, 2018/75, and 2018/87, have exempted certain entities from the VERBIS registration requirement. These include: those processing personal data solely by non-automatic means and as part of a data recording system, notaries operating under Law No. 1512, associations established under the Law No. 5253, foundations established under the Law No. 5737, unions established under Law No. 6356, entities processing personal data in line with their specific legal frameworks and limited to their activities concerning their employees, members, supporters, and donors, political parties established under the Law No. 2820, lawyers operating under the Law No. 1136, customs brokers, mediators, certified public accountants, and sworn public accountants operating under the Law No. 3568, and data controllers with fewer than 50 employees and an annual financial balance sheet total of less than 25 million TL who do not process sensitive personal data as their main activity. These entities are exempt from the VERBIS registration obligation. Due to the COVID-19 pandemic, the Personal Data Protection Board issued Decision No. 2020/482 on June 23, 2020, to prevent disruptions in the VERBIS registration system. As per this decision, data controllers with more than 50 employees or an annual financial balance sheet exceeding 25 million TL, and those established abroad, were given until September 30, 2020, to fulfill their registration obligation. Data controllers with fewer than 50 employees and an annual financial balance sheet of less than 25 million TL, but whose main activity involves processing sensitive personal data, were given until March 31, 2021, to fulfill their registration obligation. Similarly, public institutions and organizations were also given until March 31, 2021, to fulfill their registration obligation. Data controllers who were not initially subject to the registration obligation but later become obligated, must register within thirty days after becoming subject to this obligation.
Attorney Yalçın TORUN
© 2025 Torun Law Firm – All Rights Reserved.
This article is protected under the provisions of the Law on Intellectual and Artistic Works (No. 5846). The content, in whole or in part, may not be copied, reproduced, published, or shared on any other website without the prior written permission of the author and Torun Law Firm.
This material may only be shared by licensed attorneys, for professional purposes, without any modifications, and with full attribution to the author and the source.
Any unauthorized use may result in legal and criminal liability.