Data Controller Registry Requirement in Turkey
In terms of the private sector, periods regarding the registration obligation has expired as of 31.12.2021 for (i) data controllers located outside of Turkey, (ii) local data controllers having more than 50 employees annually or an annual balance sheet with a value more than TRY 25 million, and (iii) local data controllers whose main field of activity is processing of sensitive personal data.
The Personal Data Protection Board (“Board”) actively monitors data controllers located in Turkey in the light of notifications made to the Social Security Institution and tax offices and imposes administrative fines on data controllers who exceed the thresholds without even warning if they are not registered with VERBIS. The Board also investigates the data controllers located abroad and processing the data of persons located in Turkey and imposes fines on foreign data controllers after asking their reasons for not being registered.
Even if there is a risk of an administrative fine in case of late registration, it is suggested that all data controllers who meet the conditions but have not complied with their registration obligation yet must register to VERBIS as soon as possible to mitigate further risks.
Your Registration Obligation Has Just Begun/May Begin
Data controllers who do not meet the conditions before 31.12.2021 may also become or will become obliged to registration after 31.12.2021.
We suggest that all real and legal persons located in Turkey check the monthly Withholding and Premium Service Declarations and the financial statements attached to the annual income or corporate tax declarations which are provided to public institutions and organizations in 2021 and 2022.
While calculating the employee number and financial data to determine the registration requirement, the following criteria taken into account:
- If the number of employees reported in each of at least 7 of the 12 months in a completed year is more than 50, the registration obligation will begin. The annual number of employees will be calculated according to this criterion. The relevant 7 months are not obliged to be consecutive months either. All real and legal persons who report more than 50 employees in any 7 or more months in the same year are obliged to get registered.
- If the value in the "asset" or "liability" section of the balance sheet submitted/to be submitted in the annex of the tax declaration for a completed year is higher than TRY 25 million, the registration obligation will begin.
One of the two conditions must be met for VERBIS registration obligation to begin for data controllers located in Turkey. The data controllers must closely monitor whether these conditions are met or not in the following years too.
Data controllers, who are not obliged to registration, but later become obliged to registration must register to VERBIS within 30 days of the date they meet one of these conditions.
How can Data Controllers Handle VERBIS Registration?
In brief and primarily, the following must be done for VERBIS registration:
- A clear, updated, and accurate data processing inventory must be prepared as to include information related to the purpose of data processing, data category, the data recipients, and the maximum time period required for the purpose of processing, data to be transferred abroad and measures to be taken for data security.
- Data controllers located outside Turkey must appoint a local data controller representative in Turkey. You may contact us any time for more information about our services to provide local representation for our clients with respect to the registration obligation.
- Data controllers located in Turkey and data controller representatives shall determine a real contact person in order to complete their registration purposes. The contact person shall be a Turkish citizen and resident in Turkey as well. A contact person appointed for one data controller located in Turkey cannot be determined as a contact person for other Turkish resident data controllers. This restriction is not applicable for data controllers located outside Turkey.
Keeping Inventories and VERBIS Forms Updated
In the current situation, all data controllers are required to keep their personal data processing inventories updated, and data controllers who have completed their VERBIS registration before the previous deadline also need to re-evaluate the information submitted to VERBIS within the scope of updates they will make in their inventories.
Keeping the inventory and the information submitted to VERBIS updated is crucial and every new data processing must be reflected in the company’s inventory and updated in VERBIS if it has been registered to VERBIS before. The registration of new data processing periods must also be completed within 30 days from the beginning of the relevant data processing.
In case that a data controller subject to VERBIS registration obligation fails to comply with this obligation and to reflect the updated data processing to the VERBIS form, an administrative fine for 2023 is between TRY 65,856 and TRY 3,293,126.
The higher is the value of total assets shown in the financial statements of the data controllers who fails to comply with their obligations fines, the closer to the upper limit the sanction amount will be as a result of the algorithm used by the Board to determine the amount of fines to be imposed.
We suggest that all data controllers located abroad and processing the personal data of persons located in Turkey and all data controllers in Turkey who exceed the thresholds for the number of employees and the total balance sheet should take action as soon as possible to get registered with VERBIS. Especially, we would like to emphasize that the thresholds do not apply for foreign data controllers and these data controllers are subject to this obligation regardless of the number of employees and balance sheet totals.
Article provided by INPLP member: Begüm Okumuş (Gün + Partners, Turkey)
Dr. Tobias Höllwarth (Managing Director INPLP)