VERBIS IS LIVE!

Turkish Data Controllers Registry's online system VERBIS is live!

The Regulation on Data Controller Registry ("RDCR") was published on December 30, 2017, and came into force on January 1, 2018. Data controllers, who are not exempted by the Data Protection Board ("Board"), can now start their registry with the Data Controller Registry system called VERBIS. (See our article at https://www.ozbek.av.tr/data-privacy-blog/obligation-to-register-with-data-controllers-registry-begins-on-1-october-2018/ for requirements and exemptions.

Type of Data Controller Start Date Deadline
Data controllers who have more than 50 employees or an annual balance sheet total of more than 25 million TL 1 October 2018 30 September 2019
Data controllers residing abroad 1 October 2018 30 September 2019
Data controllers who have less than 50 employees and an annual balance sheet total of less than 25 million TL but their main field of operation is the processing of sensitive (special categories of) data 1 January 2019 31 March 2020
Data controllers that are governmental institutions and organizations 1 April 2019 30 June 2020

There are different entries for Turkish and foreign data controllers. Guidelines for registry explains the process step-by-step. You may see the fundamental requirements to register in our previous informational note: https://www.ozbek.av.tr/data-privacy-blog/obligation-to-register-with-data-controllers-registry-begins-on-1-october-2018/.

1st Step – Confirmation

For confirmation, the data controller (through its signatory authorized personnel), shall fill out an application form by clicking the "Register" ('Kayıt Olun' in Turkish) button. There, the data controller has to choose if it is a domestic person, a foreign person or a public institution, which all require different forms to fill out.

For instance; a foreign data controller has to provide the following information:

  • Official (Trade) Name
  • E-mail address, phone number, address
  • Country
  • Decision date and number appointing the representative of the data controller
  • Data controller representative's ID no. or Tax no. and Tax office
  • Data controller representative's assigned name by the VERBIS system after filling the information above
  • Data controller representative's e-mail address, phone number, address, and KEP address (Turkish Republic registered e-mail address)

After the form is filled out, if the representative has a KEP address, the form will be sent through that address. However; if the representative does not have any KEP address, the form has to be signed, stamped and sent to the Data Protection Board by physical mail. If the data controller has been verified, it will receive a user ID and password to be able to enter VERBIS.

2nd Step – Registration

For the registration, the data controller, its representative or point of contact will enter its username and password onto the website. Afterward, the data controller will be directed to a form, where he/she will input the information of data categories, processing purposes, transferee groups, retention periods, data subject groups, information that will be transferred abroad and data security measures are taken. After the registry is completed, it will be public and may be accessed by anyone using a search bar with related keywords.

Currently, there is only a Turkish guideline and no information of an entry yet. While it is a very important step for the data protection compliance in Turkey, it might still be in its early stages and some data controllers might want to wait and observe VERBIS's progress in the upcoming months.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.