The publication below may be out of date due to postponements and recent announcements. Please click here to access the current deadlines for VERBIS registration obligation mentioned in the publication.
Turkish data protection legislation, Law no: 6698 on the Protection of Personal Data (the "Law") came into force on April 7, 2016. Personal data of natural persons resident in Türkiye, which were formerly secured by the Turkish Constitution, started to be protected with this legislation. The framework of personal data, liabilities of natural persons and legal entities and other issues related to personal data has been outlined with this Law.
While the law protects the data of natural persons, it also imposes liabilities on legal entities in this context. Although the persons whose data are protected are required to be resident of Türkiye, there is no requirement for the entities who have an obligation to be a resident/citizen of Türkiye. In other words, who processes the data of persons who meet the conditions of residency, is responsible under the Law and must fulfill the obligations stipulated in the Law.
In this case, obligation for the registration to the Data Controllers' Registry as in the Article 16 of the Law, is brought not only for legal entities resident abroad, but also for legal entities in Türkiye. After that, the details of this obligation were regulated by the Regulation on the Data Controllers' Registry ("the Regulation") and it was explained how the persons resident abroad will register with the Data Controllers' Registry and how they will make a declaration.
Registration and notification obligations are fulfilled by accessing the Data Controllers' Registry online via the Data Controllers' Registry Information System. In practice, this obligation is called VERBIS obligation or VERBIS registration obligation.
This obligation is clearly set out for legal entities residing abroad by stating in the following Article 5/b of the Regulation as "Data controllers non-resident in Türkiye are obliged to register with the Registry through a data controller representative before starting data processing" However, in the Article 11 of the Regulation, the conditions regarding the data controller, data controller representative and contact person are specified and the way and method to be followed for registration to VERBIS are defined.
Before explaining the way and method to be followed, it would be appropriate to examine why and under what conditions this obligation arises.
Territorial Scope
The Article 3/2 of the European Union Data Protection Regulation ("GDPR") regulates the rule of "The law also applies to the processing of the personal data of the data subjects in the union by a controller or processor that is not established within the Union."
Although there is no provision in this context in KVKK, on the basis of reciprocity, our local Law is also accepted by the Turkish Personal Data Protection Authority ("Authority"), which will apply to the processing of data within the borders of Türkiye by non-resident data controllers in Türkiye. Accordingly, data controllers residing abroad must register with VERBIS.
Legal Nature of the Data Controller Representation
Data controller representative is defined in the Regulation as "a legal entity resident in Türkiye or a natural person of the Republic of Türkiye authorized to represent data controllers non-resident in Türkiye for the matters specified in the 2nd paragraph of the Article 11 of this regulation". Based on this definition, the addressee of compensation and penalties arising from the law on the protection of personal data is the data controller, not the representative. However, if the representative has an omission within the scope of general provisions, the data controller will be able to exercise the right of recourse. In other words, the legal nature of the data controller representative should be determined within the framework of the general rules.
Legal Entities That Do Not Have A Branch Establishment or Liaison Office in Türkiye, But Process the Personal Data of Turkish Residents
There are organizations that provide services to Turkish residents from a center abroad without a commercial head office in Türkiye and process the data of these people within this scope of related services. These organizations must appoint a natural person or legal entity who is a resident of Türkiye as a data controller representative and execute the process of registration with VERBIS through this person. Besides, this data controller representative will be the point of contact for the organization to communicate with the Authority and data subjects. For this reason, if the data controller representative is a natural person, it is required to be a Turkish citizen; or if representative is a legal person, the contact person to be appointed by the legal person is required to be Turkish citizen.
Entities Who Use Personal Data for Their Own Purposes Through a Branch or Liaison Office Located in Türkiye or Legal Entities Located Abroad That Manage the Organization's Data Recording System in Türkiye
In the event that some or all of the personal data is transferred to the founder/partner foreign company located abroad and the foreign company uses this data for its own purposes, there is an obligation to register with the Data Controller's Registry Information System ("VERBIS"). These transfers, in general, consist of recordings of all or part of the data of the employees, suppliers and customers of the legal entity in Türkiye to a recording system which is provided and managed by foreign partner. Based on the definition of data controller, although a legal entity resident in Türkiye performs data processing activities, if it is responsible for the establishment and management of the data filing system, the founder/partner legal entity abroad will also be deemed as data controller. In other words, keeping personal data in a filing system by a foreign partner does not constitute a VERBIS registration obligation, the foreign partner must be responsible for managing this data filing system and determine the purposes and means of processing personal data.
In this context, even if the company, both in domestic and abroad, processes data of the same persons, these two data controllers are obliged to register with VERBIS separately.
Within the framework of this statement, a legal entity resident abroad with the identity of a partner or founder of a company in Türkiye must make a declaration by creating a VERBIS registration in any case through a Data Controller Representative. This requirement also applies to data controller legal entity resident in Türkiye, if it meets the annual number of employees stipulated in the related Law, the sum of the financial balance sheet, or one of the conditions of main activity field. The data controller representative may be a company that is the founder or partner of a non-resident organization in Türkiye, or a natural or legal entity completely independent of this organization.
The Procedures of VERBIS Registration for Data Controllers Resident Abroad
With the paragraph 2 of the Article 11 in the Regulation, the provision "a certified copy of the decision to be taken by the competent authority or person of the non-resident data controller for the appointment of a data controller representative in Türkiye is submitted to the Authority by the data controller representative during the registration application" is regulated. Accordingly, the data controller must determine the data controller representative with a decision of appointment and submit it to the Authority as an official document.
The decision of appointment can be made in the form of a decision of the board of directors, as well as by any organ or person of the company authorized to make a decision. The apostilled or notarized version of the decision taken must be sent to the Authority with a wet signature.
Form of Decision of Appointment and Authorizations to be Granted to the Data Controller Representative
The Article 11 of the Regulation on the Data Controllers' Registry clarifies how to make a decision of appointment and the procedures and principles in regards. Accordingly, the data controller resident abroad, must send the decision with wet signature including apostille or notary approval to the Board via regular mail, which is to be taken as described below, before registering with VERBIS. The Board, either approves or rejects the application sent through Registered Electronic Mail (hereinafter referred to as "KEP"), after also evaluating the decision of appointment. (The Authority also accepts applications made through with an application from via Registered E-Mail Services ("KEP") until the deadline of VERBIS Registration) The decision to appoint a data controller representative should be made to cover the following considerations at a minimum:
- Notification or acceptance of notifications or correspondence made by the Authority on behalf of the data controller,
- Forwarding the requests of the Authority directed to the data controller to the data controller and forwarding the response of the data controller to the Authority,
- In case, no other basis has been determined by the Board; receiving applications of the relevant persons on behalf of the data controller and forwarding them to the data controller, in accordance with the first paragraph of the Article 13,
- In case, no other basis has been determined by the Board; forwarding the response of the data controller to the relevant persons, in accordance with the third paragraph of the Article 13,
- Carrying out the works and transactions related to the VERBIS on behalf of the data controller.
Contact Person - The Comparison of DCR - DPO
There are three authorities within the scope of KVKK and GDPR, whose duties and powers are similar to each other. DCR and contact person concepts are included in KVKK, while DPO is included in the GDPR. DCR, as described above, is the person assigned to represent themselves before the Authority by the data controllers resident abroad. While a contact person is a natural person, who is notified by the data controller at the time of registration to the registry for communication to be established with the Authority in relation to the obligations of legal entities resident in Türkiye and the data controller representative of a legal entity who are not resident in Türkiye in accordance with the Law and secondary regulations to be issued based on this Law. The contact person is the person assigned during registration with VERBIS and to communicate with the Authority and has no criminal responsibility liability in this context. For the notification made through VERBIS and other transactions performed by the contact person, the responsibility will again remain with these persons, as the data controller (or his representative if the data controller is abroad) has an obligation to monitor. The contact person will only be the point of contact and will carry out the operation during the declaration to the registry.
If the data processing activity is carried out by a public authority, and the main activity of the data controller and data processor consists of regular and systematic surveillance of large-scale individuals or processing sensitive personal data of a large scale, a DPO must be appointed. A data protection officer can be an employee under the payroll of the relevant organization or can be appointed from outside the organization. The DPO is broadly responsible in terms of authority and obligation, similar to the data controller representative.