Turkey – Data Protection Law and VERBIS Registration Update

Turkey’s data protection framework has been updated through amendments affecting the criteria for registration with the Data Controllers’ Registry (VERBIS). These changes were introduced following decisions of the Personal Data Protection Board and took effect on the 1^st of October 2025.

The updated framework revises exemption thresholds for data controllers, narrowing the scope of mandatory VERBIS registration while maintaining broader data protection obligations under Turkish law.

Regulatory Background

The Personal Data Protection Board issued Decision No. 2025/1552, dated the 4^th of September 2025, which introduced revised criteria for determining whether data controllers are required to register with VERBIS.

Under the updated rules:

• General data controllers with fewer than 50 employees and an annual financial balance sheet total below TRY 100 million are exempt from VERBIS registration.
• Data controllers whose main business activity involves processing special categories of personal data are exempt where they have fewer than 10 employees and an annual financial balance sheet total below TRY 10 million.

Despite these exemptions, all data controllers remain subject to the substantive obligations set out under Turkey’s data protection legislation, including data processing, security, and transparency requirements.

Applicability and Registration Criteria

A data controller is required to register with VERBIS if it meets either of the following conditions:

1. Employs more than 50 employees in the relevant scale year and/or has an annual financial balance sheet total exceeding TRY 100,000,000; or
2. Has a primary business activity consisting of the processing of special categories of personal data, employs more than 10 employees, and has an annual financial balance sheet total exceeding TRY 10,000,000.

Clarification on Financial Thresholds

Under Decision No. 2025/2393, dated the 25^th of December 2025, the Personal Data Protection Board clarified the application of the financial balance sheet criterion:

• Data controllers maintaining balance sheet books must consider both employee numbers and financial balance sheet thresholds.
• Data controllers not maintaining balance sheet books are assessed solely on employee numbers.

Compliance Deadlines

No deferred implementation date or transition period has been provided. Data controllers falling within scope are expected to comply with the revised requirements immediately.

Required Actions

Entities should:

• Assess whether they meet the revised VERBIS registration thresholds
• Review and structure their data controller profile and processing activities accordingly
• Prepare and update VERBIS registration entries and related documentation where registration is required

Where registration applies, companies should ensure a Turkish Registered Electronic Mail Account (KEP address) is in place and that supporting documentation, including employee records and financial information, is readily available.

Risks of Non-Compliance

The Turkish Data Protection Authority may impose administrative fines for non‑compliance with data protection obligations, including:

• Failure to register with VERBIS: TRY 20,000 to TRY 1,000,000
• Failure to fulfil information obligations toward data subjects: TRY 5,000 to TRY 100,000
• Inadequate data security measures: TRY 15,000 to TRY 1,000,000
• Non‑compliance with Board decisions: TRY 25,000 to TRY 1,000,000

How Mercator^® by Citco (Mercator) Can Help

Mercator can assist with:

• Assessing VERBIS registration obligations under the revised framework
• Managing VERBIS registration and ongoing compliance
• Supporting the establishment of a Turkish Registered Electronic Mail Account (KEP)
• Preparation and filing of required documentation

For assistance, please contact mercator@citco.com.