In a move that underscores Turkey’s commitment to supporting economic growth and enterprise development, the country’s Personal Data Protection Board (‘the Board’) recently made a substantial revision to their Data Protection Regulations (‘the Regulation’). The Board announced their decision on 6 July  2023, and presented a significant increase in the monetary threshold for exemption from the Obligation to Register, from TRY 25 million to TRY 100 million. This progressive step could impact the business landscape in Turkey significantly.  

The Board’s prior decision on 19 July 2018 meant that data controllers were eligible for exemption from the Data Protection Controller’s Registry (VERBIS) registration obligation: provided they were “real or legal persons whose primary activity did not involve processing special categories of personal data, with fewer than 50 employees annually, and with a total annual financial balance sheet of less than TRY 25 million.” 

Obligation to register for data controllers in Turkey 

VERBIS requires data controllers to register and declare information relating to their data processing activities in Turkey. It is maintained by the Presidency under the supervision of the Board.  

The obligation to register aims to ensure transparency in the processing of personal data and to create a safer environment for data controllers to comply with the legislation. 

Additionally, pursuant to Law No. 6698 on the Protection of Personal Data, the Personal Data Protection Authority authorises the Board to grant exemptions from the obligation to register with VERBIS. This is based on criteria determined by the Board, such as the nature and quantity of the processed personal data, whether the data processing arises from a legal obligation, or the transferring of personal data to third parties. 

Exemptions to the Obligation to Register

There are several individuals and entities exempt from the obligation to register with VERBIS, including: 

  • Those who process data through non-automated means while being part of any data recording system; 
  • Notaries; 
  • Foundations, unions, and associations, (only if their activities are limited to the relevant legislation and their purposes, and they process personal data solely for their employees, members, affiliates, and donors); 
  • Political parties; 
  • Lawyers; 
  • Independent Accountants and Financial Advisors, as well as Certified Public Accountants; 
  • Mediators; 
  • Customs Consultants; and 
  • Data controllers with fewer than 50 employees and an annual financial balance sheet total of less than TRY 100 million, whose primary activity does not involve processing sensitive personal data. 

Adapting to economic realities

The catalyst for this change was the redefinition of “small enterprise” in the Regulation on the Definition, Qualifications, and Classification of Small and Medium-Sized Enterprises, enacted in May 2023. This redefinition brought small enterprises under the umbrella of businesses with “less than fifty employees and annual net sales revenue or financial balance sheets not exceeding one hundred million Turkish Liras.” 

The Board’s decision recognises the dynamic nature of Turkey’s business landscape, with companies showing substantial growth and expanding their operations. This shift aligns with the economic indicators, acknowledging that the TRY 25 million threshold, set in 2018, no longer adequately represents the financial positions of today’s enterprises. It reflects a commitment to supporting businesses and ensuring that Data Protection Regulations evolve in tandem with economic realities.  

The Impact on data controllers

The update to the threshold has many implications for data controllers operating within Turkey and must now assess whether they meet the updated criteria: 

  • With immediate effect, the new threshold has been effective as of 25 July 2023. 
  • For those data controllers who find themselves newly obligated to register with VERBIS, a 30-day window is provided for ensuring compliance. 

It is important to emphasise that these exemptions and revised thresholds exclusively apply to data controllers resident in Turkey. Foreign data controllers remain subject to the VERBIS registration obligation, irrespective of the number of employees or total annual financial balance sheet.  

Navigating the new changes

Turkey’s growing economy and expansion in business volumes prompted its regulators to update the existing requirements for data controllers. Some see it as a signal of the country’s unwavering commitment to data protection and its efforts to ensure that entities processing personal data within its borders adhere to rigorous compliance standards.  

Ensuring compliance with the updated criteria in this new data protection landscape in Turkey will require careful review of the nuances between the previous and current obligations.  

As a B Corp Data Protection Office, HewardMills is dedicated to assisting clients to address internal data privacy concerns and business practices. If you have any concerns on navigating the update to the criteria concerning the Registration Obligation in Turkey, or any other global data privacy issues, we can support your team. 

If you would like to discuss this topic or anything else data protection and privacy-related, please contact us at dpo@hewardmills.com.