VERBIS Registration in Turkey: Who Must Register and How?

Introduction

VERBIS registration in Turkey is one of the most important compliance obligations under Turkish Personal Data Protection Law. Companies that process personal data in Turkey, foreign businesses targeting Turkish individuals, employers, e-commerce platforms, healthcare providers, technology companies, logistics operators, financial service providers, schools, associations, foundations, and professional service firms may all need to assess whether they are required to register with the Data Controllers’ Registry, commonly known as VERBIS.

VERBIS is not merely an online formality. It is the official public registry system through which data controllers disclose key information about their personal data processing activities. Registration requires a structured legal and operational analysis of processing purposes, data subject groups, data categories, recipient groups, cross-border transfers, data security measures, and maximum retention periods. Under Article 16 of Law No. 6698 on the Protection of Personal Data, natural and legal persons processing personal data must register with the Data Controllers’ Registry before starting data processing, unless an exemption applies.

For businesses, VERBIS registration should be treated as part of a broader KVKK compliance program. A company cannot properly complete VERBIS without first understanding what personal data it processes, why it processes it, where it stores it, who receives it, whether it transfers data abroad, how long it retains data, and what security measures it implements. For this reason, VERBIS registration is closely connected with data inventory preparation, privacy notices, retention policies, data subject request procedures, security controls, and cross-border transfer compliance.

What Is VERBIS?

VERBIS stands for Data Controllers’ Registry Information System. Under the By-Law on the Data Controllers Registry, VERBIS is an internet-accessible information system established and managed by the Presidency of the Turkish Personal Data Protection Authority under the supervision of the Personal Data Protection Board. Data controllers use VERBIS for registration with the Registry and for other Registry-related operations.

The purpose of the Data Controllers’ Registry is transparency. The Turkish Personal Data Protection Authority explains that VERBIS aims to announce who data controllers are and to help individuals exercise their personal data protection rights more effectively.

This public-transparency function is important. A registered data controller’s VERBIS record may reveal processing purposes, data subject groups, data categories, recipient groups, categories of data envisaged for transfer abroad, security measures, and maximum storage periods. The By-Law expressly states that the Registry is kept publicly available and that certain information in the Registry is disclosed to the public.

Legal Basis of VERBIS Registration

The legal basis of VERBIS registration is Article 16 of Law No. 6698. Article 16 provides that the Data Controllers’ Registry shall be kept by the Presidency under the supervision of the Board and made publicly available. The same article states that natural or legal persons who process personal data must register with the Registry before starting personal data processing, subject to exemptions determined by the Board.

Article 16 also lists the information that must be included in a Registry application. This includes the identity and address of the data controller and representative, if any; processing purposes; data subject groups and related data categories; recipients or recipient groups; data envisaged to be transferred abroad; security measures; and maximum storage periods necessary for processing purposes.

The detailed procedure is regulated by the By-Law on the Data Controllers Registry. The By-Law confirms that data controllers must register before starting data processing, that data controllers not established in Turkey must register through their representatives, and that registration information is prepared based on the personal data processing inventory.

Who Is a Data Controller?

Understanding whether an organization is a data controller is the first step in VERBIS analysis. The By-Law defines a data controller as the natural or legal person who determines the purpose and means of processing personal data and is responsible for establishing and managing the data filing system.

In practical terms, a company is usually a data controller if it decides why and how personal data will be processed. For example, an employer determines why employee data is collected and how it is stored. An e-commerce company determines which customer data is needed for membership, payment, delivery, returns, marketing, and support. A hospital determines how patient records are created, used, stored, and disclosed. A SaaS provider may be a data processor for customer data processed on behalf of a client, but it may be a data controller for its own employee, billing, website visitor, and marketing data.

The distinction matters because VERBIS registration is primarily a data controller obligation. A data processor that processes personal data only on behalf of another controller may not be required to register for that processing activity as a controller. However, many companies have mixed roles. A software company may be a processor for customer platform data but a controller for HR data, marketing data, and vendor data. Therefore, each processing activity must be evaluated separately.

Who Must Register with VERBIS?

As a general rule, natural or legal persons who process personal data must register with the Data Controllers’ Registry before starting processing, unless they fall under an exemption.

The registration obligation may apply to Turkish companies, foreign companies, branches, public institutions, professional organizations, healthcare providers, financial institutions, schools, online platforms, employers, associations, foundations, and other organizations that determine the purposes and means of personal data processing.

However, not every data controller is automatically required to register. Article 16 authorizes the Board to provide exemptions by considering objective criteria such as the nature and quantity of processed data, whether processing is laid down by law, and whether data is transferred to third parties.

This means that VERBIS analysis is not limited to asking whether a company processes personal data. A proper assessment should consider employee count, financial balance sheet, main field of activity, whether special categories of personal data are processed, whether data is transferred to third parties or abroad, and whether specific Board exemptions apply.

Current Exemption Criteria for Smaller Data Controllers

The Board has updated certain exemption thresholds over time. Under the 2023 update, data controllers with fewer than 50 annual employees and an annual financial balance sheet total of less than TRY 100 million are exempt from VERBIS registration if their main activity is not processing special categories of personal data.

This exemption is important for small and medium-sized businesses, but it should not be applied mechanically. Both employee number and financial balance sheet criteria must be assessed correctly, and the company’s main activity must not be processing special categories of personal data. If a company’s main activity involves sensitive data, such as health data, biometric data, genetic data, or other special categories, a separate analysis is required.

In 2025, the Board introduced an additional exemption for very small data controllers whose main activity is processing special categories of personal data. According to the Authority’s announcement, natural or legal person data controllers whose main activity is processing special categories of personal data are also exempt if they have fewer than 10 annual employees and an annual financial balance sheet total of less than TRY 10 million.

The Authority later clarified that, for data controllers keeping books on a balance-sheet basis, both the annual employee number and annual financial balance sheet criteria are applied cumulatively; for data controllers that do not keep books on a balance-sheet basis, only the annual employee number criterion is taken into account because annual financial balance sheet information does not exist for them.

Exemptions Do Not Remove Other KVKK Obligations

A common misunderstanding is that exemption from VERBIS means exemption from KVKK. This is incorrect. The By-Law expressly states that derogation from the registration obligation does not remove the obligations of those data controllers under the Law.

Therefore, an exempt company must still comply with KVKK principles and obligations. It must process personal data lawfully and fairly, provide privacy notices where required, identify legal bases for processing, protect data security, respond to data subject applications, manage data retention, delete or anonymize data when necessary, and comply with domestic and cross-border transfer rules.

For example, a small e-commerce company may be exempt from VERBIS because it is below the threshold and does not mainly process special categories of data. However, it still needs a privacy notice, cookie compliance structure, marketing consent records, vendor contracts, security measures, retention rules, and a data subject request procedure.

Foreign Data Controllers and VERBIS

Foreign data controllers require special attention. The By-Law states that data controllers not established in Turkey are obliged to register with the Registry through their representatives before starting data processing.

A representative of a data controller not established in Turkey must be a legal person established in Turkey or a Turkish citizen natural person, authorized at least for the matters specified in the By-Law. These include receiving notifications and correspondence from the Authority, transmitting requests from the Authority to the controller, transmitting controller responses to data subjects where applicable, and performing Registry operations on behalf of the controller.

Foreign businesses should not assume that VERBIS applies only to Turkish-incorporated companies. A foreign e-commerce platform, SaaS provider, mobile application operator, health tourism company, online marketplace, or multinational employer may need to assess whether it is a data controller for processing activities involving individuals in Turkey.

The Board has also addressed the position of Turkish branches of foreign legal entities. In Decision Summary No. 2019/225, the Board stated that if a Turkish branch of a foreign legal entity determines the purposes and means of processing personal data and is responsible for establishing and managing the data filing system, it may be considered a Turkey-based data controller separate from the foreign legal entity. In that case, its registration obligation must be assessed according to the employee number and financial balance sheet criteria.

What Information Must Be Entered in VERBIS?

A VERBIS application must be based on the data controller’s personal data processing inventory. The By-Law states that data controllers under the registration obligation must prepare a personal data processing inventory and that the information to be entered in the Registry application is prepared based on that inventory.

The information entered into VERBIS includes the controller’s identity and address information, representative and contact person information where applicable, processing purposes, data subject groups, data categories, recipient groups, categories of data envisaged for transfer abroad, data security measures, and maximum storage periods.

This means that VERBIS registration is not a simple corporate profile form. A company must first map its real data processing activities. For example, an employer should identify employee data, candidate data, intern data, payroll data, disciplinary records, workplace camera records, health records, occupational safety records, and former employee data. An e-commerce company should identify customer account data, order data, delivery data, payment-related data, support records, marketing data, cookies, seller data, and return/refund records.

Personal Data Processing Inventory and VERBIS

The personal data processing inventory is the backbone of VERBIS registration. Without a proper inventory, the VERBIS entry may be inaccurate, incomplete, inconsistent, or misleading. The By-Law connects VERBIS information directly to the inventory and states that public Registry information based on the inventory is relevant for the obligation to inform, responses to data subject requests, and determining the scope of explicit consent.

A strong inventory should identify the following for each processing activity: data subject group, data category, processing purpose, legal basis, collection method, retention period, recipient group, transfer abroad status, security measures, and responsible business unit.

For example, a company’s HR inventory may list candidate data, employee identity data, payroll data, health data, disciplinary data, workplace camera records, and exit records separately. A customer data inventory may list account creation, order processing, payment, delivery, customer service, marketing, loyalty programs, complaint management, and legal claims separately.

A common compliance mistake is completing VERBIS before preparing a real inventory. This can cause contradictions between VERBIS, privacy notices, internal policies, contracts, and actual data flows.

Public Disclosure and Transparency

VERBIS is publicly accessible. Under the By-Law, public Registry information includes the data controller, representative if any, address and registered email address if available, processing purposes, data subject groups and data categories, recipient groups, categories of data envisaged for transfer abroad, registration and expiration dates, security measures, and maximum storage periods.

This public nature has practical consequences. Customers, employees, regulators, business partners, complainants, and competitors may examine a company’s Registry entry. If the company’s privacy notice says one thing, but VERBIS says another, this inconsistency may weaken the company’s compliance position.

For example, if a privacy notice states that customer data is not transferred abroad but VERBIS indicates categories of data envisaged for foreign transfer, the company may face questions. If VERBIS does not list a recipient group that is clearly used in practice, such as cloud providers or logistics companies, this may also create risk.

VERBIS and Privacy Notices

VERBIS registration should be consistent with privacy notices. Article 10 of KVKK requires data controllers to inform data subjects about the controller’s identity, processing purposes, transfer recipients and purposes, collection method and legal basis, and data subject rights. Article 16 and the By-Law require similar structural information in VERBIS, including processing purposes, data subject groups, data categories, recipients, foreign transfers, security measures, and retention periods.

The practical result is clear: VERBIS, privacy notices, consent forms, data inventories, retention policies, and transfer documentation should speak the same language. A company should not prepare these documents independently from one another. The safest approach is to first create a data inventory, then use it to prepare VERBIS entries, privacy notices, retention schedules, consent texts, and vendor agreements.

VERBIS and Data Retention

VERBIS requires maximum storage periods. Article 16 requires notification of the maximum storage period necessary for the purpose of processing personal data. The By-Law also states that the maximum storage period entered into and published in the Registry is the basis for erasure, destruction, and anonymization obligations.

The By-Law further provides that data controllers must issue a personal data storage and disposal policy to define maximum storage periods, comply with the periods indicated in the inventory, and track whether such periods are exceeded.

Retention periods should not be arbitrary. They should be based on legal obligations, limitation periods, sector-specific rules, contract performance, legitimate operational needs, and data minimization principles. A company should not write “indefinite” or excessively long periods unless a clear legal justification exists.

Updating VERBIS Records

VERBIS registration is not a one-time obligation. The By-Law states that if there is any change in Registry records, data controllers must notify the Authority through VERBIS within seven days from the date of change.

This is very important for companies whose processing activities evolve. A business may launch a new mobile application, start using a foreign CRM tool, introduce biometric access, begin processing health data, outsource payroll, use new advertising cookies, change cloud providers, add new recipient groups, or revise retention periods. If these changes affect VERBIS information, the Registry record should be updated.

Failure to update VERBIS may be treated as acting contrary to Registry and notification obligations. Companies should therefore include VERBIS review in their internal compliance procedures, especially when launching new products, onboarding new vendors, changing HR systems, or implementing cross-border data transfers.

VERBIS Registration and Cross-Border Transfers

VERBIS requires disclosure of personal data envisaged to be transferred abroad.

This requirement became even more important after the 2024 amendments to KVKK Article 9, which introduced a structured cross-border transfer regime based on adequacy decisions, appropriate safeguards such as standard contracts and binding corporate rules, and limited exceptional transfer grounds. In addition, Article 18 now provides an administrative fine for failure to fulfill the notification obligation under Article 9/5 concerning standard contracts.

Therefore, a data controller should not complete VERBIS without mapping foreign transfers. Foreign cloud storage, global HR platforms, CRM systems, parent company access, analytics providers, email marketing platforms, international support teams, and foreign data centers may all need to be considered. VERBIS should be consistent with Article 9 transfer documentation, standard contracts, privacy notices, and vendor agreements.

How to Register with VERBIS

The registration process should begin with a compliance assessment, not with immediate data entry. A practical VERBIS registration project usually includes the following steps.

First, determine whether the organization is a data controller. If the organization determines the purposes and means of processing, it is likely a controller for those activities.

Second, assess whether an exemption applies. This assessment should consider employee count, financial balance sheet, main activity, special category data processing, and applicable Board decisions.

Third, prepare a personal data processing inventory. This inventory should map all data subject groups, data categories, processing purposes, legal bases, recipients, foreign transfers, security measures, and retention periods.

Fourth, prepare or revise privacy notices. VERBIS entries should be consistent with Article 10 notices.

Fifth, determine retention periods and prepare a storage and disposal policy where required.

Sixth, review data transfers, including domestic recipient groups and foreign transfers.

Seventh, enter the required information into VERBIS.

Eighth, assign a contact person or representative where required. For foreign data controllers, registration must be made through the representative structure described in the By-Law.

Ninth, establish an internal update procedure. Any changes in Registry information must be notified through VERBIS within seven days.

Common Mistakes in VERBIS Registration

One common mistake is registering without a real data inventory. This often leads to vague, incomplete, or inaccurate entries.

Another mistake is assuming that VERBIS registration alone equals full KVKK compliance. The By-Law clearly states that registration does not remove other obligations under the Law.

A third mistake is failing to update records after operational changes. New software, new vendors, new data categories, foreign transfers, or biometric systems may require VERBIS updates.

A fourth mistake is treating all companies below a certain size as automatically exempt. The exemption analysis depends not only on employee number and balance sheet but also on whether the main activity involves special categories of personal data and whether updated Board decisions apply.

A fifth mistake is inconsistency between VERBIS and privacy notices. If the privacy notice, inventory, and VERBIS record do not match, the controller may appear non-transparent.

A sixth mistake is failing to assess foreign data controller obligations. Foreign companies and Turkish branches of foreign entities require separate legal analysis.

Administrative Fines for VERBIS Non-Compliance

Article 18 of KVKK provides administrative fines for those who act contrary to the obligations for registration with the Data Controllers’ Registry and notification under Article 16. The same article also provides fines for failure to fulfill the obligation to inform, failure to fulfill data security obligations, failure to comply with Board decisions, and failure to notify standard contracts under Article 9/5.

Administrative fine amounts are updated annually under Turkish law. The Authority states that administrative fines under Article 18 are subject to annual adjustment based on the revaluation rate determined under the Tax Procedure Law, and updated amounts become effective from the beginning of each calendar year.

For companies, the financial risk is only one part of the issue. Incorrect or missing VERBIS registration may also trigger regulatory scrutiny, weaken the company’s defense in data subject complaints, create problems in due diligence, affect commercial contracts, and damage reputation.

VERBIS Compliance Checklist

A strong VERBIS compliance program should include the following steps:

1. Determine whether the organization is a data controller.
2. Identify all processing activities.
3. Prepare a personal data processing inventory.
4. Assess whether VERBIS registration is mandatory or whether an exemption applies.
5. Review employee count and annual financial balance sheet criteria.
6. Determine whether the main activity involves special categories of personal data.
7. Assess foreign data controller or representative obligations.
8. Identify data subject groups.
9. Identify personal data categories.
10. Identify processing purposes.
11. Determine legal bases for processing.
12. Identify domestic recipient groups.
13. Identify cross-border data transfers.
14. Determine maximum retention periods.
15. Identify technical and organizational security measures.
16. Prepare or revise privacy notices.
17. Ensure consistency between VERBIS, privacy notices, inventory, and retention policy.
18. Complete VERBIS registration where required.
19. Establish a seven-day update procedure for changes.
20. Review VERBIS records periodically.

Sector-Specific VERBIS Considerations

E-commerce companies should pay attention to customer data, membership data, order records, delivery data, payment-related information, marketing data, cookies, analytics, call center records, and cross-border transfers through cloud systems and digital marketing tools.

Employers should review employee data, candidate data, payroll records, health data, disciplinary records, camera recordings, biometric access systems, remote work monitoring, payroll providers, occupational health providers, and global HR platforms.

Healthcare providers should treat VERBIS analysis carefully because health data is a special category of personal data and their main activity may involve sensitive data processing. Small healthcare-related businesses should also assess the 2025 exemption for very small data controllers whose main activity is special category processing.

Technology companies and SaaS providers should distinguish between controller and processor roles. A SaaS company may be a processor for customer platform data but a controller for its own employee, billing, analytics, support, and marketing data.

Foreign companies should assess whether they are data controllers not established in Turkey, whether they need a representative, and whether their Turkish branch should be treated as a separate Turkey-based data controller depending on its role in determining processing purposes and means.

Conclusion

VERBIS registration in Turkey is a central element of KVKK compliance. It requires data controllers to publicly disclose structured information about their personal data processing activities, including processing purposes, data subject groups, data categories, recipient groups, foreign transfers, security measures, and retention periods. The legal basis is Article 16 of Law No. 6698, supported by the By-Law on the Data Controllers Registry.

Not every data controller must register. The Board may provide exemptions based on objective criteria, and current exemption thresholds include specific rules for data controllers with fewer than 50 employees and less than TRY 100 million annual financial balance sheet total where the main activity is not special category data processing, as well as a 2025 exemption for very small controllers whose main activity is special category data processing and who meet the fewer-than-10-employees and less-than-TRY-10-million balance sheet criteria.

However, exemption from VERBIS does not mean exemption from KVKK. All data controllers must still comply with privacy notices, lawful processing, data security, retention, data subject rights, breach response, and transfer rules.

For businesses operating in Turkey, the safest approach is to treat VERBIS not as a standalone online registration but as the visible result of a full data protection compliance analysis. A legally sound VERBIS process begins with data mapping, continues with inventory preparation, aligns with privacy notices and retention policies, addresses foreign transfers, and remains updated as business operations change.

A well-prepared VERBIS record strengthens transparency, supports regulatory compliance, improves internal data governance, and reduces the risk of administrative fines and complaints. For any company subject to Turkish data protection law, VERBIS compliance should be managed carefully, documented properly, and reviewed regularly.