Draft Regulation on Data Controller Registry


The Draft Regulation on Data Controller Registry (“Draft”) was made available for public consultation on May 5, 2017 by the Data Protection Board (“Board”). The Draft has been prepared as per Article 16 of the Law on Data Protection No. 6698 (“Law”).

The Data Controller Registry (“Registry”) is a mandatory registration system foreseen under the Law, in which data controllers must register information regarding their data processing activities and through which that information is disclosed to the public. The purpose of the Draft is to establish and enforce the procedures and principles regarding the establishment and administration of the Registry and the information and records to be registered.


Pursuant to the Law, any real person or legal entity who determines the purposes and means of processing personal data and who is responsible for the establishment and management of the data recording system is a “data controller”.

In principle, all data controllers must register with the Registry. However, pursuant to the Draft, the Board will determine exemptions from the registration requirement according to the following criteria in respect of personal data processing activities which are not fully or partially automatic:

  • Personal data type,
  • Personal data quantity,
  • Purpose of processing,
  • Field of activity in which the data are processed,
  • Transfer of data to third parties,
  • Whether processing is specifically envisaged under the laws or processing is necessary for compliance with a legal obligation to which the data controller is subject,
  • Data processing [retention] period,
  • Annual turnover of the data controller,
  • Number of employees of the data controller.

If this provision is enacted as proposed, the exemption from the registration obligation will only be applicable to those data controllers whose data processing activities are not fully or partially automatic. This would mean that the Board opts to limit its power given by the Law to determine the exemption criteria solely to a group of data controllers.

The Board will further announce the exemption rules to the public. However, it should be noted that being exempt from the registration obligation will not affect the other obligations of the data controller under the Law.


  • Data controllers must fulfill the registration obligations before the personal data is processed. Data controllers who subsequently become obligated to register are enrolled within 30 days. It is possible to request an additional period once only, by stating the grounds.
  • Data controllers who are residing abroad are also obliged to register with the Registry by appointing a representative. This data controller representative must be a legal entity which resides in Turkey or a real person who is a Turkish citizen.
  • Data controllers residing in Turkey, and data controllers residing abroad that have appointed a legal entity, are obliged to appoint a contact person for registering with the Registry. The contact person is not a representative of the data controller. The sole purpose of the contact person is to manage the communication between the Data Protection Authority and the data controller.
  • Data controllers subject to the registration obligation shall prepare a data processing inventory. A data processing inventory is an inventory generated and detailed by the data controllers for their personal data processing activities, associated with personal data processing purposes, data categories, recipient groups, and data subject groups. Information to be submitted to the Registry must be prepared in line with the data processing inventory.
  • Information to be provided to the Registry:
    • Identity and address information of the data controller and its representative, if any,
    • Information on the application form which will be determined by the Board,
    • Purposes of processing personal data,
    • Explanations on data subject category or categories and data categories belonging to the data subjects,
    • The recipient or recipient groups which personal data could be transferred to,
    • Personal data which might be transferred to foreign countries,
    • Precautions taken in accordance with the criteria set out by the Board regarding data protection,
    • Maximum data processing [retention] periods that data processing purposes require.

Data controllers subject to the registration obligation need to prepare a Retention and Erasure Policy, where data controllers determine the data processing [retention] periods that data processing purposes require.


Application to the Registry and any operations regarding the Registry will be carried out through an information system called VERBIS that will be accessible via the Internet. Data controllers will be deemed to have fulfilled their registration obligation by uploading the above information to VERBIS. In the absence of proper notification, the Data Protection Authority may suspend the processing of personal data until such deficiencies are rectified.


Data controllers who fail to comply with the registry obligation will be subject to an administrative fine between TRY 20,000 and TRY 1,000,000.


According to the Draft, the data controller in the legal entity is the legal entity itself. Data controller’s liabilities within the scope of the Law will be fulfilled by the person or persons indicated in the relevant legislation or by the competent body that represents and binds the legal entity. The competent body representing the legal entity may appoint one or more persons to fulfill the obligations in respect of the application of the Law. This assignment of powers will not release the liability of the relevant body in accordance with the provisions of the Law. The competent body that represents and binds the legal entity cannot transfer its responsibilities to one or more persons within or outside the legal entity or to a member or members for the purposes of enforcement of the Law.

If the Draft is finalized in this way, the boards of directors of companies will not be able to allocate the powers and liability to one of the board members, to an employee who is not a board member (such as a data privacy officer), or to someone outside of the company. The board of directors, as a body, will always be primarily responsible even if it appoints an executive director or a data officer.

The re-evaluation of this provision by the Data Protection Authority and its rearrangement in accordance with the Turkish Code of Commerce will be of great importance for the data controller companies.


  • The Board will review the submitted comments on the Draft and will finalize the Draft.
    • As there is no transition period stipulated by the Draft, the regulation may enter into force on the date of publication without leaving any room for preparation. In that case, if (i) the VERBIS system cannot be made ready by the Data Protection Authority and data controllers therefore cannot register, and/or (ii) the Board does not issue the exemption criteria for registration under art. 17, all data controller companies and data controllers will need guidance from the Board regarding their registration obligations.
  • This is why we recommend, especially to data controller companies, that they:
    • make sure that they follow Board announcements closely,
    • speed up their efforts to prepare the Data Processing Inventory which is mentioned in the Draft and in our announcements dated 6 April 2016 and 7 October 2016.
  • In the event that the preparations for registration are finalized through VERBIS and/or through another means with the guidance of the Board, we recommend that all data controllers
    • who are not qualified to benefit from registration exemptions, in case exemption criteria are determined and announced by the Board,
    • who are processing personal data by fully or partially automatic means

register with the Registry.

For any further queries on the subject matter or for information on our recommendations submitted to the Board regarding the Draft, please contact Selen Gures at sgures@ozbek.av.tr.