Mandatory data protection compliance in Turkey: VERBIS registration and enforcement actions

Thursday 19 June 2025

Özlem Kurt
Yönetici Ortak Avukat, Istanbul

ozlem.kurt@kurtgurler.com

Introduction: global companies operating in Turkey must ensure that they are compliant with the Data Protection Law

Companies worldwide that have business activities related to Turkey, engage in data transfers to/from Turkey, or maintain partnerships, branches or subsidiaries within the country must comply with Turkey’s Personal Data Protection Law No 6698 (Kişisel Verileri Koruma Kanunu or KVKK).

Under the KVKK, data controllers, whether based in Turkey or abroad, are required to register with the Data Controllers’ Registry Information System (otherwise known as VERBIS), an online system established by the Personal Data Protection Authority (the ‘KVKK Authority’).

The deadline for the mandatory registration of data controllers expired on 31 December 2021. However, compliance remains a pressing issue, as the KVKK Authority has begun imposing administrative fines not only on companies that have failed to register, but also on those that registered late. Furthermore, penalties are being applied for each year of non-compliance, meaning that companies that have not yet met this obligation continue to face financial and legal risks.

Even foreign companies that transfer personal data from Turkey abroad, such as employee or customer names, contact details or more sensitive categories of personal data, may be fined for failing to meet the VERBIS registration requirements. This obligation applies even to those companies with a minimal presence in Turkey, such as liaison offices with no direct commercial activities. This underscores the strictness of the enforcement of the KVKK compliance framework and the importance of taking immediate action.

In particular, the legislative amendment introduced in Turkey in September 2024 has significantly reinforced the importance of VERBIS registration, especially for companies engaged in cross-border data transfers. The new rules, which are closely aligned with the European Union’s General Data Protection Regulation, require notification to the KVKK Authority via mechanisms such as standard contractual clauses or binding corporate rules. As a result, companies that previously failed to register with VERBIS but now engage in international data transfers are more visible to the KVKK Authority, increasing the risk of administrative fines related to both data transfer compliance and non-registration.

Below, we provide an overview of the VERBIS registration obligations and the legal consequences of non-compliance.

Who must register with VERBIS?

Under Turkish data protection law, the following entities are required to register with VERBIS:

1. Data controllers based in Turkey:

  • those with more than 50 employees;
  • an annual financial balance sheet exceeding TRY 100 million;
  • those processing special categories of personal data, regardless of employee count or financial threshold; and
  • public institutions and organisations acting as data controllers.

2. Data controllers based abroad:

  • all foreign data controllers processing personal data related to Turkey must register with VERBIS, irrespective of their number of employees or turnover.

3. Companies that transfer personal data from Turkey abroad:

  • if your company transfers personal data outside Turkey and qualifies as a data controller, you are required to register with VERBIS.

Strict enforcement and ongoing penalties

The deadline for VERBIS registration was 31 December 2021. Companies that failed to register on time are subject to penalties for each year of non-compliance. Late registration does not exempt companies from fines.

The KVKK Authority has now actively started imposing financial penalties on:

  • companies that failed to register with VERBIS;
  • companies that registered late; and
  • foreign companies, even those with minor operations in Turkey.

Even a foreign company with only one employee in Turkey and no direct commercial activities was fined for a mere two-month delay in registration.

Key risks of non-compliance

Delayed registration does not eliminate liability. Fines are imposed for each year of non-compliance. Companies transferring personal data from Turkey abroad are also subject to VERBIS registration.

While completing registration late may serve as a mitigating factor, the KVKK Authority remains strict on enforcement. Companies must proactively assess their compliance status to avoid financial and reputational damage.

Action plan: how to ensure compliance

It is recommended that companies should take the following steps:

  • assess whether the company qualifies as a data controller under Turkish law;
  • if required, complete VERBIS registration immediately;
  • review the company’s data processing activities related to Turkey and ensure compliance with the KVKK; and
  • consult legal professionals for guidance on fulfilling the company’s data protection obligations.

Similar topics

International Bar Association 2025 © Privacy policy Terms & conditions Cookie Settings Harassment policy

International Bar Association is incorporated as a Not-for-Profit Corporation under the laws of the State of New York in the United States of America and is registered with the Department of State of the State of New York with registration number 071114000655 - and the liability of its members is limited. Its registered address in New York is c/o Capitol Services Inc, 1218 Central Avenue, Suite 100, Albany, New York 12205.

The London office of International Bar Association is registered in England and Wales as a branch with registration number FC028342.