VERBIS Registration-Navigating VERBIS Compliance in Turkey
Navigating VERBIS Compliance in Turkey: Data Protection Obligations for Global Companies Under the KVKK

Navigating VERBIS Compliance in Turkey: Data Protection Obligations for Global Companies Under the KVKK
Global companies conducting business activities in Turkey, engaging in data transfers to/from Turkey, or maintaining partnerships, branches, or subsidiaries within the country are legally bound to comply with Turkey’s Personal Data Protection Law No. 6698 (KVKK). This law has a broad scope, encompassing data controllers located both within Turkey and abroad.
What is VERBIS and Why is it Crucial?
Under the KVKK, data controllers are mandated to register with the Data Controllers’ Registry Information System (VERBIS), an online platform established by the Personal Data Protection Authority (the ‘KVKK Authority’). While the deadline for VERBIS registration expired on December 31, 2021, compliance remains a paramount concern. The KVKK Authority has been actively imposing administrative fines not only on companies that failed to register but also on those that registered late. Furthermore, penalties are applied for each year of non-compliance, meaning that companies yet to fulfill this obligation continue to face significant financial and legal risks.
Cross-Border Data Transfers and Heightened Scrutiny
Even foreign companies that transfer personal data from Turkey abroad—such as employee or customer names, contact details, or more sensitive categories of personal data—can face fines for failing to meet VERBIS registration requirements. This obligation applies even to companies with a minimal presence in Turkey, such as liaison offices without direct commercial activities. This underscores the strict enforcement of the KVKK compliance framework and the urgent need for immediate action.
Notably, a legislative amendment introduced in Turkey in September 2024 has significantly reinforced the importance of VERBIS registration, especially for companies involved in cross-border data transfers. The new rules, closely aligned with the European Union’s General Data Protection Regulation (GDPR), mandate notification to the KVKK Authority through mechanisms like standard contractual clauses or binding corporate rules. Consequently, companies that previously failed to register with VERBIS but now engage in international data transfers are more visible to the KVKK Authority, increasing their risk of administrative fines related to both data transfer compliance and non-registration.
Below, we provide an overview of the VERBIS registration obligations and the legal consequences of non-compliance.
Who Must Register with VERBIS?
Under Turkish data protection law, the following entities are required to register with VERBIS:
Data Controllers Based in Turkey:
Those with more than 50 employees.
Those with an annual financial balance sheet exceeding TRY 100 million.
Those processing special categories of personal data, regardless of employee count or financial threshold.
Public institutions and organizations acting as data controllers.
Data Controllers Based Abroad:
- All foreign data controllers processing personal data related to Turkey must register with VERBIS, irrespective of their number of employees or turnover.
Companies that Transfer Personal Data from Turkey Abroad:
- If your company transfers personal data outside Turkey and qualifies as a data controller, you are required to register with VERBIS.
Strict Enforcement and Ongoing Penalties
The deadline for VERBIS registration was December 31, 2021. Companies that failed to register on time are subject to penalties for each year of non-compliance. Late registration does not exempt companies from fines.
The KVKK Authority has now actively started imposing financial penalties on:
Companies that failed to register with VERBIS.
Companies that registered late.
Foreign companies, even those with minor operations in Turkey.
There have been instances where even a foreign company with only one employee in Turkey and no direct commercial activities was fined for a mere two-month delay in registration.
Key Risks of Non-Compliance
Delayed registration does not eliminate liability. Fines are imposed for each year of non-compliance. Companies transferring personal data from Turkey abroad are also subject to VERBIS registration.
While completing registration late may serve as a mitigating factor, the KVKK Authority remains strict on enforcement. Companies must proactively assess their compliance status to avoid financial and reputational damage.
Action Plan: How to Ensure Compliance
It is strongly recommended that companies take the following steps:
Assess whether the company qualifies as a data controller under Turkish law.
If required, complete VERBIS registration immediately.
Review the company’s data processing activities related to Turkey and ensure full compliance with the KVKK.
For more information info@ozmconsultancy.com






