Regulation on Data Controller 22 January 2018

Regulation on Data Controller 22 January 2018

Regulation on Data Controller Registry (“Regulation”) is published in the Official Gazette on 30 December 2017.

The Regulation is based upon the Law No. 6698 on Protection of Personal Data (“Law”).

The Purpose and Scope of the Regulation

The purpose of this Regulation is to establish and enforce the procedures and principles regarding the creation and management of the Data Controller Registry which will be kept open to the public.

The scope of this Regulation covers natural and legal persons who are responsible for the establishment and management of the data record system, which determines the processing purposes and means of personal data.

What is Data Controller and Data Controller Registry?

Pursuant to the Law any real person or legal entity who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data recording system is a data controller.

Establishment of a Data Controller Registry (“Registry”) is an obligatory registration system for data controllers to which they shall submit information regarding their or their representatives’ identity and their data processing activities.

The Directorate of Data Management is responsible for the establishment and administration of the registry.

Commencement of the Obligation

-In principle, all data controllers must register with the Registry.

-Data controllers who initially are not obliged to record personal data but becomes responsible for data recording later must register to the Registry in 30 days pursuant to their liability to register.

-Data obligations under the registration obligation must be filed with the Authority in order to fulfill the registration obligations, provided that in case of failure to fulfill the registration obligations due to any actual, technical or legal impossibility, apply in writing to the Authority within 7 working days at the latest after the occurrence of such impossibility, they may request additional time. The Authority may give an additional period of time, not exceeding thirty days in any case.

Application for Registration

-Data controllers are deemed to have fulfilled the registration obligation by uploading the specified information to VERBIS. Application to the Registry and any operations regarding the Registry will be carried out through an information system called VERBİS.

-As stated by the Authority, data controllers that have been granted additional time must complete the registration application before this period is over.


Data controllers who fail to comply with the registry obligation will be subject to an administrative fine between TRY 20,000 and TRY 1,000,000.

Effective Date

This Regulation shall enter into force on 1 January 2018.

Related Links


In the Protection of Personal Data Law “(Law”), the data controllers must register to the Data Controller Registry (“Registry”) within the period determined and announced by the Board and that the Data Controller Registry shall be kept open to the public by the Presidency, can bring an exception.

In this context, it is necessary to announce to the public the publication of the Board’s decision on exceptions to be made to the registry registration obligations, the opening of the Data Controller Registry Information System (VERBIS) being prepared and a start date determined by the Board.

Accordingly, the registration obligation will begin after VERBIS is opened for service and a start date is set by the Board. The necessary announcement will also be made to begin the registration obligation.

Detailed information on the work and transactions to be performed by the other party in accordance with the provisions of the Law and Regulations will be announced on the website of the Authority in the following days.

Related Link