The draft regulation

The Draft Regulation on Data Controller Registry (“Draft Regulation”) was made available by the Data Protection Board (“Board”) for public appraisal and shall be online until 20 May 2017. Any opinions and suggestions can be sent to

The Draft Regulation was prepared based on Article 16 of the Law on Data Protection No. 6698 (“Data Protection Law”). Please click here to access the Draft Regulation. The text is in Turkish only.

Purpose and scope of the draft regulation

According to the Data Protection Law, real persons or legal entities processing personal data shall be obliged to enroll in the Data Controllers’ Registry before they begin processing data. However, the Board may provide an exemption from this obligation to enroll depending on whether or not the data processing activity is required by law or whether or not data will be transferred to third parties, insofar as this can be determined by the Board using objective criteria such as the nature and the number of the processed data.  

Data controllers’ must provide the following information when registering the application:

  • the identity and address of the data controller and its representative, if any;
  • purposes of processing personal data;
  • explanations on categories of data subject and categories of data pertaining to those data subject;
  • the recipient or recipient groups which personal data could be transferred to;
  • explanations on personal data which is considered to be transferred to foreign countries;
  • precautions taken in accordance with the criteria set out by the Board regarding data protection; and
  • the maximum time designated to process of personal data as per the given purpose.

Moreover, the Board under the application form, which is not drafted yet, may ask additional information.


According to the Draft Regulation there will be an internally based information system called VERBIS. Applications to the registry and any operations concerning the data controller registry will be carried out through the VERBIS.


According to the Data Protection Law, data controllers who fail to register shall be subject to an administrative fine of between TRY 20,000 (twenty thousand) and TRY 1,000,000 (one million).