コンテンツへスキップ
KVKK in practice
Category background for Turkish KVKK in Practice: A Complete Guide to VERBIS Registration
News トルコKVKK

Turkish KVKK in Practice: A Complete Guide to VERBIS Registration

Understanding KVKK requirements and making a VERBIS registration

Elif Merve Demir
Elif Merve Demir
7 min read
Placeholder image

Türkiye’s Personal Data Protection Law (KVKK, Law No. 6698) was enacted in 2016, and it lays out rules for personal data processing that are in many respects similar to the core principles of the EU GDPR. 

One of the requirements of the law is registration with VERBIS, Türkiye’s official digital registry of data controllers. In general, any business which collects or processes personal data in Türkiye (or data relating to people in Türkiye) is deemed to be a data controller and is required to register. 

This article explains:

  • What VERBIS is
  • Who must register with VERBIS
  • How the VERBIS registration process works
  • What happens if you don’t register
    The steps required for foreign companies to meet their obligations under the extra-territorial scope of the KVKK

What is VERBIS and How Does It Work? 

VERBIS (Data Controllers’ Registry Information System) is an online platform operated by the Turkish Personal Data Protection Authority (KVKK Authority) where data controllers register their personal data processing activities. It serves as a public database showing who processes personal data in Türkiye and for what purposes, promoting transparency and compliance with KVKK. Each registration includes key details such as contact information, processing purposes, data categories, transfers, security measures, and retention periods. Individuals can view this information via the “Sicil Sorgulama” (Registry Inquiry) feature on the VERBIS website

Who Must Register with VERBIS 

Not every business is required to register, but most data controllers that handle personal data related to Türkiye must do so. The Law on the Protection of Personal Data (KVKK) and the Regulation on the Data Controllers’ Registry define who must register. 

Data controllers established in Türkiye 

  • Organisations in Türkiye must register with VERBİS if they have more than 50 employees or an annual balance sheet exceeding TRY 100 million. Under the Authority’s exemption decision, controllers with fewer than 50 employees or a balance sheet below TRY 100 million are exempt, provided their main activity does not involve processing special categories of personal data. Controllers above either threshold must register. 
  • For controllers whose main activity is processing special-category data, registration is required if they have 10 or more employees or an annual balance sheet of at least TRY 10 million. They are exempt only if both thresholds are below these limits. This amendment took effect on 1 October 2025 (Decision No. 2025/1572). 
  • Thresholds are assessed annually. If in at least seven of the twelve months of a year the number of employees exceeds the applicable limit (10 or 50), registration is required. These seven months need not be consecutive. Similarly, if either side of the annual financial statement exceeds the relevant threshold, registration is mandatory. 
  • Where a foreign company operates in Türkiye through a branch or liaison office, the Turkish entity must register in its own name. The foreign parent must register separately via its Turkish representative only if it also acts as a controller. Under KVKK, a “data controller” means the natural or legal person who determines the purposes and means of processing personal data. So, each entity that determines the purposes and means of processing must register. 

Data controllers not established in Türkiye 

Foreign organisations that process the personal data of individuals located in Türkiye must register with VERBIS through a data protection representative in Türkiye. This obligation applies regardless of the organisation’s size or the volume of data processed. 

Data controllers transferring data abroad 

If personal data is transferred from Türkiye to another country, this transfer must be declared in the VERBIS registration. Transfers abroad must be declared in the VERBIS form; however, the obligation to register depends on the controller’s establishment status and whether it falls within an exemption. 

How to Complete a VERBIS Registration (Step-by-Step) 

Registering with VERBIS can be completed online. Here’s a simple step-by-step guide to completing your VERBIS registration: 

1. Access the VERBIS Portal 

Go to the official VERBIS system via the KVKK website or directly at verbis.kvkk.gov.tr. You’ll need to create an account or log in. 

  • Turkish companies use their company details to access the system. 
  • Foreign companies access VERBIS through their appointed representative in Türkiye (explained below). 

There is no official VERBIS filling fee charged by the Authority, and registration must be completed before starting to process personal data. It’s designed to be a proactive compliance step, not something to do afterwards. 

2. Assign a Contact Person or Representative 

As part of registration, you must appoint specific roles: 

  • For Turkish companies: An İrtibat Kişisi (contact person) who serves as the point of communication with the KVKK Authority. This person, usually an employee or data protection officer, only liaises with the Authority; they are not personally responsible for compliance. The contact person serves only as a communication point and does not replace or limit the controller’s own legal responsibility. 
  • For foreign companies: A local representative in Türkiye must be appointed. This representative must be a Turkish legal entity or a citizen resident in Türkiye, and they will complete the VERBIS registration on the controller’s behalf. For VERBIS, the representative must be appointed through a board resolution or an authorised-signatory letter that is physically signed (wet-ink), notarised in the controller’s country, and apostilled. The original document must then be sent to the local representative in Türkiye to complete the VERBİS registration. Digital or scanned copies are not accepted for this process. 

3. Prepare and Enter Your Data Processing Details 

Once logged in, the main task is to fill out a structured set of forms describing your personal data processing activities. Beforehand, prepare your internal data processing inventory. This helps ensure accuracy. 

The VERBIS system asks for details under the following sections: 

  • Kişisel Veri İşleme Amaçları (Purposes of Processing) 
  • Veri Kategorileri (Categories of Personal Data) 
  • Veri Konusu Kişi Grupları (Data Subject Groups, e.g. employees, customers) 
  • Alıcı Grupları (Recipient Groups, e.g. IT providers, business partners) 
  • Saklama Süreleri (Retention Periods) 
  • Yabancı Ülkelere Aktarım (Transfers to Foreign Countries) 
  • Veri Güvenliği Tedbirleri (Data Security Measures, e.g. encryption, access controls) 

You’ll select or input the relevant information for each section, mirroring your internal records and retention policy. The form allows you to indicate if something doesn’t apply. Make sure everything is accurate and complete. This information forms your public entry in the registry. 

4. Submit and Confirm Your Registration 

After completing all sections, review your entries carefully. VERBIS shows a summary report for final confirmation. When ready, approve and submit your notification to the Authority through the VERBIS portal. 

If the submission is successful, you’ll see a message confirming that your notification has been received. Once accepted, your status will appear as valid, confirming that your VERBIS registration is complete. 

Your company’s entry will then appear in the public VERBIS registry inquiry section, showing your basic information. You won’t receive a paper certificate. The online entry itself is your proof of registration. Keep a copy or screenshot of the confirmation for your records. 

Remember to update your VERBIS entry whenever your processing activities change. 

What Happens If a Company Doesn’t Register with VERBIS? 

Failing to register with VERBIS is a serious breach of Türkiye’s data protection law . Companies that skip or delay registration face significant administrative fines. For 2025, the range for this type of violation is between TRY 272,380 and TRY 13,620,402, depending on the specific circumstances and annual revaluation by the Authority. The Personal Data Protection Authority (KVKK) can also order the suspension of data processing, though fines are the most common penalty. 

Importantly, this rule is actively enforced. The Authority monitors compliance and has issued fines to both Turkish and foreign companies, including those with only minimal presence in Türkiye. Enforcement began after the initial registration deadline of 31 December 2021, and penalties have been imposed not only for missing registration but also for late or ongoing non-compliance. Continued or repeated non-compliance can lead to additional fines over time.  

How Prighter Supports KVKK Compliance 

For international companies without a physical presence in Türkiye, meeting obligations under the KVKK, such as VERBIS registration, can be challenging. This is where Prighter’s KVKK Representative Service becomes essential. 

Prighter acts as your authorised local representative in Türkiye, a role required by law for foreign data controllers. The team manages the entire VERBİS registration process on your behalf, starting with collecting and organising your data mapping details, guiding you through the notarisation and apostille requirements for the letter of authority, submitting the initial registration, and keeping it updated as your data processing activities evolve. As your representative, Prighter also serves as the main point of contact for both the Turkish Data Protection Authority and any individuals in Türkiye who may contact your company about their personal data. We liaise with the Authority on any queries or investigations and handle communications such as access or deletion requests from data subjects. 

By using Prighter’s service, foreign companies can meet Turkish data protection requirements without opening a local office or dealing with bureaucracy. Prighter’s local expertise ensures smooth compliance, showing your company’s commitment to privacy and building trust with customers and regulators in Türkiye. 

If you would like to discuss your organisation's compliance with the KVKK, book a free consultation with our experts today.

Sources 

  1. Kişisel Verileri Koruma Kurumu (Turkish Personal Data Protection Authority) - VERBİS (Data Controllers’ Registry) 
    https://verbis.kvkk.gov.tr/
  1. Kişisel Verileri Koruma Kurumu (Turkish Personal Data Protection Authority) - By-Law on Data Controllers’ Registry 
    https://www.kvkk.gov.tr/Icerik/6635/By-Law-On-Data-Controllers-Registry
  1. Kişisel Verileri Koruma Kurumu (Turkish Personal Data Protection Authority) -VERBİS with Questions (October 2025) 
    https://verbis.kvkk.gov.tr/sharedFolder/sorularla-verbis.pdf?ts=20251006
  1. KVKK Board Decision No. 2025/1572, published in the Official Gazette on 1 October 2025 (No. 33034) -https://www.resmigazete.gov.tr/eskiler/2025/10/20251001-4.pdf  

About the Author

Elif Merve Demir

Elif Merve Demir

プライバシースペシャリスト

Elifは、Prighterでデータ保護およびデジタルガバナンスのスペシャリストとして活躍しています。
トルコの法学部を卒業後、イギリスにて情報技術および知的財産法のLLM(修士課程)を修了。これまでにトルコとイギリスで、ガバナンスやコンプライアンス業務に携わってきました。その経験を活かし、Prighterではトルコ法に関する取り組みや製品開発をリードするとともに、EUおよびUKのデータ保護・デジタルガバナンスに関するアドバイスも行っています。