19 Eylül 2023
Obligation to Register to the Data Controllers Registry Information System (Verbis)
Data controllers are required to register with the Data Controllers Registry Information System ("VERBIS") within the scope of the Law Personal Data Protection Law No. 6698 ("Law") and the Regulation on the Registry of Data Controllers ("Regulation"). It is stated in the article 16 of the Law, "Natural or legal persons who process personal data shall register with the Data Controllers' Registry prior to the start of data processing." However, the procedures and principles regarding the obligation to register with VERBIS are determined by the Regulation.
The procedures and principles regarding the VERBIS registration obligation specified in the Law and Regulation and the periods determined for registration are announced by the Personal Data Protection Board ("Board"). With the Board's decision dated 01.03.2021 and numbered 2021/238, data controllers who are under the registration obligation were required to register with VERBIS until 31.12.2021 to cover all data processing processes. In this article, we have discussed the Data Controllers Registry Information System, the persons who are obliged to register with VERBIS, the things to be done during and after registration with VERBIS and the administrative fines to be applied in case of violation of this obligation.
VERBIS and Those Who are Obliged to Register with VERBIS
Data Controllers Registry Information System (VERBIS) is a registration system in which data controllers are obliged to register and declare information about data processing activities. This system contains information on the data processing activities, data processing purposes, and categories of processed data of data controllers.
VERBIS notifications according to the Law and the Regulation consist of;
- Identity and address information of the data controller and his/her representative, if any,
- The purpose for which the personal data will be processed,
- Groups of persons who are data subjects and the categories of data belonging to them,
- The recipient or groups of recipients to whom personal data may be transferred,
- Personal data intended to be transferred to foreign countries,
- Measures taken regarding personal data security,
- The maximum period necessary for the purpose for which the personal data are processed.
The Board records the data processing activities carried out by the data controllers. Verbis is kept "publicly available" under the supervision of the Board. Natural and legal persons who process personal data must register with the Data Controllers Registry (VERBIS) before starting data processing.
Within the scope of the conditions determined by the Law and Regulation, the Board has amended its decision dated 11.03.2021 and numbered 2021/238 with the decision dated 06.07.2023 and numbered 2023/1154 and with the latest amendment, It is decided to extend the deadline for the fulfillment of the registration obligation until 31.12.2021 for;
- The natural and legal person data controllers with more than 50 employees per year or the total annual financial balance sheet of more than TL 100 million TRY and the real and legal person data controllers residing abroad to fulfill the obligation to register in the Register,
- Natural and legal person data controllers whose main field of activity is processing special categories of personal data, although the annual number of employees is less than 50 and the annual financial balance sheet is less than 100 million TRY,
- Public institutions and organizations and professional organizations in the nature of public institutions.
At this point, it is useful to clarify two points.
- The maximum deadlines specified in the decision have already passed due to the fact that the decision was made in 2021. However, this does not mean that the obligation to register with VERBIS has disappeared. The Board is able to identify the data controllers who have not yet registered with VERBIS despite the lapse of the given periods, ex officio or upon complaint and may impose an administrative fine. For this reason, every data controller who has the obligation to register with VERBIS is still obliged to register in the register.
- In the decision dated 11.03.2021 and numbered 2021/238 issued by the Board, it is stated that, "Natural and legal person data controllers whose number of employees is more than 50 per year or whose annual financial balance sheet total is more than 25 million TRY" and "Natural and legal person data controllers whose number of employees per year is less than 50 and whose annual financial balance sheet is less than 25 million TRY and whose main field of activity is the processing of special quality personal data", but then with the decision dated 06.07.2023 and numbered 2023/1154 issued by the Board, the specified amounts have been updated and changed to "Natural and legal person data controllers whose number of employees per year is more than 50 or whose annual financial balance sheet total is more than 100 million TRY" and "Natural and legal person data controllers whose number of employees is less than 50 per year and whose annual financial balance sheet is less than 100 million TRY and whose main field of activity is the processing of special quality personal data".
The data controllers who have the obligation to register with VERBIS determined by the Law and Regulation are as follows:
- Natural and legal persons whose number of employees is over 50 per year or whose annual financial balance sheet total is over 100 million TRY,
- Natural and legal persons residing abroad,
- Natural and legal persons whose number of employees is less than 50 per year and whose annual financial balance sheet total is less than 100 million TRY, but whose main field of activity is the processing the special categories of personal data.
- Public institutions and organizations,
- Doctors, dentists, dieticians, psychologists, psychotherapists, psychoanalysts, physiotherapists, opticians, etc. real persons who provide health services in private practice, pharmacies, hospitals, polyclinics, medical centers, dialysis centers, aesthetic centers, rehabilitation centers, diagnosis-examination and imaging centers, real or legal persons providing paramedical human health services, health service providers, real or legal persons providing services for mental disability or substance abuse persons, professions and institutions such as medical analysis laboratories.
Companies included in the above categories must be registered with VERBIS. As explained above, the fact that the date specified in the decision has passed does not eliminate the obligation to register with VERBIS. Each data controller in this category must first follow the following steps in order to register with VERBIS:
- To create a clear, up-to-date and accurate data inventory including the purpose of data processing, the data category, the groups to which the data is transferred, the maximum retention period after the data is processed, the data to be transferred domestically and / or abroad and the security measures to be taken for data protection,
- If he/she is not resident in Türkiye, to appoint a real person who is a citizen of the Republic of Türkiye residing in Türkiye as a data controller representative,
- Data controllers and data controller representatives residing in Türkiye are required to designate a real contact person to complete, update and keep up-to-date VERBIS registrations.
Exceptions to the VERBIS Registration Obligation
Although VERBIS registration and notification obligation has been mentioned above, in the article 16 of the Personal Data Protection Law, it is also regulated that the Personal Data Protection Board may make an exception to the obligation to register in the Data Controllers Registry System (VERBIS) and those who do not have the obligation to register with VERBIS with the decisions of the Board are listed as follows:
- Those who are included in any data recording system but process data by non-automatic means,
- Notarys
- Those who process personal data from foundations, unions and associations limited to their fields of activity in accordance with the relevant legislation and purposes and only for their own employees, members and donors,
- Political Parties,
- Lawyers,
- Professional accountants and financial consultants and certified public accountants,
- Mediators,
- Custom Brokers,
- Data controllers whose number of employees is less than 50 per year and whose annual financial balance sheet total is less than 100 million TRY, whose main field of activity is not the processing the special categories of personal data.
In accordance with the Regulation on Data Controllers Registry, regarding the obligation to register with VERBIS, it has been stated that the data controllers are obliged to fulfill the obligation to register with VERBIS before starting the data processing and it has been stated that the data controllers who are not under the registration obligation but later become the data controller must register with VERBIS within a period of 30 days following the arising of the obligation.
Thus, data controllers who have submitted their tax returns for the year 2023 are required to fulfill their obligations to register with VERBIS within 30 days if the total assets in the balance sheet attached to the declaration are more than TL 100 million. To explain with a short example; A data controller who has filed his/her corporate tax return on 05.05.2024 will be obliged to register with VERBIS until 05.06.2024 at the latest.
Finally, we can state that the fact that the data controller does not have the obligation to register with VERBIS does not eliminate his/her other obligations under the KVKK.
Representative and Contact Person in VERBIS System
“Data controller is the natural or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data recording system."1 The Data Controller Representative may be a natural or legal person or it is defined as the subject where the legal responsibility is collected to cover all data processing activities.
"The contact person is responsible for ensuring the communication between the data controller and the data subject or the Personal Data Protection Authority."2 It is mandatory to appoint a contact person by the data controller in line with the Law and the Regulation. The contact person is appointed by the relevant data controller via VERBIS. After being appointed by the data controller, the Contact Person can log into the system through the registration section.
To Do After Registration to VERBIS
The information required to be added to VERBIS in the VERBIS registration must be collected up-to-date and accurate before registration. In this process, it is very important that the preparation of the data inventory is prepared by a lawyer who is an expert in the field of KVKK.
Within the scope of the data inventory, the information requested in VERBIS must be added to the system. At this stage; the identity and address information of the data controller and its representative, if any, the purpose for which the personal data will be processed, the groups of persons who are the data subject and the data categories belonging to these persons, the recipient or recipient groups to whom the personal data can be transferred, the personal data foreseen to be transferred to foreign countries, the measures taken regarding the personal data security and the maximum periods required for the purpose for which the personal data are processed must be recorded in VERBIS up-to-date and accurate.
The information recorded for VERBIS registration must be checked regularly by the companies. If there is a change in the data processing activity, the VERBIS registration will also need to be changed. The update must be notified to the Personal Data Protection Authority within 7 days from the date of the change. For these reasons, in case of a change in data processing activities, it is important that the relevant change is made by the data controller or contact person within VERBIS.
Violation of the Obligation to Register with VERBIS
In accordance with Article 18/1-ç of the Law, the current amounts of administrative fines to be imposed in case of violation of the obligation to register in the Data Controllers Registry Information System were published by the Board on 17.01.2023 with an announcement. In line with the announcement published by the Board, if the obligation to register in the Data Controllers Registry Information System is violated, an administrative fine between 189,245.00 TRY and 9,463,213.00 TRY may be issued.
After all; Each data controller who meets certain terms and conditions is obliged to register with VERBIS and if it is determined that the said obligation is not fulfilled, fines in the amounts specified by the Authority may be applied. The data controllers who have the obligation to register with VERBIS must both fulfill the VERBIS registration obligation and maintain the up-to-dateness of the information recorded in VERBIS; It is of great importance in terms of the control of the personal data processing activities of the data controllers and the penalties to be imposed in case of violation of the VERBIS Registration Obligation.
Should you have any queries or need further details, please contact us.
Notification!