Bezen & Partners | News

Turkey: The Turkish Personal Data Protection Board's Decision On The Registration Liability Of The Data Controllers' Registry


The Personal Data Protection Law numbered 6698 (the "PDPL") provides that data controllers which are subject to the PDPL must register with the Data Controllers' Registry ("VERBIS") provided that they are not exempt from such obligation according to the decisions of the Turkish Personal Data Protection Board (the "Board") numbered 2018/32, 2018/75 and 2018/87. However, there were ambiguities concerning the scope of such obligation for legal entities registered outside of Turkey and branches and liaison offices of such legal entities in Turkey. The Board has clarified the status of such establishments to a certain degree in its decision dated 23 July 2019 and numbered 2019/225 (the "Decision").


The PDPL defines a data controller as "a natural person or a legal entity responsible for defining the purposes and methods of processing personal data and establishing and managing the data entry system". Accordingly, the status of the branches and liaison offices which carry out the responsibilities stated above in relation to personal data has been an outstanding question.

The Decision

The Board has clarified in the Decision that the Turkish branches of legal entities registered outside of Turkey must be considered data controllers in the terms of the PDPL provided that such branches are responsible for defining the purposes and methods of data processing and the establishment and management of the data entry system. Accordingly, branches established in Turkey that meet the above criteria must register with VERBIS, provided that there are no exemptions applicable for such branch.

In contrast, the Board has concluded that liaison offices must not be considered data controllers in the terms of the PDPL and are therefore not obliged to register with VERBIS. The Board concluded that the reason for such exemption is that liaison offices cannot carry out any commercial activity in Turkey but rather carry out only marketing and feasibility research operations.

The Board has also set out in the Decision that the entities established abroad and carrying out personal data processing activities in Turkey directly or via their branches are qualified as data controllers under the PDPL and must register with VERBIS, if certain criteria are met. However, the status of data controllers which are established abroad and obtaining personal data directly from Turkey, but processing such data abroad still remains ambiguous.

Article by Murat SoyluZekican SamlıBerfu Öztoprak and Ufuk Söğüt

Bezen & Partners