Amendment to the Exemption Criteria Regarding the Obligation to Register with the Data Controllers Registry Under KVKK

Personal data protection legislation in Turkey presents a dynamic structure within the framework of Law No. 6698. One of the most important focal points of this dynamism is the VERBİS (Data Controllers Registry Information System), overseen by the Personal Data Protection Authority. With a decision published in the recent period, the Board has taken a significant step toward amending the exemption criteria regarding the obligation to register with the Data Controllers Registry.

In this bulletin, we will examine the details of the Board’s decision regarding the amendment of exemption criteria and how natural or legal person data controllers should comply with this new process from the perspective of Esenyel & Partners.

VERBİS Registration Obligation and Exemption Criteria

Pursuant to Law No. 6698, natural or legal person data controllers who process personal data must register with the registry before commencing data processing. However, the Board has defined certain exemptions to reduce the administrative burden on businesses. Specifically, the latest update to the exemption criteria for the registration obligation has changed the legal status of many enterprises.

In our analyses as Esenyel & Partners, we observe that the most critical point to consider is the distinction between controllers whose main field of activity involves processing special categories of personal data and those whose does not.

Current Financial Balance Sheet and Number of Employees Thresholds

With the Board’s Decision No. 2023/1154, the financial balance sheet threshold required for the obligation to register with the Data Controllers Registry has been increased. Following the amendment to the exemption criteria, the new table is as follows:

• For data controllers whose main field of activity is NOT processing special categories of personal data, the annual number of employees must be fewer than 50.
• Simultaneously, the annual financial balance sheet total must be less than 100 million Turkish Liras.

If your business’s field of activity is established upon processing special categories of personal data, the registration obligation may continue for natural or legal person data controllers with at least 10 employees or an annual financial balance sheet total of at least 10 million TL. As Esenyel & Partners, we clarify whether our clients fall within the scope of exemption by meticulously auditing processing activities involving special categories of personal data.

Matters to Consider in the Data Controllers Registry Process

The decision to amend the relevant exemption criteria was published in the Official Gazette on July 25, 2023, and entered into force. As of this date, it is critical for companies subject to the obligation to register with the Data Controllers Registry to check their current financial data.

Whether your company’s main field of activity falls into the category of processing special categories of personal data is decisive not only for registry registration but also for the scope of technical and administrative measures to be implemented. When creating personal data protection strategies, focusing solely on VERBİS registration is insufficient; the accuracy of the data inventory is also essential.

KVKK Compliance with Esenyel & Partners

The guidelines and current Board decisions published by the Personal Data Protection Authority serve as a roadmap for data controllers. At Esenyel & Partners, we integrate every new regulation published regarding amendments to exemption criteria into your operational processes.

The registration process for the Data Controllers Registry is not merely a technical data entry; it is a legal declaration. Therefore, it is of vital importance for institutions whose main field of activity is processing special categories of personal data to receive expert legal support during inventory preparation. With our deep experience in sectors where the main activity is processing sensitive data, we provide proactive solutions to prevent our clients from facing administrative fines.

Conclusion

While the financial limit raised as a result of the amendment to the relevant exemption criteria provides convenience for many small and medium-sized enterprises, general obligations regarding the protection of personal data continue. Audits continue more strictly for controllers whose subject is the processing of special categories of personal data.

You may contact Esenyel & Partners to learn whether your company is subject to the current obligation to register with the Data Controllers Registry and to place your KVKK compliance processes on a professional footing.