Data Protection

Foreign Data Controller Representative Appointment

According to The Turkish Personal Data Protection Law (Law No. 6698, “Law”), natural and legal persons who process personal data are called "data controllers". One of the obligations brought by the Law No. 6698 is the obligation to register with the Data Controllers Registry Information System (VERBIS).

Contact us for more information about the service 

Başında Sıfır olmadan giriniz

Data Controllers’ Registry Information System (“VERBIS”) refers to the information system managed by the Turkish Personal Data Protection Authority, accessible over the internet, that data controllers will use in their application to the Data Controllers Registry and in other related transactions.

Organizations based outside of Türkiye that collect or process personal data of Turkish citizens and/or Turkish and non-Turkish residents in Türkiye must appoint a local data controller representative through that Registry Information System.

The representative must be a Turkish citizen or a Turkish entity. The Turkish Personal Data Protection Authority requires data controllers to notify the Turkish Personal Data Protection Authority of their data processing activities. The representative must apply through the VERBIS. The VERBIS Regulation, which is Turkish Personal Data Protection Law's secondary legislation, only provides for the appointment of a data controller representative who will communicate with the Authority and data subjects.

It needs to be noted that the selection of a representative for social media firms that offer services in Türkiye is subject to similar regulations.

As Sistem Global Consulting Company, we can undertake the representation of data controllers on behalf of companies located abroad. The Data Controller Representative, who will be appointed through our representative service, will assist you in complying with the legislation and implementing the following requirements for you. Within this context, we will: Become the point of contact for the processing of personal data for Turkish nationals and residents in Türkiye, carry out the VERBIS registration, and act as your representative with the Turkish Personal Data Protection Authority.


Data Controller Registry Notification

Before processing personal data from Türkiye, the The Turkish Personal Data Protection Law (Law No. 6698, “Law”) states that all natural persons and legal entities must register with the Data Controller Registry Information System (VERBIS). The registration procedure is free of charge and is performed through an online system.

What Information Should Be Provided During the Application to the Registry?

The following information must be submitted by the data controllers during the registration application; Identity and address information of the data controller and the representative of the data controller, the information in the application form, determined by the Board, the purpose for which personal data will be processed, the explanations about the data subject group and groups and the data categories of these persons, the recipient or recipient groups to whom personal data can be transferred, the personal data which are envisaged to transferred abroad, measures taken concerning the security of personal data as referred in Article 12 of the Law and in accordance with the criteria determined by the Board, maximum storage period of personal data laid down by the legislation or for the purposes for which personal data are processed.

In addition to that in case of any change in the Registry records, data controllers shall notify the Authority through VERBIS within seven days of the date of the change.

What are Our Services about the Registry?

As Sistem Global Consultancy, we are providing consultancy services for determining and reporting the obligations of data controllers residing abroad within the scope of Personal Data Protection Law No. 6698, preparing the necessary information and documents to fulfill these obligations, registering VERBIS. In additionwe support foreign data controllers while conducting correspondence with the Personal Data Protection Authority, answering the applications to be made by the data subjects and other legal processes. We carry out our services with a focus on transparency with the knowledge and approval of data controllers residing abroad for whom we are the representative.

Data Protection Impact Assessment (DPIA) For Local Compliance


A DPIA is a type of risk assessment. It helps you identify and minimize risks relating to personal data processing activities. Before certain types of processing, the EU GDPR (General Data Protection Regulation) and DPA (Data Protection Act) 2018 require you to conduct a DPIA. This ensures that you can reduce data protection risks. For example, if processing personal information is likely to put data subjects' rights and freedoms at risk, you should conduct a DPIA. Also, when implementing new data processing processes, systems, or technologies, you should also conduct one. Although the GDPR applies only to the European Union, many companies based outside the EU but doing business globally are implementing GDPR terms, including DPIA requirements, globally. A DPIA is the responsibility of the "controller," which is the company or organization that determines the purposes and methods of processing data, according to the GDPR. While the Turkish Law on the Protection of Personal Data does not specifically require a DPIA, it does require all necessary technical and administrative measures to provide a sufficient level of security to prevent the unlawful processing of personal data. The law also specifies certain principles that must be followed during all data processing activities. As a result, personal data must be processed lawfully, for specific, explicit, and legitimate purposes, and relevant to, limited to, and proportionate to those purposes. Finally, the Turkish Constitution protects people's right to privacy and their rights to personal data. Also, as result, data controllers are required to refrain from processing personal data in an unlawful manner. Via “DPIA for local compliance” services, we consider the data protection risks of foreign data controllers’ operations in Turkiye. If the operation focuses on a specific sector, we can turn this DPIA to Legal Impact Assessment which we report other regulative risks.


We Keep You, Up To Date On Regulatory Changes On Data Protection

The Turkish Data Protection Authority publishes guidelines to clarify grey areas in practice as well as guidance on data protection issues in Türkiye on a regular basis. A new business model is created daily, new technologies are developed, and the demand for personal data increases.

A vast variety of guidelines and model policies, such as a data processing inventory policy, data retention and destruction policy, and an external facing privacy policy, also released by The Turkish Personal Data Protection Authority to help practitioners comprehend the Turkish Personal Data Protection Authority's implementation of The Turkish Personal Data Protection Law. When you work with us, the compatibility of your business/services /products with Turkish law will be constantly updated and controlled. You will be informed of new legislation, regulations, and decisions within this framework.

As your representative, we will keep you informed without delay if the new laws come into forces or publications of new resolutions.


Subscribe to our E-Bulletin