On July 25, 2023, Decision No. 2023/1154 was published in the Official Gazette No. 32259, announcing a significant amendment to the VERBIS registration obligation in Turkey. This decision marks a notable change in the criteria that determine which legal entities are required to register with VERBIS (the Data Controllers’ Registry System).
The amendment specifically focuses on altering the “total annual financial balance sheet” criterion, raising the threshold from 25 million Turkish liras to 100 million Turkish liras. As a result of this modification, legal entities that meet the revised financial criterion are now obligated to register with VERBIS.
This article delves into the implications and significance of the amendment to the VERBIS registration obligation in Turkey, highlighting its potential impact on businesses and data protection compliance in Turkey.
Background on VERBIS Registration Obligations in Turkey
The Data Controllers’ Registry System (VERBIS) is a vital component of Turkey’s data protection regime. Introduced with the implementation of the Turkish Personal Data Protection Law (KVKK) in 2016, VERBIS serves as a centralized database for recording the information of data controllers. It aims to ensure transparency and accountability in data processing activities while safeguarding the rights and privacy of individuals whose personal data is processed.
Before the recent amendment, the primary criterion for determining the obligation to register with VERBIS was based on the “total annual financial balance sheet” of legal entities. Entities with a financial balance sheet of 25 million Turkish liras or more were required to register with the system. However, Decision No. 2023/1154 has now revised this threshold, significantly impacting the scope of VERBIS registration obligations.
Decision No. 2023/1154: Key Points
Decision No. 2023/1154, which was officially published on July 25, 2023, introduces a substantial change to the VERBIS registration obligations. The primary amendment centers on revising the financial criterion, increasing the threshold from 25 million Turkish liras to 100 million Turkish liras. As a result of this modification, legal entities with a total annual financial balance sheet of 100 million Turkish liras or more now fall under the VERBIS registration obligations.
The decision has garnered attention due to the potential impact it may have on businesses and data controllers in Turkey. With the raised financial threshold, more entities may be exempted from the VERBIS registration obligation, potentially reducing the overall number of registered data controllers. This could result in a more streamlined registration process for smaller businesses while still ensuring that larger entities with significant financial capabilities adhere to the data protection regulations.
Implications of the Decision
The decision to increase the financial threshold for VERBIS registration obligations carries several implications for data controllers, businesses, and the data protection landscape in Turkey.
- Compliance for Smaller Entities: With the raised financial threshold, smaller businesses with total annual financial balance sheets below 100 million Turkish liras may no longer be required to register with VERBIS. This could alleviate the compliance burden for these entities, enabling them to focus more on their core operations while still ensuring data protection compliance through other applicable measures.
- Focus on Larger Data Controllers: By increasing the threshold, the decision may result in a more targeted approach towards larger data controllers who possess substantial financial capabilities. This ensures that entities with significant data processing activities and financial resources adhere to data protection regulations and maintain transparency in their practices.
- Data Protection Effectiveness: The decision has sparked debates on its potential impact on data protection effectiveness. While some argue that the raised threshold may lead to a reduction in the number of registered data controllers, others contend that it may strengthen data protection compliance among larger entities that fall within the new criterion.
- Simplified Registration Process: For businesses exempted from the VERBIS registration obligation due to the increased threshold, the registration process is no longer a mandatory requirement. This could lead to a simplified process for smaller entities and may potentially encourage them to adopt best practices voluntarily.
- Enforcement and Penalties: It’s essential to note that the decision does not undermine the importance of data protection compliance. Non-compliance with data protection regulations can still result in severe penalties, regardless of the financial threshold. All businesses, whether required to register with VERBIS or not, must continue to uphold data protection principles and ensure the privacy of individuals’ personal data.
Decision No. 2023/1154, which amends the VERBIS registration obligations in Turkey, signifies a crucial step towards refining data protection practices in the country. By increasing the financial threshold for mandatory registration, the decision aims to strike a balance between promoting compliance among larger entities and relieving smaller businesses from administrative burdens. While its implications may vary for different stakeholders, the underlying objective remains the same – ensuring the protection of individuals’ personal data while fostering a business-friendly environment.
As the decision takes effect immediately upon its publication, legal entities in Turkey must promptly assess whether they now fall under the VERBIS registration obligations. Furthermore, all businesses, irrespective of registration requirements, should remain vigilant in their data protection efforts, understanding that compliance is a continuous commitment towards safeguarding individual privacy and upholding data ethics in the digital age.