05 Dec, 2020

VERBIS Registration Process in the Pandemic Period

As we have stated in our previous notifications, as it is known, the dates required to be registered in the Data Controllers Registry (Registry) of natural and legal persons processing personal data according to the Law on Protection of Personal Data (Law) No. 6698 have been announced by the Personal Data Protection Board (Board). Finally, it was approved by the Board's decision dated 01.10.2020 and numbered 2020/760 to notify the data controllers, who have not fulfilled their obligation to register, in a letter.

It has been observed that the aforementioned letter has been sent to the data controllers in the direction previously announced by the Board, and a 30-day period has been given to the data controllers with the letter. The following points are highlighted in the article:

  • “… According to the 2019 data obtained from the Ministry of Treasury and Finance by our Presidency, it has been determined that you have not applied for registration with VERBIS, although your annual number of employees is more than 50 or your annual financial balance sheet total is more than 25 million TL. Based on this determination, the Personal Data Protection Board As a result of the examination and evaluation carried out by our Company, if you meet the criteria of "more than 50 employees per year" or "total annual financial balance of more than 25 million TL" according to 2019 data, it is notified that you must fulfill your obligation to register in the Data Controllers Registry, It has been decided to give you thirty days from the date of sending this letter for you to

As can be seen, the Board has notified the data controllers, who are required to register VERBIS according to the 2019 data, shortly before the end of 2020. We think that the remarkable part of this notification is that although the Board made this notification based on the data it received from the Ministry of Treasury and Finance, the data controller was given the opportunity to object to the article by saying "if you meet the criteria" and to report that this determination is incorrect.

It has been reported by the Board in the past that the size of the financial balance sheet should be considered as “turnover”. Although we have not yet received any difference in interpretation on this matter, it is possible for both the financial balance sheet and the turnover to decrease or increase within the year. Especially in the current pandemic conditions, the situation becomes more complicated when the fact that the financial size of the data controllers and the number of employees are reduced.

As is known, the relevant part of the Board's decision dated 19.07.2018 and numbered 2018/87 is as follows;

  • “… Considering Article 16 of the Regulation on Data Controllers Registry titled “Exception Criteria”; In addition to the data controllers exempted by the Board Decision dated 02.04.2018 and numbered 2018/32, natural or legal person data controllers whose annual number of employees are less than 50 and whose annual financial balance sheet total is less than 25 million TL, the main field of activity is special quality personal data controllers. those who do not process data; Exemption from the obligation to register with the Data Controllers Registry…”

The Board has stated that it will consider the "annual" numbers in our opinion, since it is not possible to determine the number of employees or the financial size at any given time. However, even the decision taken to clarify the relevant provision of the Regulation needs explanation and clarification. Especially, 2019 data is open to discussion since the last day for VERBIS registrations is in 2020.

Although the financial years of the companies may vary, we believe that the relevant company's own financial year should be taken into account in terms of financial size.

At this point, we would like to remind you of the 3rd paragraph of Article 8 of the Regulation on the Data Controllers Registry;

  • “(3) Data controllers under the registration obligation, in case their registration obligations cannot be fulfilled due to any actual, technical or legal impossibility, shall apply to the Authority in writing within 7 working days at the latest from the date of the emergence of this impossibility, and on condition that they state the reason, they shall fulfill their registration obligations. They may request additional time from the Institution to fulfill their obligations. The Institution may grant an additional period of time only once and not exceeding thirty days in any case.”

In other words, if there is a real obstacle to registration, it seems possible to request an additional thirty-day period from the Board. It is thought that it may be possible to request that you are within the scope of the exemption in terms of financial size and number of employees, together with the request for this period.


To request a quotation for the following: Cyber Security, Digital Transformation, MSSP, Penetration Testing, KVKK, GDPR, ISO 27001 and ISO 27701, please click here.

About Content:
Share on Social Media:
Facebook
Twitter
LinkedIn
Telegram