Partner
Analysis & trends
VERBIS Exemption for Micro Enterprises Introduced by the Personal Data Protection Board
The Turkish Data Protection Board (“DPA”) has introduced exemption criteria regarding the obligation to register with the Data Controllers Registry (“VERBIS”) as stipulated under Article 16 of the Personal Data Protection Law. These exception criteria – originally acted by the decision dated 19.07.2018 and numbered 2018/87 and subsequently amended with the decision dated 06.07.2023 and numbered 2023/1154 – have been updated by a new the decision of the DPA dated 04.09.2025 and numbered 2025/1572, published in the Official Gazette dated 01.10.2025 and numbered 33034.
UPDATED EXCEPTION CRITERIA
With this update, a new exemption has been introduced for data controllers in the micro-enterprise category whose main activity involves the processing of sensitive personal data. In this context, it has been decided that data controllers meeting the criteria listed below shall be exempt from the obligation to register with VERBIS:
“Natural or legal persons acting as data controllers whose main activity is the processing of sensitive personal data, but who have fewer than 10 employees and an annual balance sheet total of less than 10 million Turkish Liras.”
The VERBIS registration exemption criteria introduced by previous decisions of the DPA, which are applicable for natural or legal persons acting as data controllers whose main activity is not processing sensitive personal data, having fewer than 50 employees and an annual balance sheet total of less than 100 million Turkish Liras, remain unchanged. Accordingly, data controllers meeting these criteria will continue to be exempted from the VERBIS registration obligation.
ASSESSMENT
The rationale for this change is explained in an announcement published on the DPA’s website and is primarily based on the fact that data controllers falling within the micro-enterprise threshold under the Small and Medium-Sized Enterprises Regulation have limited personnel and financial resources, and therefore do not have sufficient employment opportunities in legal and information technology matters and process a limited amount of personal data compared to other data controllers. To that end, this regulatory change is aimed at reducing the administrative and financial obligations of micro-scale healthcare institutions, such as dental clinics and pharmacies, which operate with limited capacity, in their compliance processes regarding data protection.