Key Decision by the Personal Data Protection Authority for the Data Controllers

Key Decision by the Personal Data Protection Authority for the Data Controllers and Data Processors was published in the Official Gazette dated 1 October 2025 and numbered 33034. Take a look at the full text from here. That is regarded as a core decision dedicated to absorbing the core obligations of data controllers in accordance with the Personal Data Protection Law No. 6698 (hereinafter as the Law No. 6698).

Table of Contents

Introduction

A Key Decision by the Personal Data Protection Authority for the Data Controllers and Data Processors was published in the Official Gazette dated 1 October 2025 and numbered 33034. The said decision introduced an important criterion to understand the core responsibilities of data controllers.

What is the main administrative body for data protection in Turkey?

The Personal Data Protection Authority is established with a view to ensuring the protection of personal data and developing awareness in line with the fundamental rights related with privacy and freedom stated in the Constitution.

What is the right to privacy in Turkey?

The right to respect for private life is enshrined in the Turkish Constitution. Article 20 provides that everyone has the right to respect for their private and family life and establishes the principle that the confidentiality of private and family life is protected, subject to the conditions and limitations set out by law.

For more information about the protection of the right to privacy see our article on The Right to Data Privacy and Respect for Private Life

What is Turkish data protection law?

The Personal Data Protection Law No. 6698 constitutes the principal legal framework governing the protection of personal data in Türkiye. The primary purpose of the Law, as set out in Article 1, is to regulate the processing of personal data by safeguarding the fundamental rights and freedoms of individuals—particularly the right to privacy—and by establishing the principles, obligations, and procedures applicable to natural and legal persons engaged in personal data processing activities.

What is the meaning of processing of personal data?

In accordance with Article 2 of the Law No. 6698, “processing of personal data” means any operation which is performed on personal data, wholly or partially by automated means or non-automated means which provided that form part of a data filing system, such as collection, recording, storage, protection, alteration, adaptation, disclosure, transfer, retrieval, making available for collection, categorization, preventing the use thereof.

Overview of the Key Decision by the Personal Data Protection Authority for the Data Controllers

A Key Decision by the Personal Data Protection Authority for the Data Controllers and Data Processors was published in the Official Gazette dated 1 October 2025 and numbered 33034.

That decision was delivered for the identification of data controllers on their VERBIS registration obligations. In this context, taking into account objective criteria to be determined by the Board, such as the nature and volume of the processed personal data, whether the data processing arises from a legal obligation, or whether the data are transferred to third parties, the Board took an initiative by granting exemptions from the obligation to register with the Data Controllers’ Registry. According to the amended criteria developed by the Board Decision dated 04.09.2025 and numbered 2025/1572,

natural or legal person data controllers employing fewer than 50 employees annually and having an annual financial balance sheet total of less than TRY 100 million, whose main field of activity does not involve the processing of special categories of personal data, as well as natural or legal person data controllers whose main field of activity involves the processing of special categories of personal data but who employ fewer than 10 employees annually and have an annual financial balance sheet total of less than TRY 10 million.”

What are the essential criteria for VERBIS registration under the key decision by the Personal Data Protection Authority for the Data Controllers ?

There are two main criteria for understanding if the data controller concerned is responsible for VERBIS registration or not.

  • Provided that main business activity does not involve the processing of special categories of personal data, as clearly defined in Article 6 of the Law No.6698, and provided that employment of fewer than 50 employees annually and having an annual financial balance sheet total of less than TRY 100 million, they do not responsible for VERBIS registration.
  • Even if the relevant activity covers the processing of  special categories of personal data, the employment number is less than 10 and annual budget is less than TRY 10 million the data controller can benefit from the exceptional clause about VERBIS registration.

Conclusion

To conclude, the key decision by the Turkish Data Protection Authority for Data Controllers will play a significant role upon identifying the legal borders of obligations about data controllers. The decision looks  a little complicated but fundamental perception is to make most data controllers benefit from the exceptional clause.

Leave a Comment

Your email address will not be published. Required fields are marked *