In the Paragraph 5 of the Article 12 of Turkish Personal Data Protection Law (KVKK) No.6698, in the event that the personal data processed is obtained by others by illegal means due to a data breach, the data controller shall inform the data subject and the Board as soon as possible.

Due to the activities on personal data processing in Turkey, legal persons which are located abroad;

Legal persons residing abroad,

The branches of legal persons residing abroad,

The liaison offices of legal persons residing abroad

the Turkish Data Protection Board announced a decision no: 2019/225 (“Decision”) in regards with the personal data protection Law numbered 6698, as a result of the examination whether these entities are to be considered as data officers and whether there is an obligation for these entities to submit a record to the Data Responsible Register (“Registry”).

In the event that some or all of the personal data is transferred to the founder / partner foreign company located abroad and the foreign company uses this data for its own purposes, there is an obligation to register with the Data Responsible Register Information System (“VERBİS”). These transfers, in general, consist of recordings of all or part of the data of the employees, suppliers and customers of the legal entity in Turkey to a registration system which is provided and managed by foreign partner. However, keeping only personal data in a registration system by the foreign partner does not constitute VERBIS registration obligation and the foreign partner should use this data for their own purposes.

According to the numbered 2019/265 decision of the Personal Data Protection Board (KVKK) dated 03/09/2019, obligation to register at Data Controllers' Registry ("VERBİS") has been extended until 31.12.2019.