In Decision No. 2025/1572 dated 4 September 2025, the Turkish Data Protection Authority introduced an exemption for data controllers processing sensitive data as part of their main activity from the obligation to register with the Data Controllers Registry (VERBIS) under Law No. 6698 on the Protection of Personal Data, if they qualify as small-scale enterprises. The decision took effect on 1 October 2025 following its publication in the Turkish Official Gazette.

Previously, only organisations with fewer than 50 employees and an annual balance sheet total under TRY 100 million whose main activity did not involve processing sensitive data were exempt from registration. Those mainly processing sensitive data as part of their operations, such as hospitals, clinics or medical centres processing health data, had to comply with the registration obligation without any exception.

With this decision, data controllers whose main activity involves processing sensitive data are now exempt if they:

    • employ fewer than 10 people annually, and
    • record an annual balance sheet total of less than TRY 10 million.

This change means that small-scale healthcare providers and similar organisations that meet these criteria no longer need to register.

However, the exemption applies only to registration. These organisations must still meet all other obligations under Turkish data protection law regarding how they collect, use, and protect personal data.

Share


Legal Information

This briefing is for information purposes; it is not legal advice. If you have questions, please call us. All rights reserved.


You May Be Interested In

Privacy Preference Center