Follow us :
KVKK & Compliance

VERBİS 2026: The 100M TRY Threshold and the 7-Day Update Rule

Corporate data registry and compliance process — Xen Bilişim KVKK & Compliance

Most companies filled in VERBİS once, filed the confirmation screenshot, and moved on. VERBİS is Türkiye’s Data Controllers’ Registry Information System, the public register that every in-scope organisation must maintain under KVKK, the country’s personal data protection law. Years later the contact person named in that record has left the company, the mail server has moved to the cloud, and a fingerprint reader has appeared at the turnstile. The registration still exists on paper. In practice the obligation is being breached, because what the registry says no longer matches reality.

Then there is the threshold question. Plenty of guides still quote “25 million TRY.” That figure changed in 2023.

Who must register in 2026?

The Board revised the exemption criteria with decision 2023/1154, raising the annual balance sheet threshold from 25 million to 100 million TRY. Decision 2025/1572, dated 4 September 2025, added a separate threshold for controllers whose core business is processing special categories of personal data.

Data controllerRegistration required?
More than 50 employees or annual balance sheet total above 100M TRYYes
Core business is special category data; fewer than 10 employees and balance sheet under 10M TRYNo, exempt
Core business is special category data; above those thresholdsYes
Controllers established outside TürkiyeYes, regardless of size
Public institutionsYes

Note that the two criteria are joined by “or.” A forty-person company saying “we’re an SME, this doesn’t apply to us” loses that argument the moment its balance sheet crosses 100 million TRY.

Decision 2025/2393, issued in December 2025, settled the point that caused the most confusion in practice: for controllers that do not keep balance-sheet-based accounts, only the employee headcount test applies. If you use simplified (cash-basis) bookkeeping, you have no “annual balance sheet total” to measure in the first place.

For companies that cross the line on the balance sheet rather than headcount, the Authority sets a separate filing window each year. Corporate taxpayers that became liable on the basis of their 2025 financial year had until 5 June 2026. That date has passed. If your 2025 balance sheet exceeded 100 million TRY and you still have not registered, the delay is an ongoing breach right now.

Registering once does not close the file

Article 13 of the Regulation on the Registry of Data Controllers is short and unambiguous: where registered information changes, the change must be reported through VERBİS within seven days of the date it occurred.

Not thirty days. Seven. I keep seeing thirty quoted in compliance write-ups; the regulation contains no such period.

The triggers I run into most often:

  • The contact person left. The name in VERBİS may belong to an HR manager who resigned three years ago. Official notices, breach correspondence and complaint files all route through that person.
  • You switched providers. Moving an on-premises Exchange server to Microsoft 365 changes your recipient groups and your cross-border transfer declaration.
  • A new data category appeared. A fingerprint reader on the turnstile, audio recording added to CCTV, a health report requested during hiring. Some of these are special category data, which can even move your threshold calculation.
  • Retention periods were revised, or the company name, address or tax details changed.

None of these count as a new registration. They are updates to an existing one, and the clock is still seven days.

One of the first places an investigation looks

When a complaint or a breach notification reaches the Authority, your VERBİS record is among the first pages opened. If the technical and organisational measures you declared there do not match what is actually deployed, that gap becomes a documented inconsistency working against you. You cannot declare “access logs are retained” and then present a server that keeps no logs.

Here are the 2026 amounts, after the 25.49% revaluation rate:

Breach2026 administrative fine
Duty to inform (Art. 10)85,437 – 1,709,200 TRY
Data security obligations (Art. 12)256,357 – 17,092,242 TRY
Failure to comply with a Board decision (Art. 15)427,263 – 17,092,242 TRY
Registry and notification obligation (Art. 16)341,809 – 17,092,242 TRY

The VERBİS line starts at 341,809 TRY. Measured against a maintenance job that takes a few hours a year, the trade is a bad one.

Frequently asked questions

We have fewer than 50 employees but our balance sheet passed 100M TRY. Do we register? Yes. The criteria are joined by “or” — crossing either one is enough.

Do branches register separately? No. The data controller is the legal entity itself. Registration happens at company level, not branch level.

Can the contact person legally represent the company? No. The regulation states this explicitly: the contact person only handles communication with the Authority and does not represent the data controller. Keeping their details current is still your responsibility.

We dropped below the threshold mid-year. Can we deregister? A deletion request can be submitted through VERBİS, but it is subject to the Authority’s assessment. Do not simply abandon the record and assume it lapses.

What to check this week

Log into VERBİS and verify the contact person’s details. Compare the suppliers, cloud services and cross-border transfers that changed in the last 12 months against what the registry declares. Confirm that the data categories in your personal data inventory match what the system holds. If even one item is off, that seven-day clock has already started running.

If you would like to review your VERBİS record and your personal data inventory together, get in touch.

Share this post
Türkçe oku

Related Posts