With the DCR Service, we offer you more scalable approach than hiring an in-house staff. The DCR outsourcing service provides compliance to business-owners by accessing to skilled and experienced professionals, in personal data protection requirements.

Organizations located outside of the Turkey which collects or processes personal data of Turkish citizens and/or Turkish and non-Turkish residents in Turkey, are required to assign a local data controller representative (DCR). The representative must be a Turkish citizen, resident of Turkey or a Turkish entity. Turkey’s personal data protection legislation (KVKK) requires data controllers to notify the Turkish Data Protection Authority regarding their data processing activities. The representative must complete Data Controllers' Registry Application (VERBIS). Thus, the representative must appoint a contact person who must be a Turkish citizen residing in Turkey. The data controller representative can be the contact person who is appointed via the online VERBIS system.

Through our representative service, the Data Controller Representative to be appointed will assist you in complying with the Legislation while implementing the following requirements for you. Within this scope, we are going to:

1) Act on your behalf as the representative with Turkish Data protection authorities

The Data Controller Representative (DCR) to be appointed acts as a bridge as your point of contact with the relevant authority. While transmitting the requests to you by the Personal Data Protection Board, the DCR carries out all the necessary communication with the Board on your behalf as well.

2) Become the contact point on personal data processing activities for the Turkish citizens and residents in Turkey

The appointed representative accepts any application submitted to you by a person on your behalf; and in the meantime, provides you the details of the application submitted in accordance with the Article 11 of KVKK and relevant legislation, as well. Not limited to this, the representative also follows up the application if it is responded and forwarded by you to the related parties within the legal period and provides you to fulfill your legal responsibility.

3) Conduct the VERBIS registration

The DCR fulfills the necessary steps for VERBIS registration and completes the required information on VERBIS by means of the contact person appointed on behalf of your company regarding the personal data you process in Turkey. Providing sustainability within the service, in the event of a change in your data processing activities within your company's process, the representative performs the related update on VERBIS system, as well.

4) Update you on the regulatory changes regarding the data protection law

The representative keeps you updated in Turkish and English about the updates in legislation, new applications and the changes in the current applications regarding the protection of personal data which is a living process that must be followed at all times. In addition, if there are requirements for you to fulfill due to a change in legislation in accordance with your obligation for VERBIS declaration, the representative will discuss these with you and take action accordingly.

The Related Legislation in the scope of the Law No. 6698 on the Protection of Personal Data

According to the Article 11 of the Regulation on the Data Controllers’ Registry – the scope of the authorization for DCR are as follows

  1. Notification or acceptance of notifications or correspondence made by the Authority on behalf of the data controller,
  2. Forwarding the requests of the Authority directed to the data controller to the data controller and forwarding the response of the data controller to the Authority,
  3. In case, no other basis has been determined by the Board; receiving applications of the relevant persons on behalf of the data controller and forwarding them to the data controller, in accordance with the first paragraph of the Article 13,
  4. In case, no other basis has been determined by the Board; forwarding the response of the data controller to the relevant persons, in accordance with the third paragraph of the Article 13,
  5. Carrying out the works and transactions related to the VERBIS on behalf of the data controller.

Data Controllers' Registry - ARTICLE 16

  1. Under the supervision of the Board, Data Controllers Registry shall be kept by the Presidency in a publicly available manner.
  2. Natural or legal persons who process personal data shall register with the Data Controllers Registry prior to commencing processing. However, considering objective criteria that shall be designated by the Board such as the characteristics and the number of data to be processed, whether or not data processing is based on any law, or whether data will be transferred to third parties, the Board may set forth exemptions to the obligation to register with the Data Controllers Registry.
  3. Registry application to the Data Controllers Registry shall be made with a notification including the following matters:
    • a) Identity and address information of the data controller and of the representative thereof, if any.
    • b) The purposes for which personal data will be processed.
    • c) The group or groups of persons subject to the data and explanations regarding data categories belonging to these persons.
    • ç) Recipient or groups of recipients to whom personal data may be transferred.
    • d) Personal data which is envisaged to be transferred abroad.
    • e) Measures taken for the security of personal data.
    • f) The maximum period of time necessitated by the purposes for which personal data are processed.
  4. Changes to the information provided as per the 3rd paragraph shall be immediately reported to the Board.
  5. Other procedures and principles relating to the Data Controllers Registry shall be regulated by a regulation.