VERBIS Registration Deadline Extended to 5 June 2026: What Companies Newly Captured by 2025 Balance-Sheet Thresholds Need to Know
In a public announcement, the Personal Data Protection Authority (KVKK) confirmed that the registration and notification deadline for corporate-tax-paying legal entities that fall under the Data Controllers’ Registry (VERBİS) obligation by reason of their 2025 annual balance-sheet total has been extended to Friday, 5 June 2026.
Who is Captured by the Obligation?
Under Article 16 of the Turkish Law on the Protection of Personal Data (Law No. 6698), data controllers processing personal data are required to register with the Registry and to notify their data-processing activities. Pursuant to Article 8(2) of the Regulation on the Data Controllers’ Registry, entities newly captured by the obligation must complete their registration and notification within 30 days.
The Board’s Decision No. 2018/87, as amended by Decision No. 2025/1572 dated 04.09.2025, sets the balance-sheet thresholds for the registration obligation as follows:
- Corporate-tax-paying legal entities whose primary activity is not the processing of special-categories personal data and whose 2025 annual balance-sheet total is TRY 100 million or above;
- Corporate-tax-paying legal entities whose primary activity is the processing of special-categories personal data and whose 2025 annual balance-sheet total is TRY 10 million or above.
Companies that crossed these thresholds in their 2025 balance sheets — and that did not previously fall within the registration obligation — are the direct addressees of the extended deadline.
How the Deadline Was Calculated and Why It Was Extended
The Revenue Administration set 30 April 2026 as the last day for filing 2025 corporate-tax returns. Under the Regulation, the thirty-day period that runs from the moment the obligation arises would, on the ordinary calendar, have ended on Saturday, 30 May 2026, rolling over to Monday, 1 June 2026 because of the weekend.
However, the last week of that thirty-day window coincided with the Eid al-Adha holiday, which materially compressed the working days available to data controllers to fulfil the obligation in practice. The Authority’s public announcement, taking this practical difficulty into account, extended the deadline to Friday, 5 June 2026.
VERBİS is Not a Single-Step Process
To grasp the 5 June 2026 deadline correctly, the multi-stage structure of the VERBİS registration and notification process needs to be understood. Per the VERBİS User Guide published by the KVKK, the process consists of four core stages:
In the first stage, an application form is created on VERBİS using the data-controller legal entity’s Tax Identification Number. A critical point to note here: the application must use the legal entity’s Tax ID — submissions made under an authorised person’s or employee’s Turkish ID number are treated as invalid by the KVKK.
In the second stage, the application form must be submitted to the Authority bearing a wet-ink signature and the company stamp/seal. Delivery is made via Registered Electronic Mail (KEP) to [email protected] where a KEP address is indicated in the form; otherwise, by post or in person to the Personal Data Protection Authority Presidency (Nasuh Akar Mahallesi 1407. Sokak No: 4 Balgat/Çankaya/ANKARA). This step is often overlooked — yet the Authority’s review begins only after this physical/KEP delivery is received.
In the third stage, after the Authority reviews and approves the application, a username and password are sent to the email address indicated in the application. The data controller signs into VERBİS with these credentials and designates a Turkish-citizen, Turkey-resident natural person as the contact person.
In the fourth and final stage, the contact person signs into VERBİS via e-Devlet and completes the notification on behalf of the data controller. This notification requires detailed entries across data categories, processing purposes, recipient groups, retention periods, data-subject groups, cross-border transfers and data-security measures.
The 5 June 2026 date is the deadline for completing this entire process, including the notification — not only the first step. Leaving the application to the last day therefore carries serious risk: the Authority’s review and approval of the form, transmission of credentials and contact-person assignment all consume time before the notification entry can be made. Starting preparation now is therefore not just a recommendation — it is a practical necessity.
What Companies Should Do During This Window
The extension is a limited but valuable opportunity to close any preparatory gaps. Companies that assess themselves as falling under the obligation are advised to complete the following steps within this window:
Prepare a personal-data inventory. The VERBİS notification covers data categories, data-subject groups, processing purposes, recipient groups, retention periods and data-security measures. A registration entered before this inventory is built properly creates downstream audit and compliance risk.
Align the Personal Data Processing Inventory with the notification content. The Regulation requires the inventory and the VERBİS notification to be consistent — discrepancies between the two adversely affect outcomes in an audit.
Identify and formally appoint a contact person. For corporate data controllers, the contact person must be a Turkish-citizen, Turkey-resident natural person. The appointment should be made by a competent corporate decision and entered into the system at registration.
Review the Retention and Destruction Policy together with the technical and organisational measures. Data controllers obliged to register are also obliged to maintain a Personal Data Retention and Destruction Policy. The policy being up-to-date and operationally applicable matters as much as the document existing on paper.
Update privacy notices and consent flows. The registration process often is the first occasion on which the company’s data-processing operations are reviewed holistically. It is advisable to use the same window to audit information-notice obligations and consent flows.
Consequences of Non-Compliance
Non-compliance with the VERBİS registration and notification obligation triggers an administrative monetary penalty under Article 18 of the Law. Data controllers that breach the registration and notification obligation are subject to administrative fines ranging from TRY 341,809 to TRY 17,092,242 in 2026.
Beyond the monetary penalty, a non-notifying data controller’s position before the Authority in a potential data-breach notification or complaint review is also adversely affected; and where the same incident gives rise to multiple breaches (failure to notify + failure to fulfil the information obligation + failure to implement data-security measures), penalties may be imposed cumulatively.
Conclusion
The 5 June 2026 deadline is the officially recognised last opportunity for companies that have become subject to the registration obligation for the first time by reason of their 2025 balance-sheet total. Companies that assess themselves as having crossed the thresholds but have not yet started preparing should treat this window not as a data-entry period but as a window for a holistic review of their KVKK compliance architecture. When structured correctly, the compliance process becomes an investment that reduces data-breach risk, strengthens corporate governance, and builds trust with business partners.
For the technical steps of the VERBİS registration and notification process, the Authority’s VERBİS User Guide may be consulted.
