The public announcement (“Announcement”) issued on 16 March 2026 by the Turkish Personal Data Protection Authority (“Authority”) provides clarification regarding the registration obligation with the Data Controllers’ Registry Information System (“VERBIS”) for business partnerships, consortia, and ordinary partnerships that do not have legal personality.
The Announcement sets out the principles as to which party and in what manner personal data processed within the scope of activities carried out by such structures should be notified to VERBIS.
According to the Authority’s assessment:
- Business partnerships, consortia, and ordinary partnerships do not have separate legal personality.
- Therefore, such structures cannot be considered as independent data controllers.
- Personal data processing activities carried out within these structures must be assessed at the level of the natural or legal persons constituting the partnership.
Approach to VERBIS Registration
The Authority has established the following principles regarding the VERBIS registration obligation:
- Personal data processing activities must be evaluated separately for each partner forming the partnership.
- Where the partners jointly determine the purposes and means of processing, this may give rise to joint controllership.
- In such cases, each partner is required to complete its own VERBIS registration individually.
Key Practical Implications
The Announcement entails the following important practical consequences:
- A single VERBIS registration made in the name of the partnership or consortium will not be sufficient.
- Each partner must analyze its own data processing activities and determine whether it qualifies as an independent or joint data controller.
- It is essential that the roles and responsibilities relating to data processing are clearly regulated contractually.
Action Points for Companies
In this context, companies are advised to:
- Map data processing activities within partnerships and similar structures,
- Accurately determine their capacity as data controller,
- Update or complete their VERBIS registrations, where required,
- Review and revise data protection provisions in partnership agreements.
Conclusion
The Announcement provides significant clarification in terms of transparency and accountability in personal data processing activities carried out within non-incorporated partnerships. Companies are advised to reassess their existing structures, particularly in light of the practical implications of joint controllership.
You may access the full text of the Announcement published by the Authority via the link below.
For detailed information and professional support during the compliance process, feel free to contact us.
This Legal Alert has been prepared for general information purposes only on current legal issues, and the evaluations contained in this Legal Alert do not constitute legal advice or a legal opinion. It is not possible to impose any liability on SRP-Legal Law Office due to the content of this Legal Alert. It is recommended to obtain the opinion of a legal advisor regarding your questions and enquires within the scope of this Legal Alert.
