According to the Law on the Protection of Personal Data and the Regulation on the Data Controllers Registry, individuals and legal entities that process personal data are required to register with the Data Controllers Registry before initiating data processing. The Personal Data Protection Board (“Board”) may determine exemptions to the same obligation, considering factors such as (i) the nature of the personal data, (ii) the quantity of personal data, (iii) the purpose of the data processing, (iv) the field of activity where personal data is processed, (v) the transfer of personal data to third parties, (vi) the legal basis of the data processing activity, (vii) the retention period of personal data, and (viii) the group of data subjects or data categories.
In this regard, with the decision of the Board dated 06.07.2023 and published in the Official Gazette dated 25 July 2023 and numbered 32259, the financial threshold for the exemption from the obligation to register with the data controllers registry, which was previously introduced by the decision of the Board dated 19.07.2018, has been increased from 25 million to 100 million Turkish Liras. Following this change,
(i) Individuals and legal entities that have fewer than 50 employees,
(ii) Individuals and legal entities with an annual financial statement total of less than 100 million Turkish Liras and whose main activity is not the processing of sensitive personal data,
will be exempt from the obligation to register with the data controllers registry.