New Turkish data protection law (TDPL) requires controllers to register their data processing inventory with the Turkish data protection authority.

“Although the information [required in the Turkish data inventory portal, called VERBIS], is similar to the GDPR Article 30 data processing ledger, such records may not be directly applicable because VERBIS is based on categories of personal data rather than the purposes of processing.”

In addition, controllers are also required to maintain a data processing ledger, containing more information than required in the GDPR Article30 data processing ledger requirement.

“The Turkish DPA has so far granted exemptions from the registration requirement for certain types of processing activities, as well as for data controllers concerned in certain fields of work or who have a relatively small business.”

Though TDPL is unclear regarding the law’s extra- territorial application, “the Turkish DPA’s recent fine imposed on Facebook demonstrates that the Turkish DPA is willing to take action against foreign data controllers, at least when persons in Turkey are affected.”

Details from the International Association of Privacy Professionals.