Understanding DPR in Turkey: What It Is, Who Needs It, and How Kooch Can Help

Understanding DPR in Turkey: What It Is, Who Needs It, and How Kooch Can Help

What is DPR (Data Protection Representative) in Turkey?

In Turkey, the concept of DPR typically refers to a Data Protection Representative (sometimes “Data Controller Representative”) under Turkish data protection law (Law No. 6698, “LPPD”). Foreign or cross-border data controllers that process Turkish personal data may be required to appoint a DPR in Turkey as their local contact and liaison for regulatory and data subject demands.

Why this exists:

• Turkey’s data protection regime aims to ensure that controllers operating from abroad still have a responsible local contact that can receive notifications, correspond with the Turkish Data Protection Authority (KVKK), and address data subject rights.
• The DPR role is analogous in some respects to the “representative” requirement under the EU’s GDPR for non-EU controllers (Article 27), though there are procedural and substantive differences under Turkish law.

Who Must Have a DPR in Turkey?

Not every company needs a DPR — it depends on where you are domiciled, where you process data, and whether you fall under registration obligations. Below is a breakdown.

SituationDPR Required?Key ConsiderationsData controller based in TurkeyUsually not (for the DPR role)Turkish entities already have legal presence and regulatory responsibility. But they may have obligations such as registration with VERBIS (Data Controllers Registry). Data controller outside Turkey, processing Turkish individuals’ personal dataYes, you must appoint a DPRForeign controllers must appoint a DPR and use that representative to register in VERBIS on their behalf. Controllers (either domestic or foreign) with limited scalePossibly exemptThe Turkish authority can grant exemptions based on objective criteria (size, volume, nature of processing).

Some important nuance:

• For non-Turkish controllers, there is no threshold exemption: even if you have small volume, you may still need a DPR.
• The appointment of DPR must follow formal steps (e.g. a resolution, notarization, apostille/legalization) under Turkish rules.
• The DPR acts as the official point of contact for data subjects, for the KVKK, and must relay communications and requests.
• Also, the DPR may take on certain duties: receiving notices/communications, forwarding them to the controller, handling data subject requests, performing VERBIS registration tasks, etc.

Failing to appoint a DPR (when required) or failing to comply with VERBIS obligations can expose companies to significant administrative fines in Turkey.

What Is VERBIS and Its Link to DPR

To understand DPR in Turkey, one must also understand VERBIS — the Data Controllers Registry System under the LPPD.

• VERBIS is the registry where controllers (domestic or foreign) must register information about their personal data processing: identity, address, processing activities, recipients, transfers abroad, data security measures, retention periods, etc.
• The Regulation on the Data Controllers’ Registry, published Jan 1, 2018, sets out procedures and principles.
• Non-Turkish controllers cannot directly register themselves; they typically must do so through their DPR in Turkey who acts on their behalf.
• Some controllers are exempted (or given exceptions) from VERBIS registration depending on objective criteria (e.g. size, number of data processed) or the kind of data involved.

Thus, in practice, the DPR often is the party responsible for ensuring that registration is correctly done, maintained, and updated when processing changes.

Key Risks, Challenges & Recent Developments

Risks & Compliance Challenges

• Administrative fines: Turkish authorities can impose fines if you fail to register in VERBIS or fail to appoint a DPR when required.
• Procedural burdens: The requirement for notarization, apostille, or legalization of DPR appointment documents can make the process slower and more complex.
• Language / local nuances: VERBIS is currently available only in Turkish; communications with the Turkish authority and data subjects must often be in Turkish.
• Changing rules / exemptions: The Turkish Data Protection Board may issue guidelines or exemptions; these may evolve. Always monitor regulatory updates.
• Cross-border data transfers: If your processing involves transferring data into or out of Turkey, you must ensure that such transfers comply with Turkish regulation (adequacy, standard contractual clauses, or other permitted mechanisms).
• Operational complexity: The DPR must be reliably reachable, must understand Turkish law, and must handle incoming regulatory or data subject requests in a timely fashion.

Recent & Relevant Developments

I did not find any very recent legislative change (2025) explicitly redefining DPR obligations in Turkey. The basic framework remains anchored in LPPD (Law 6698) and the Regulation on Data Controllers’ Registry.

One related observation: many Turkish banks are using Diversified Payment Rights (DPR) securitization programs, which is a different financial instrument meaning of DPR (unrelated to data protection). For instance, Fitch recently upgraded several Turkish DPR (financial securitization programmes) ratings.

Just to avoid confusion: in this blog, DPR refers to Data Protection Representative, not financial instruments.

What Kooch Can Do for You (As Your DPR / Compliance Partner)

At Kooch, we can offer the following services (and we will be realistic about limitations):

1. DPR Appointment & Legal Documentation
   • Prepare the appointment resolution, ensure proper signature, help with notarization and apostille or legalization.
   • Serve as your official contact in Turkey (either via a legal entity or qualified individual) who can act as DPR.
2. VERBIS Registration & Maintenance
   • Handle the registration on the Data Controllers’ Registry on your behalf (via DPR role).
   • Maintain and update your VERBIS entry when your processing activities change (e.g. new data processing, new transfers, new subprocessors).
3. Communication & Liaison with KVKK
   • Receive official notifications, correspondences, or audits from the Turkish Data Protection Authority (KVKK) on your behalf.
   • Translate, interpret, and relay their requests to your internal team, and manage replies within deadlines.
4. Data Subject Request Handling (for Turkey)
   • Act as the Turkish contact point for data subjects exercising rights (access, rectification, deletion, portability, objection, etc.).
   • Ensure procedural compliance with timing, format, and recordkeeping in line with Turkish law.
5. Compliance Consulting & Audits
   • Review your data flows, cross-border transfers, security measures, retention policies, etc., and propose improvements to align with Turkish data protection requirements.
   • Conduct periodic audits to ensure your process remains compliant, especially as your business evolves.
6. Training & Awareness
   • Provide training to your internal teams (especially those handling Turkish user data) on Turkish data protection expectations, breach notification rules, etc.
7. Updating & Monitoring Legal Changes
   • Monitor Turkish regulatory updates, guidance from KVKK or the Board, and ensure you’re informed of changes that might affect your DPR obligations.
   • Advise you proactively if new requirements emerge.
8. Risk Assessment & Remediation Support
   • Help assess gap risks (where your current practice is weak versus Turkish expectations) and assist in remediation plans.
   • Assist in response or mitigation if a regulatory notice or inquiry occurs.

We will be transparent: we cannot eliminate regulatory risk entirely — fines or enforcement may still come depending on how the Turkish authority views the case. But by working with us, your compliance burden is lower and you reduce the probability of serious noncompliance.

‍