VERBIS Registration and Standard Contractual Clauses in Turkey: A Complete Guide for Life Sciences Companies Conducting Clinical Trials

Navigating Turkish Data Protection Requirements

Turkey's data protection landscape presents unique challenges for international life sciences companies seeking to conduct clinical trials within its borders. Unlike the European Union's General Data Protection Regulation (GDPR), which many multinational pharmaceutical and biotechnology companies have become familiar with, Turkey's Personal Data Protection Law (known as KVKK, or Kişisel Verilerin Korunması Kanunu) introduces distinct procedural requirements that can catch even experienced compliance professionals off guard.

For companies based in the United States, Europe, or other regions planning to initiate clinical trial sites in Turkey, understanding the interplay between VERBIS registration, Standard Contractual Clauses (SCCs), and the bureaucratic processes surrounding apostille and notarization requirements is essential. This comprehensive guide draws on practical experience helping life sciences companies navigate these complexities, offering actionable insights that go beyond theoretical legal analysis.

The Turkish data protection framework, while inspired by European standards, has evolved its own set of procedural requirements that demand careful attention to detail. Companies that underestimate these requirements often face delays in site initiation, unexpected costs, and compliance risks that could have been avoided with proper planning. This article aims to provide the clarity that is often lacking in general guidance, addressing the specific questions and challenges that arise when international sponsors seek to transfer clinical trial data out of Turkey.

Understanding VERBIS: Turkey's Data Controller Registry

What Is VERBIS and Why Does It Matter?

VERBIS (Veri Sorumluları Sicil Bilgi Sistemi), which translates to the Data Controllers Registry Information System, is a mandatory registration system maintained by the Turkish Data Protection Authority (known as KVKK or the Turkish DPA). Unlike notification requirements under GDPR, which were largely abolished by the regulation, Turkey maintains an active registry system that requires data controllers meeting certain criteria to register before processing personal data.

For clinical trial sponsors and their partners operating in Turkey, VERBIS registration is not optional. The registry serves as a transparency mechanism, allowing Turkish authorities and data subjects to understand who is processing personal data within or from Turkish territory. Failure to complete VERBIS registration can result in administrative fines and, more practically, can delay or prevent the lawful conduct of clinical research activities.

Who Must Register with VERBIS?

The VERBIS registration requirement applies to data controllers that meet specific thresholds established by the Turkish DPA. While certain exemptions exist for smaller organizations, international pharmaceutical companies, biotechnology firms, and contract research organizations (CROs) conducting clinical trials will almost universally need to ensure that appropriate VERBIS registrations are in place.

The complexity arises in determining which entities in a clinical trial ecosystem require registration. In a typical multinational clinical trial, multiple parties may be processing personal data:

• The sponsor company (often headquartered outside Turkey)
• Local CROs managing trial operations in Turkey
• Clinical trial sites (hospitals, research centers, and physician practices)
• Central laboratories processing biological samples
• Specialty laboratories conducting specific analyses
• Electronic data capture (EDC) system providers

Each of these entities may have different registration obligations depending on their role as data controller or data processor and their connection to Turkish data processing activities.

The VERBIS Registration Process

Completing VERBIS registration requires providing detailed information about data processing activities, including:

• Categories of personal data processed
• Purposes of data processing
• Categories of data subjects
• Recipients or categories of recipients to whom data is disclosed
• International data transfer activities
• Data retention periods
• Technical and organizational security measures

For international companies, the registration process typically requires working with local Turkish counsel who can submit the registration on behalf of the foreign entity. The Turkish DPA requires in-person submission for certain filings, making local representation essential.

One practical consideration that often surprises international companies is the level of detail required in VERBIS registration. Unlike some notification systems that accept high-level descriptions, the Turkish DPA expects comprehensive information about data processing activities. This means that companies should have their data mapping and records of processing activities well-documented before initiating the VERBIS registration process.

VERBIS as a Compliance Indicator

An interesting practical insight relates to using VERBIS registration status as an indicator of an organization's data protection maturity. When assessing potential clinical trial sites in Turkey, particularly university hospitals and public healthcare institutions, checking whether the institution has completed its VERBIS registration can provide valuable information about their familiarity with data protection requirements.

Experience shows that Turkish healthcare institutions vary significantly in their data protection compliance levels. Some university hospitals have fully completed their VERBIS registration and maintain sophisticated data protection programs, while others lag behind. Sites that have completed VERBIS registration are generally more likely to understand and accept the need for Standard Contractual Clauses and other compliance documentation.

This due diligence step can save significant time and frustration later in the site initiation process by identifying potential compliance challenges early.

Standard Contractual Clauses in Turkey: Key Differences from GDPR

The Turkish SCC Framework

While Turkey's approach to cross-border data transfers draws inspiration from the European model, the Turkish Standard Contractual Clauses system differs significantly from the GDPR framework in both substance and procedure. Understanding these differences is critical for companies accustomed to operating under GDPR requirements.

The Turkish DPA has published official SCC templates that must be used for international data transfers. Unlike under GDPR, where parties have some flexibility in structuring their transfer mechanisms, Turkish law requires strict adherence to the official templates. Modifications to the core clauses are generally not permitted, though parties can add supplementary provisions in designated annexes.

Bilingual Documentation Requirements

One of the first practical challenges international companies encounter is the language requirement for Turkish SCCs. The Turkish DPA requires that SCCs be executed in Turkish for official purposes. However, recognizing the practical needs of international business, a widely accepted practice has emerged: preparing bilingual documents with Turkish and English versions side by side.

When using bilingual SCCs, several important considerations apply:

First, both language versions must be signed independently. It is not sufficient to sign only the English version and treat it as binding. Each language version requires separate execution by the authorized signatories.

Second, the Turkish DPA will rely on the Turkish version for any interpretation or enforcement purposes. The English version serves as a convenience for non-Turkish-speaking parties but does not supersede the Turkish text.

Third, the bilingual format can streamline the execution process by eliminating the need for post-execution translation and notarization of the SCC document itself. This is a significant procedural advantage that can save time and reduce costs.

The Apostille and Notarization Requirement

Perhaps the most distinctive aspect of Turkish SCC compliance is the requirement for apostilled and notarized supporting documentation. This requirement frequently causes confusion for international companies because it does not apply to the SCC document itself but rather to the documents that evidence the signatory's authority.

Here is how the process works in practice:

The SCCs themselves require only simple signatures from authorized representatives of each party. No notarization or apostille is required for the SCC document when using the bilingual format with both Turkish and English versions properly executed.

However, the Turkish DPA requires evidence that the person signing the SCCs on behalf of a foreign company is actually authorized to do so. This evidence typically takes the form of a corporate document—often called a signature circular or signature specimen in Turkish practice—that demonstrates the signatory's authority.

This supporting document must be:

1. Obtained from the commercial registry or equivalent authority in the company's country of incorporation
2. Apostilled in that country (if the country is party to the Hague Apostille Convention)
3. Sent to Turkey in original form
4. Translated into Turkish by a certified translator
5. Notarized before a Turkish notary public

The apostille and notarization process can take several weeks, making it essential to initiate this workstream early in the site initiation process.

A Crucial Practical Tip: Reusability of Authority Documents

One frequently overlooked aspect of the Turkish SCC process that can generate significant efficiency gains relates to the reusability of apostilled authority documents. Once a company has obtained and properly processed an apostilled signature authority document for a particular signatory, that document can typically be used for multiple SCC submissions.

This means that if a company's Chief Legal Officer or other authorized signatory will be executing multiple SCCs for different Turkish sites or vendors, the apostille process needs to be completed only once (assuming the same person retains signature authority). This can result in substantial time and cost savings for companies conducting multiple clinical trials in Turkey or working with multiple Turkish partners.

When planning Turkish data protection compliance, it is therefore worth considering who will serve as the authorized signatory for SCCs and ensuring that person is likely to remain in their role for the foreseeable future.

The Five-Day Submission Rule: A Critical Timeline Consideration

Understanding the Notification Deadline

Turkish data protection law imposes a requirement that executed SCCs be submitted to the Turkish DPA within five working days of execution. This tight deadline creates practical challenges, particularly given the apostille and notarization requirements discussed above.

The five-day rule applies from the date the SCCs are considered executed. This creates a potential timing trap: if parties date their SCCs on the day of signature, the five-day clock begins running immediately, potentially before all supporting documentation is ready for submission.

Strategic Approach to SCC Dating

Experienced practitioners in Turkish data protection have developed a strategic approach to managing this timing challenge: executing SCCs without dates.

While this may seem unusual to legal professionals accustomed to dating agreements on execution, leaving the date blank on Turkish SCCs is a well-established practice that allows for proper coordination of the submission process. The date can be inserted once all supporting documentation is in order and the package is ready for submission to the Turkish DPA.

This approach requires clear communication with internal stakeholders, particularly authorized signatories who may instinctively want to date documents when signing them. Briefing signatories in advance about this Turkish-specific requirement helps avoid complications.

Counterpart Execution Considerations

Another practical consideration relates to the sequence of execution. Turkish SCCs can be executed in counterparts, with each party signing separately. This flexibility allows for efficient processing, particularly when parties are located in different countries.

The typical sequence involves:

1. The Turkish party (such as a clinical trial site or local vendor) signs first
2. The foreign party signs and handles the apostille process for authority documents
3. Once all documents are assembled, the date is inserted
4. The complete package is submitted to the Turkish DPA within five working days of the inserted date

This sequencing ensures that the five-day clock does not begin running until all parties are prepared for submission.

Data Controller and Processor Relationships in Turkish Clinical Trials

Mapping the Data Flow

One of the more complex aspects of Turkish data protection compliance for clinical trials involves properly characterizing the relationships between various parties in the data processing chain. The Turkish DPA's approach to data controller and data processor determinations can differ from expectations based on GDPR experience.

In a typical clinical trial, personal data flows through multiple entities:

• Clinical trial sites collect data from research subjects
• Data may be transmitted to local CROs managing trial operations
• Central and specialty laboratories receive biological samples and associated data
• Electronic data capture systems host and process trial data
• The sponsor company ultimately receives and analyzes the data

Each of these transfers potentially triggers SCC requirements, and properly structuring the contractual relationships is essential for compliance.

The Turkish DPA's Perspective on Data Flows

The Turkish DPA takes a somewhat flexible approach to characterizing data transfers, considering both the contractual relationships between parties and the actual flow of data. This can create complexity when the contractual structure does not perfectly align with the technical data flow.

For clinical trials, the sponsor company is typically characterized as the data controller because it determines the purposes and means of processing clinical trial data. Even though the sponsor may not directly receive data from Turkish sites—data may flow first to laboratories, CROs, or EDC systems—the sponsor's role as the entity directing and controlling the research generally supports its characterization as the controller.

Turkish clinical trial sites, meanwhile, often occupy a dual role. They may be considered independent data controllers for their own treatment-related processing of patient data, while acting as data processors (or potentially joint controllers) for research-related processing conducted under the sponsor's direction.

Structuring SCC Relationships

Given this complexity, how should companies structure their Turkish SCCs? Several approaches are possible, and the optimal structure depends on the specific circumstances of each trial.

One common approach follows the contractual chain: if the sponsor has a direct clinical trial agreement with the site, the SCCs are executed between the sponsor and the site, regardless of where data physically flows. This approach has the advantage of simplicity and aligns with how many companies structure their European data transfer compliance.

An alternative approach follows the data flow: SCCs are executed between each pair of entities that actually transfer data to one another. Under this approach, a site might have SCCs with a laboratory, and the laboratory might have separate SCCs with the sponsor. This approach may be more technically accurate but creates additional administrative complexity.

The Turkish DPA appears to accept either approach, provided that the entire chain of transfers is covered. The key requirement is that personal data leaving Turkey is protected by appropriate SCCs at each stage of its journey.

Onward Transfer Provisions

Regardless of the structural approach chosen, the Turkish SCCs include provisions addressing onward transfers—situations where a data importer further transfers data to another party outside Turkey. These provisions require that appropriate protections be in place for any subsequent transfers.

For clinical trials, this means considering not just the initial transfer from Turkey but the entire data flow through laboratories, data management vendors, and other service providers. The SCC annexes should clearly describe these downstream data flows and the protections in place.

Challenges with Public Healthcare Institutions

The Compliance Gap in Turkish Healthcare

One of the most significant practical challenges in Turkish clinical trial data protection relates to the varying compliance levels among potential trial sites, particularly public healthcare institutions such as university hospitals.

While Turkish law clearly requires all organizations processing personal data to comply with data protection requirements, including the execution of SCCs for international transfers, practical experience reveals that not all institutions are equally prepared or willing to engage with these requirements.

Some university hospitals and public healthcare institutions in Turkey have fully embraced data protection compliance. These institutions have completed their VERBIS registration, developed internal data protection policies, and are comfortable executing SCCs as part of clinical trial agreements. Working with these sites is relatively straightforward.

Other institutions, however, remain less engaged with data protection requirements. These sites may be unfamiliar with SCCs, reluctant to execute additional compliance documentation, or simply under-resourced for data protection activities. Local CROs working with these sites may report that "sites don't expect to sign SCCs," creating a disconnect between legal requirements and practical realities.

Strategies for Managing Site Reluctance

When facing reluctance from Turkish clinical trial sites to execute SCCs, several strategies can help manage the situation:

First, education and communication often help. Sites that are unfamiliar with SCC requirements may simply need clear explanation of the legal basis and purpose of the documentation. Providing translated materials and working through local partners who can explain requirements in Turkish can overcome initial resistance.

Second, leveraging existing compliance activities can demonstrate that SCCs are not as unusual as sites may perceive. If a site has completed VERBIS registration, pointing out that the same law requiring VERBIS also requires SCCs can help establish the legitimacy of the request.

Third, documentation of good faith efforts provides some protection if a site ultimately refuses to execute SCCs. While this is not a complete solution—the sponsor still faces potential liability for transfers without adequate protections—documenting that the sponsor requested SCCs and the site refused at least demonstrates the sponsor's compliance intent.

In communications to resistant sites, it should be made clear that the SCC requirement is a legal obligation under Turkish law, not merely a preference of the sponsor. The site, as the entity transferring personal data out of Turkey, bears primary liability for ensuring compliant transfers. Framing the discussion around the site's own compliance obligations, rather than presenting SCCs as an imposition from the sponsor, can shift the dynamic.

Assessing Site Compliance Readiness

For sponsors in the site selection phase, conducting due diligence on potential Turkish sites' data protection maturity can help avoid these challenges. Checking VERBIS registration status, inquiring about the site's experience with SCCs, and understanding the institution's general compliance posture can identify potential problems before commitments are made.

Including data protection compliance capabilities as a criterion in site selection—alongside traditional factors like patient population, investigator experience, and institutional reputation—helps ensure that selected sites can meet all study requirements, including regulatory compliance obligations.

Cost Considerations and Budgeting for Turkish Compliance

Understanding the Fee Structure

Engaging local Turkish counsel for VERBIS registration and SCC support involves costs that should be anticipated in clinical trial budgets. While fee structures vary among law firms, understanding the typical components helps with accurate budgeting.

Professional fees for SCC preparation and submission typically cover:

• Review and verification of supporting documents obtained from abroad
• Guidance on apostille and notarization requirements
• Review of completed SCC templates for compliance with Turkish requirements
• Assistance with optional provisions and annex completion
• Physical submission to the Turkish DPA (required for non-Turkish entities)
• Response to any DPA queries or requests for additional information

In addition to professional fees, out-of-pocket expenses must be budgeted:

• Certified translation of supporting documents into Turkish
• Turkish notary fees for notarization of translated documents
• Apostille fees in the country of origin (varies by jurisdiction)
• Courier costs for original documents

‍

Efficiency Gains Through Proper Planning

While Turkish data protection compliance involves unavoidable costs, proper planning can generate efficiency gains that reduce overall expense.

Processing multiple SCCs simultaneously allows for economies of scale in review and submission. Using a single authorized signatory across multiple agreements means the apostille process need only be completed once. Coordinating VERBIS registration and SCC submission allows related work to be performed together.

For companies expecting to conduct multiple clinical trials in Turkey or to have ongoing Turkish operations, investing in a comprehensive initial compliance setup—including reusable authority documentation and thorough VERBIS registration—reduces the marginal cost of each subsequent study.

Comparing Turkish Requirements with GDPR: Key Differences

A Framework Inspired by—But Distinct From—European Law

Turkey's data protection framework was heavily influenced by European law, particularly the 1995 Data Protection Directive that preceded GDPR. However, Turkey is not an EU member state and has not been granted an adequacy determination by the European Commission. This means that Turkey occupies a unique position: it has data protection law substantively similar to European standards but is treated as a "third country" for GDPR transfer purposes.

For companies operating under both GDPR and Turkish law, understanding the key differences is essential for developing efficient compliance strategies.

Notification and Registration Requirements

Perhaps the most significant procedural difference is Turkey's VERBIS registration requirement. GDPR largely eliminated prior notification requirements that existed under the 1995 Directive, replacing them with accountability-based obligations such as maintaining records of processing activities. Turkey, however, maintains an active registration system that requires proactive compliance steps before processing can lawfully begin.

This difference means that companies cannot simply extend their GDPR compliance programs to Turkey without modification. Even if a company has robust GDPR compliance in place, separate Turkish compliance steps are required.

SCC Procedures and Formalities

While both GDPR and Turkish law rely on Standard Contractual Clauses as a mechanism for international data transfers, the procedural requirements differ significantly.

Under GDPR, parties execute SCCs, perform transfer impact assessments where required, and implement the contracts—no government notification or approval is required. The European Commission has adopted updated SCCs that provide some flexibility in how parties structure their agreements.

Under Turkish law, the process is more bureaucratic:

• Official Turkish SCC templates must be used with limited modification
• SCCs must be submitted to the Turkish DPA after execution
• The five-day submission deadline creates timing pressure
• Apostilled authority documentation adds procedural steps

Companies accustomed to the relative simplicity of GDPR SCC execution often underestimate the time and effort required for Turkish compliance.

Data Flow Versus Contractual Relationships

Approaches to structuring data transfer agreements may also differ between GDPR and Turkish compliance programs. Some companies have been advised under GDPR to strictly follow actual data flows when determining which parties should execute SCCs. Under this approach, SCCs exist between each pair of entities that physically transfer data, regardless of contractual relationships.

The Turkish DPA appears more flexible, accepting either data-flow-based or contract-based approaches to structuring SCC relationships. This flexibility can be helpful for companies seeking to maintain consistent approaches across jurisdictions, but it can also create complexity when different advisors recommend different approaches.

Companies operating in both environments should carefully consider their overall transfer strategy and ensure consistency where possible while accommodating jurisdiction-specific requirements where necessary.

Practical Recommendations for Life Sciences Companies

Start Early and Plan Comprehensively

The single most important recommendation for companies planning Turkish clinical trials is to begin data protection compliance planning early. The combination of VERBIS registration, SCC preparation, apostille processing, and potential site education creates lead times that can extend to several months.

Building Turkish data protection compliance into initial study planning—rather than treating it as a late-stage checklist item—ensures that compliance activities do not delay site initiation.

Engage Experienced Local Counsel

Turkish data protection compliance involves nuances that are difficult to navigate without local expertise. Engaging Turkish counsel who specializes in data protection and understands the life sciences context provides valuable guidance on current requirements and practical approaches.

The regulatory landscape in Turkey continues to evolve, and staying current with Turkish DPA guidance and enforcement trends requires ongoing attention. Local counsel relationships provide access to this current intelligence.

Coordinate Across Compliance Workstreams

VERBIS registration, SCC preparation, and general clinical trial regulatory compliance are related activities that benefit from coordination. Ensure that the various parties involved—sponsors, CROs, local counsel, and regulatory affairs teams—are communicating effectively and working from consistent assumptions about data flows and processing activities.

Data mapping performed for VERBIS registration purposes should align with SCC annexes describing data transfers. Clinical trial agreements should reflect the same data processing arrangements described in SCCs. Consistency across documentation reduces compliance risk and simplifies responses to any regulatory inquiries.

Document Everything

Given the procedural complexity of Turkish compliance and the potential for disputes or regulatory inquiries, thorough documentation is essential. Maintain records of:

• All correspondence regarding SCC requirements
• Copies of all executed compliance documents
• Evidence of submission to the Turkish DPA
• Communications with sites regarding compliance expectations

If sites refuse to execute SCCs or other compliance documentation, document these refusals clearly. While documentation does not eliminate liability, it demonstrates good faith compliance efforts.

Build Compliance Capabilities for the Long Term

For companies expecting ongoing activities in Turkey, investing in sustainable compliance capabilities pays dividends over time. This includes:

• Establishing relationships with Turkish counsel who understand your business
• Creating template language for Turkish SCCs and related documents
• Developing internal expertise in Turkish requirements among legal and compliance staff
• Including Turkish data protection compliance in standard operating procedures for study startup

Frequently Asked Questions About Turkish Data Protection Compliance

How Long Does the Full Compliance Process Take?

The timeline for complete Turkish data protection compliance depends on multiple factors, but companies should generally plan for a minimum of eight to twelve weeks from initiation to completion. This timeline accounts for:

• VERBIS registration preparation and submission (two to four weeks)
• Apostille processing in the company's home jurisdiction (one to three weeks, highly variable by country)
• Translation and notarization in Turkey (one to two weeks)
• SCC preparation and internal review (two to three weeks, can run in parallel)
• Submission to the Turkish DPA and confirmation (one to two weeks)

These timelines can extend significantly if complications arise, such as sites requiring additional education about compliance requirements, authority documents requiring revision, or Turkish DPA requests for supplementary information.

Can We Use Electronic Signatures on Turkish SCCs?

The Turkish DPA's requirements regarding electronic signatures continue to evolve. Currently, the safest approach is to use traditional wet ink signatures for Turkish SCCs, particularly for the Turkish-language version that will be submitted to the DPA. While electronic signatures have legal validity in Turkey under certain conditions, the conservative approach for regulatory submissions is to use physical signatures.

For the supporting authority documentation that requires apostille, traditional execution is required since the apostille process involves physical certification of original documents.

What Happens If a Site Refuses to Sign SCCs?

If a Turkish clinical trial site refuses to execute SCCs despite the legal requirement for such documentation, sponsors face a difficult decision. Options include:

• Escalating discussions with the site, potentially involving site leadership or institutional compliance officers
• Seeking alternative sites that are willing to comply with data protection requirements
• Documenting the site's refusal and proceeding with appropriate risk acceptance (though this does not eliminate legal exposure)
• Structuring the trial to minimize or eliminate cross-border data transfers from that particular site

None of these options is ideal, which reinforces the importance of assessing site compliance readiness during the selection process.

How Do Turkish Requirements Apply to Pseudonymized Clinical Trial Data?

Pseudonymization does not exempt clinical trial data from Turkish data protection requirements. Under Turkish law, as under GDPR, pseudonymized data remains personal data because it can be re-identified using additional information. SCCs and other transfer protections are therefore required even for key-coded clinical trial data.

The practical implication is that companies cannot avoid Turkish compliance requirements by arguing that their data is "anonymized" when it is actually pseudonymized—a distinction that sometimes causes confusion in clinical trial contexts.

Are There Special Considerations for Biological Samples?

Biological samples themselves are not considered personal data under Turkish law, but information derived from or associated with those samples typically is. This means that the transfer of samples to laboratories outside Turkey may not directly trigger SCC requirements, but the transfer of associated data (subject identifiers, sample metadata, analytical results linked to individuals) does.

Companies should carefully map the data flows associated with biological sample handling to ensure that all personal data transfers are covered by appropriate SCCs, even if the physical sample movement does not require such documentation.

Conclusion: Complexity That Can Be Managed

Turkish data protection compliance for clinical trials is undeniably complex, requiring attention to procedural details that differ significantly from other jurisdictions. The combination of VERBIS registration, Turkish-specific SCC requirements, apostille and notarization procedures, and the five-day submission rule creates a compliance landscape that demands careful planning and execution.

However, this complexity is manageable with proper preparation, experienced advisors, and realistic timelines. Companies that approach Turkish compliance with appropriate attention and resources consistently achieve successful outcomes, enabling them to access Turkey's substantial clinical trial opportunities while maintaining rigorous data protection standards.

The key is recognizing that Turkish requirements are genuinely different from GDPR and other frameworks, rather than assuming that existing compliance programs can be extended without modification. By investing in understanding these differences and building Turkey-specific compliance capabilities, life sciences companies can confidently navigate the Turkish data protection landscape.

For organizations seeking to conduct clinical research in Turkey, data protection compliance should be viewed not as an obstacle but as an investment in sustainable operations. The procedural requirements, while demanding, ultimately serve to protect research participants and establish the legitimacy of international data flows—goals that align with the values of responsible clinical research.

‍