Data Controller and Data Processor Within the Scope of KVKK And GDPR
Data Controller and Data Processor Concepts
The Personal Data Protection Law (KVKK) is a young law that entered into force in 2016. For this reason, it can easily be said that it has taken shape in accordance with the needs of our age. The purpose of the Personal Data Protection Law is to protect the fundamental rights and freedoms of individuals, especially the privacy of private life, in the processing of personal data, and to regulate the obligations, procedures and principles to be followed by natural and legal persons who process personal data. In line with this purpose, the law has introduced many regulations and tried to clarify the relevant concepts. The concepts of data processor and data controller are among the concepts regulated in the KVKK.
The Personal Data Protection Law divides the persons involved in the processing of personal data into data controllers and data processors and does not hold them equally responsible. Those who are in a decision-making position in determining the processing and who process personal data are considered data controllers.
In the Definitions section of the first article of the Law:
“Data Controller” means the natural or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data filing system; “Data Processor” means the natural or legal person who processes personal data on behalf of the data controller upon its authorization. “Processing of personal data” means any operation which is performed on personal data, wholly or partially by automated means, or by non-automated means provided that the operation forms part of a data filing system, such as collection, recording, storage, protection, alteration, adaptation, disclosure, transfer, retrieval, making available for collection, categorization, or preventing the use thereof.
The definition of the processing of personal data may help to determine the activities and decisions that the data processor may undertake. As can easily be understood, operations such as collecting, recording, storing and transferring personal data are technical operations. However, interpreting personal data and making decisions about it fall mostly within the scope of activity of the data controller. This distinction should be treated as a rough distinction rather than a precise one. As a matter of fact, the storage of personal data is often carried out jointly by both the data processor and the data controller.
On the other hand, it cannot be said that there is complete freedom in the processing of personal data. In particular, paragraph 2 of Article 4 of the Law states that there must be a need for the processing of personal data. That need must belong to the data controller. A data controller that needs personal data to be processed cannot escape the responsibilities stipulated in the law by handing the processing of personal data over to someone else. In other words, if the person who collects or stores personal data does this work not for a processing need of their own, but for someone else’s personal data processing need, then he/she becomes a data processor, not a data controller.
Sometimes the need to process personal data may arise for more than one person. For example, more than one company may come together in a joint activity to collect and process personal data. If each of the partners needs to process the personal data, then each of them will be considered a data controller separately. If there is more than one data controller, it will be necessary to decide, according to the circumstances of the concrete case, whether there is joint liability or sole liability.
Distinction of Data Controller and Data Processor
The processing of personal data may seem like a theoretical issue as long as it is carried out in full compliance with the legislation and with all necessary measures taken. However, in the event that personal data falls into the hands of unauthorized persons or damage occurs due to an unlawful act, the distinction between the data controller and the data processor will need to be made correctly in order to determine the responsible party. Only through this distinction will it be possible to determine the administrative fines stipulated in the Law and the respondent against whom the data subject may direct his/her lawsuit.
For example, if the roles assigned to the persons involved in a project are not separated from each other by clear lines, how the responsibilities imposed by the law will be shared becomes a matter of debate. Not every project is one in which the entire personal data processing process is carried out by a single person. In some cases, the collected personal data may be processed for the needs of a large number of people, and assistance may be requested from many companies for the processing of personal data. Unclear limits of responsibility, or gaps in the area of responsibility deliberately left by the contracts, may cause the person concerned to lose their rights, and may also leave the Board without an addressee in the audits it carries out.
At this point, the issues we will explain below will help in determining the responsibility in this regard.
As we mentioned above, the data controller is the natural or legal person who decides on the purposes and method of processing of personal data. The data controller may also carry out such data processing activity jointly with other persons. In other words, the data controller is the one who answers the questions of “why” and “how” in the processing of personal data. While the data controller determines some of the purposes of processing personal data, it may also determine all purposes jointly with other data controllers.
Another situation is that although the data controller, who is active in determining the purposes, performs all data processing operations himself/herself, another data controller also has a say on the purposes of data processing. In this case, the data controller is not the only one. In other words, everyone who is active in determining the purposes should be recognised as the data controller.
In many business models in business life, it is seen that more than one company is in a decision-making position in determining the purposes of processing personal data. The point to be considered here is the difference between making a suggestion and making a decision. Persons may be active in determining the purposes through suggestions and ideas, but if they are not in a decision-making position in determining the purposes, it cannot be said that they are data controllers.
In summary, the data controller is the one who decides on the following matters:
- Collection of personal data and collection method,
- Types of personal data to be collected,
- The purposes for which the collected data will be used,
- Which individuals’ personal data will be collected,
- Whether the collected data will be shared, and if so, with whom,
- How long the data will be stored.
These decisions can only be taken by the data controller, who has full control over the processing of personal data. The data processor, on the other hand, may have the authority to make decisions on some of the following issues, in accordance with the contract it has concluded with the data controller:
- Which information technology systems or other methods will be used to collect personal data,
- The method by which personal data will be stored,
- Details of the security measures to be taken for the protection of personal data,
- The method by which personal data will be transferred,
- The method to be used for the correct application of the periods for the storage of personal data,
- Methods of deletion, destruction and anonymisation of personal data.
As can be understood, the points on which the data processor can make decisions are limited to how the decisions already made regarding personal data will be implemented. The data processor’s responsibility exists only within the area of responsibility framed by the data controller.
The situations listed above are not all the possible situations; they are listed only to show, by way of example, how the distinction should be made.
The data processor may be the decision-maker in technical matters, with the knowledge of the data controller. The data processor cannot decide on the content and purposes of processing personal data, which are issues that only the data controller can decide, in a way that exceeds the limits drawn for it.
Determination of Responsibility
Nevertheless, many difficulties may still be encountered in determining who holds the title of data processor and who holds the title of data controller, and therefore in determining responsibility, when evaluating a concrete case. When we look at business life, business relationships involve different forms of co-operation that are far from uniform. For example, services may be received from many people on a single project, more than one company may act jointly in the collection or use of personal data, small-scale companies may develop different business models with large-scale companies, and in many other respects business life is not as simple as the picture drawn in the law.
For example, in a dealership or franchising business model, the head company decides which personal data to collect and how to process it, and the branch company must strictly comply with these rules. However, the dealer or branch that collects personal data is the one in direct contact with the data subject, and the first place where personal data is collected is the branch. In this case, can it be said that the branch is the decision-maker regarding the collection of personal data? In some dealership and franchise models, the operator of the branch acts only as an operator and performs transactions on behalf of the parent company, while in other models it is the company operating the branch that performs the financial transactions. It is clear that if the company operating the branch performs transactions on behalf of the parent company, it is only in the position of data processor. In the other case, however, the company that sells the products of a famous brand but carries out these transactions on its own behalf is the data controller. In this case, the obligation to inform the data subject, when obtaining explicit consent, of the parties with whom personal data is shared will have to be fulfilled.
Another example is a company specialised in technology providing data centre services to another company. The company providing data centre services is specialised in its own field. It makes some commitments to its customer company regarding the data to be stored and often does not need to explain in detail which technologies it uses while fulfilling these commitments. It decides which devices to use and how to use them. For example, if it provides a database server service or virtual server service, the guarantees given by the company are more important than the devices used for the customer. The company using the data centre service decides which personal data will be collected and for how long it will be stored, and can process them in the data centre. The data centre may also provide services such as backing up and transferring these data to another location. Similarly, a company providing archive services may store the papers containing personal data and may destroy or send them elsewhere upon the request of its customer. In this relationship, whether it is paper or digital data, the personal data custodian is not in a decision-making position. It fulfils the requests sent to it. In this case, it is the data processor. The party making decisions is the data controller.
Another example is a joint marketing campaign between two companies that have agreed with an advertising agency. It is not the advertising agency that decides which personal data to collect. However, the advertising agency may carry out some activities related to the personal data collected. These activities may be within the permission of the companies and within the framework set by the companies. The fact that the companies determine the purposes of collecting personal data and determine the retention period and processing methods makes the two companies the data controller and the advertising agency the data processor.
Data processors may process personal data under the responsibility and with the authorisation of data controllers. There may be other personal data about which the data processors themselves decide. For example, a company providing data services for a bank may also provide services to natural persons and store their personal data. For those data, the company operating the data centre is the data controller. The company’s data responsibility covers only the personal data for which it has decision-making authority. For the personal data processed for the bank, it is only the data processor.
A company cannot be both a data processor and a data controller for the same personal data. In other words, it is either a data processor or a data controller. However, it may be a data processor for one set of personal data and a data controller for another. One of the points that can be taken as a criterion in making this distinction is “whose” the data is. For example, if we assume that the personal data in question is invoice information, this can be understood by looking at who issued the invoice. Of course, it should not be forgotten that the question of “whose” is used only to express an interest, without violating the rights of the person concerned.
Subcontractors and consultants from whom data controllers obtain services for personal data need not necessarily be data processors. Whether a person is a data controller or a data processor can be decided by looking at their role and responsibilities in the processing of personal data.
Most of the time, companies can get help from suppliers on certain specialised matters. For example, they may ask a lawyer for a legal opinion, an accountant for accounting services, a doctor for a medical opinion on a patient, or a human resources company for an expert on a certain subject.
Sometimes the data processor that has signed a contract with the data controller may receive services from others for some of the work to be done. For example, a company providing data centre services to a customer may have made an agreement with another, international company for cloud services. The contract between the data controller and the data processor must stipulate whether part of the service may be obtained from others. In this case, if the data processor receives assistance from another company for the processing of personal data, this does not make it a data controller. There may thus be other data processors that provide services to the data processor and have no contract with the data controller.
Various Examples on Determination of Liability
- Consider the example of a retail company that has contracted with a market research company in order to measure the satisfaction level of its customers, where it is left to the research company, relying on its experience, to determine the customers to be contacted, the questions to be asked, the personal data to be collected during the interview, and the method of contact. In this case, even though the research company is engaged by the retail company and the personal data is ultimately stored by the retail company, the research company is the data controller in terms of the personal data collected during the research.
- In another example, let’s assume that a company selling on the internet collects the fees owed by its customers through a company that provides payment services. This structure is also quite common. Although there is a contract between the two companies that draws the boundaries of the service provided and regulates the financial relationship, the payment service company that makes the collection is not the data processor of the sales company but a data controller, because it decides which personal data will be collected and has direct disposal over the collected personal data. In addition, since it has to fulfil the responsibilities imposed on it by law, the relationship it establishes with the customer lies outside the company making the sale. For example, the rules to be followed in a payment transaction made by credit card (storing payment information such as card number, CV2 and expiry date), or storing the credit card number for subsequent shopping, is the direct relationship of the selling company with its customer. In these circumstances, the company providing payment services is the data controller in terms of the personal data it collects and assumes full responsibility for the protection of that personal data.
- In another example, a hospital sends the laboratory results of its customers to their addresses by post. There is no doubt that the information contained in the sealed envelope is personal data. In this case, what kind of relationship can be mentioned in terms of the relationship between the data controller and the data processor and how should the responsibility for the protection of personal data be distributed?
- Assume that an employee of an engineering company has taken the company’s customer information before leaving and used it to increase the business of a competitor; to simplify the case, assume that the customer information does not belong to natural persons. In this case, it is obvious that the customer information will not fall within the scope of the law. The company whose customer information has been stolen calls its lawyers to find out how the use of this customer information can be prevented. The information about the former employee that it provides to the lawyer is among the personal data covered by the law. In order to stop the ex-employee, the lawyer decides which personal data, such as address, telephone number and history with the company, is necessary.
The lawyer will start the necessary actions with this information. He/she may want to give some of this personal data to different people in order to reach the former employee or to prevent the competitor from taking action. The decisions in this process are made on behalf of the company whose customer information was stolen, with the expertise and guidance of the lawyer. In this case, the lawyer is the data controller, because the lawyer decides which personal data is necessary, with whom to share it and how to use it. The fact that the lawyer is the data controller does not change the fact that the company storing the personal data of the former employee is also a data controller. The point to be emphasised here is that the lawyer is the data controller because of the ability to make decisions on the personal data.
Similarly, if a company purchases services from an accounting company to carry out its accounting transactions, the accounting company is the data controller for the personal data contained in its customer’s records. Persons and companies providing services such as accounting and finance are under certain responsibilities under the law regarding the personal data they process. They are obliged to report financial crimes or irregularities they detect to the prosecutor’s office or the relevant units. In some cases (such as the employee’s SSI-related affairs), the accountant is jointly and severally liable with the employer. In this case, accountants cannot be the data processor of the company. Persons who bear legal responsibilities as a requirement of their work are data controllers, not data processors, in terms of the personal data they process. They cannot transfer or share their responsibilities with their clients. The data responsibility of their customers for the personal data they store also continues.
Data Processor and Data Controller in Terms of GDPR
The European Union General Data Protection Regulation (GDPR), with which the KVKK is partially aligned, is a regulation that entered into force in 2016. In European Union law, it relates to data protection and privacy for individuals located within the European Union and the European Economic Area. Companies operating in countries outside the European Union must also comply with the GDPR if they do business with, or target, persons and companies in the member countries.
Like the KVKK, the GDPR also includes definitions. If we consider the concepts of data controller and data processor in terms of the GDPR:
According to Article 4, titled “Definitions”, “‘processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller”. The concept of “data controller” in the KVKK corresponds to the concept of “controller” in the GDPR. The same Article 4 clarifies the concept of controller as follows: “‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data”.
As we mentioned before, the concept of “data controller” in the KVKK can be referred to as the concept of “controller” in terms of the GDPR. There are similarities and differences in terms of both the data controller and the data processor. To give some examples:
While the controller determines the purposes and means of the processing of personal data, the processor is tasked with processing this data on behalf of the controller. In this respect, the GDPR coincides with the KVKK.
Under both laws, individuals can request the deletion of their processed data.
Under both laws, it is important that the country to which data is transferred abroad provides adequate protection and security for that data. Those responsible should pay attention to this.
The GDPR provides for much higher fines for the controller than the KVKK.
Article 26 of the GDPR regulates the concept of “joint controllers” with the provision “Where two or more controllers jointly determine the purposes and means of processing, they shall be joint controllers.” Here, too, regulations that differ from the KVKK can be encountered.
CONCLUSION
When the concepts of data controller and data processor are examined in terms of the KVKK and the GDPR, we see that the regulations overlap on some issues and differ on others. As a result, in each concrete case, whether the natural or legal person engaged in data processing activities holds the title of data controller or data processor will be evaluated separately, and their responsibilities will be determined according to this evaluation. The criteria and nuances explained in this article will play an important role in determining these responsibilities. It is therefore also important for every natural and legal person engaged in personal data processing activities to obtain advice from persons or institutions specialized in this field.