The Concepts of Personal Data, Data Processor, Data Controller and Contact Person within the scope of Personal Data Protection Legislation
The Law on Personal Data Protection (“Law”) numbered 6698, which has been issued as a part of the European Union compliance process, has been published in the Official Gazette numbered 29677 and dated 7 April 2016 and has entered into force. The Board of Personal Data Protection (“Board”) has been constituted in order to enforce this code, and the Personal Data Protection Authority (“Authority”) has been established and has come into operation.
The concepts such as “Personal Data,” “Data Processor,” “Data Controller,” and “Contact Person” have been introduced through enactment of the Law. In this article, we shed light on these concepts, which are important for the determination of the obligations and compliance to the Law, and which are commonly confused by data controllers, especially during their compliance processes.
Personal data is defined in paragraph (g) of Article 3 of the Law as any type of information that relates to an identified or identifiable individual. Physical, social, cultural, economic and psychological information are deemed as personal data, as well as first name, surname, place of birth and date of a real person. Ethnic origin, health, education and employment status, sexual orientation, family information, communication records with others, residential address, credit card information, social security number, union membership and shopping habits may also be counted as examples for personal data.
Processing of data with respect to legal entities is not covered by the Law. However, personal data that is processed by companies is precisely protected within the scope of this legislation. Examples of this data are employee’s information, records of subcontractor’s employees, job applications and resumes, fingerprint records, payroll records, camera records, security entry and exit minutes, as well as signature circulars in the annexes of contracts.
Race, ethnic origin, political opinion, philosophic belief, religion, denomination or other faiths, clothing and attire, membership to an association, charity or union, health, sexual orientation, criminal convictions and security measures, as well as biometric and genetic data of a real person are determined to be sensitive personal data. The Law states that firmer measures should be taken for sensitive personal data since it may create discrimination when they are disclosed. Thus, required administrative and technical measures are stipulated in detail within the context of (i) Board's decision dated 31.01.2018 and numbered 2018/10 on Adequate Measures to be taken by Data Controllers in the Processing of Sensitive Personal Data, and (ii) Personal Data Security Guideline prepared by the Authority.
The Data Controller is the real person or legal entity that determines the objectives and tools of processing of personal data and is responsible for the establishment and management of the data recording system. Thus, the data controller may be a real person, a company, a public institution, an association, or a foundation.
Since the units within a company do not have separate legal personalities, these units cannot be deemed as data controllers. Accordingly, branches may not be considered as data controllers. However, since each company in a group of companies is a legal entity, these companies will be regarded as separate data controllers.
A data controller has the authority to decide on the following matters:
- Objectives and tools of collection of personal data;
- Methods of data processing;
- Types of personal data to be collected;
- Whether personal data is transferred, and conditions of transfer;
- Periods and methods of data storage;
- Administrative and technical measures to be taken; and
- Destruction methods and other relevant matters set out under the Law.
With regard to the identification of the data controller, the person (legal or real) who decides on the aforementioned matters is determinant.
Through a data processing contract to be concluded with the data processor, the data controller may authorize the data processor to determine the systems and methods to be used for data collection, how the data will be stored, the details of the security measures to be taken, and the methods to be used for data transfer and storage, and procedures for the deletion, destruction and anonymization of the personal data. However, we would like to emphasize that this authorization does not mean that the data controller can assign his / her responsibilities arising from the Law to the data processor.
The liability arising from data processing complying with the legislation would be on the data controller, in principle. In this case, legal persons, themselves, are data controllers. Within this framework, employees or authorized persons who process personal data in companies shall not be considered as data controllers. For instance, individuals delivering and receiving documents as part of data processing activities are not data controllers, but the company is.
A data controller is obliged to inform the data subjects of the identification of the controller and his representative, if any; the purpose of the data processing; the details of data transfer, the method and legal reason for the collection of personal data, as well as other rights specified in the Law. The data controller is required to take all necessary technical and administrative measures to provide a sufficient level of security in order to prevent unlawful processing of personal data and unlawful access to personal data, and to ensure the retention of personal data. Moreover, if the reasons for processing the data are extinguished, any relating personal data must be deleted, destroyed or anonymized automatically, or upon the request of a related person by the data controller. In order to fulfill these obligations, the data controller may install a system to monitor the personal data process, periodically. The data controller is obliged to conclude the applications of the data subjects within a maximum period of 30 days, to register with the Data Controllers’ Registry (“Registry”), to prepare a personal data inventory, to assign a contact person, and to notify unlawful data processing activities of the data subjects and the Board, within the context of the legislation. More detailed information regarding obligations of the data controller is stated in the Guideline of Rights and Obligations within the Law which was issued by the Authority.
In accordance with paragraph (e) of Article 3, data processing is any operation performed concerning personal data, such as the collection, recording, storage, retention, alteration, re-organization, disclosure, transferring, taking over, making retrievable, classification or preventing the use thereof, fully or partially, through automatic means or, provided that the process is a part of any data registry system, through non-automatic means. Even the storage of the data on a hard disk drive, compact disk, flash memory, or in a file without further processing, are considered to be data processing.
A data processor is a real person or a legal entity, outside the organization of the data controller, who processes personal data on behalf of the data controller, on the authority given by the data controller. A data processor, who is authorized by the data controller through a personal data processing contract, processes personal data in accordance with the instructions given by considering the terms of the contract with the data controller. The crucial part here is that the data processor is a real person or a legal entity outside of the organization of the data controller. Therefore, even if the employees of a company process data, these employees cannot be defined as data processors. Companies serving their customers in accounting, call center, human resources and payroll, cloud computing departments are examples of data processors.
However, in the event that the data processor processes personal data on its own behalf by exceeding the authority given to it by the data controller, the data processor will be regarded as a data controller with respect to this data.
Relationship between Data Controller and Data Processor
A real person or a legal entity may be both a data controller and a data processor at the same time, depending on the nature of the situation. For example, accounting, call center or human resources and payroll companies will be considered data processors in respect of the data of its own employees, while they are considered as data processors in terms of the data processed on behalf of their customers. The details of precedents are also set forth in the Guidelines on Data Controllers and Data Processors issued by the Authority.
Upon the processing of personal data by a natural or a legal person on behalf of a data controller (e.g. an accounting company maintaining the records of the said company), the data controller shall jointly and severally be liable with these persons for taking the measures required under the Law. The controllers and processors must not unlawfully misuse nor disclose the obtained personal data to anyone. This obligation shall continue even after the conclusion of their duty.
Consequently, while signing a data processing contract between a data controller and processor, it is significant to obtain the necessary commitments regarding the measures to be taken, to determine the destruction procedures, to determine the responsibilities and authorizations, explicitly, to include recourse regulations, and to specify the right to audit of the data controller.
Real persons or legal entities that process personal data shall enroll in the Registry before proceeding with data processing. Data controllers residing in Turkey, and representatives of data controllers residing abroad shall submit the information of the contact person to the Registry in the course of the registration. Contact person may be appointed from inside of the legal entity, or from outside its organization. The contact person is solely liable for the management of communication between the Authority and the data controller, and not authorized to represent the data controller regarding the obligations set out under the Law. Receiving the notifications given by the Authority and performing transactions regarding the Registry on behalf of the data controller, and exchanging the requests and responses between the data controller and the Authority, are examples for the obligations of the contact person.
The concepts and differences of the data controller and data processor have great importance on the (i) determination of the rights and obligations of individual or legal entities that process personal data and (ii) detection of administrative fines as foreseen in the event of violation of these obligations. As a result, understanding clearly the basic concepts of the Law by taking into consideration of the detailed examples and explanations as stipulated in the Guidelines prepared by the Authority are quite beneficial for the compliance to the Law and legal data processing.
 For detailed information, please see https://www.kvkk.gov.tr/SharedFolderServer/CMSFiles/7512d0d4-f345-41cb-bc5b-8d5cf125e3a1.pdf (Access date: 19.09.2019); https://www.kvkk.gov.tr/Icerik/4110/2018-10 (Access date: 19.09.2019).
 For detailed information, please see https://www.kvkk.gov.tr/SharedFolderServer/CMSFiles/37fa799d-818b-4654-bca0-3be8e5d88ddf.pdf (Access date: 19.09.2019).
 For detailed information, please see https://www.kvkk.gov.tr/SharedFolderServer/CMSFiles/f63e88cd-e060-4424-b4b5-f6413c602060.pdf (Access date: 19.09.2019).