The Concepts of Personal Data, Data Processor, Data Controller and Contact Person within the scope of Personal Data Protection Legislation
Introduction
The Law on Personal Data Protection (“Law”) numbered 6698, which has been issued as a part of the European Union compliance process, has been published in the Official Gazette numbered 29677 and dated 7 April 2016 and has entered into force. The Board of Personal Data Protection (“Board”) has been constituted in order to enforce this code, and the Personal Data Protection Authority (“Authority”) has been established and has come into operation.
The concepts such as “Personal Data,” “Data Processor,” “Data Controller,” and “Contact Person” have been introduced through enactment of the Law. In this article, we shed light on these concepts, which are important for the determination of the obligations and compliance to the Law, and which are commonly confused by data controllers, especially during their compliance processes.
Personal Data
Personal data is defined in paragraph (g) of Article 3 of the Law as any type of information that relates to an identified or identifiable individual. Physical, social, cultural, economic and psychological information are deemed as personal data, as well as first name, surname, place of birth and date of a real person. Ethnic origin, health, education and employment status, sexual orientation, family information, communication records with others, residential address, credit card information, social security number, union membership and shopping habits may also be counted as examples for personal data.
Processing of data with respect to legal entities is not covered by the Law. However, personal data that is processed by companies is precisely protected within the scope of this legislation. Examples of this data are employee’s information, records of subcontractor’s employees, job applications and resumes, fingerprint records, payroll records, camera records, security entry and exit minutes, as well as signature circulars in the annexes of contracts.
Race, ethnic origin, political opinion, philosophic belief, religion, denomination or other faiths, clothing and attire, membership to an association, charity or union, health, sexual orientation, criminal convictions and security measures, as well as biometric and genetic data of a real person are determined to be sensitive personal data. The Law states that firmer measures should be taken for sensitive personal data since it may create discrimination when they are disclosed. Thus, required administrative and technical measures are stipulated in detail within the context of (i) Board"s decision dated 31.01.2018 and numbered 2018/10 on Adequate Measures to be taken by Data Controllers in the Processing of Sensitive Personal Data, and (ii) Personal Data Security Guideline prepared by the Authority[1].
Data Controller
The Data Controller is the real person or legal entity that determines the objectives and tools of processing of personal data and is responsible for the establishment and management of the data recording system. Thus, the data controller may be a real person, a company, a public institution, an association, or a foundation.
Since the units within a company do not have separate legal personalities, these units cannot be deemed as data controllers. Accordingly, branches may not be considered as data controllers. However, since each company in a group of companies is a legal entity, these companies will be regarded as separate data controllers.
A data controller has the authority to decide on the following matters:
- Objectives and tools of collection of personal data;
- Methods of data processing;
- Types of personal data to be collected;
- Whether personal data is transferred, and conditions of transfer;
- Periods and methods of data storage;
- Administrative and technical measures to be taken; and
- Destruction methods and other relevant matters set out under the Law.
With regard to the identification of the data controller, the person (legal or real) who decides on the aforementioned matters is determinant.
Through a data processing contract to be concluded with the data processor, the data controller may authorize the data processor to determine the systems and methods to be used for data collection, how the data will be stored, the details of the security measures to be taken, and the methods to be used for data transfer and storage, and procedures for the deletion, destruction and anonymization of the personal data. However, we would like to emphasize that this authorization does not mean that the data controller can assign his / her responsibilities arising from the Law to the data processor.
The liability arising from data processing complying with the legislation would be on the data controller, in principle. In this case, legal persons, themselves, are data controllers. Within this framework, employees or authorized persons who process personal data in companies shall not be considered as data controllers. For instance, individuals delivering and receiving documents as part of data processing activities are not data controllers, but the company is.
A data controller is obliged to inform the data subjects of the identification of the controller and his representative, if any; the purpose of the data processing; the details of data transfer, the method and legal reason for the collection of personal data, as well as other rights specified in the Law. The data controller is required to take all necessary technical and administrative measures to provide a sufficient level of security in order to prevent unlawful processing of personal data and unlawful access to personal data, and to ensure the retention of personal data. Moreover, if the reasons for processing the data are extinguished, any relating personal data must be deleted, destroyed or anonymized automatically, or upon the request of a related person by the data controller. In order to fulfill these obligations, the data controller may install a system to monitor the personal data process, periodically. The data controller is obliged to conclude the applications of the data subjects within a maximum period of 30 days, to register with the Data Controllers’ Registry (“Registry”), to prepare a personal data inventory, to assign a contact person, and to notify unlawful data processing activities of the data subjects and the Board, within the context of the legislation. More detailed information regarding obligations of the data controller is stated in the Guideline of Rights and Obligations within the Law which was issued by the Authority[2].
Data Processor
In accordance with paragraph (e) of Article 3, data processing is any operation performed concerning personal data, such as the collection, recording, storage, retention, alteration, re-organization, disclosure, transferring, taking over, making retrievable, classification or preventing the use thereof, fully or partially, through automatic means or, provided that the process is a part of any data registry system, through non-automatic means. Even the storage of the data on a hard disk drive, compact disk, flash memory, or in a file without further processing, are considered to be data processing.
A data processor is a real person or a legal entity, outside the organization of the data controller, who processes personal data on behalf of the data controller, on the authority given by the data controller. A data processor, who is authorized by the data controller through a personal data processing contract, processes personal data in accordance with the instructions given by considering the terms of the contract with the data controller. The crucial part here is that the data processor is a real person or a legal entity outside of the organization of the data controller. Therefore, even if the employees of a company process data, these employees cannot be defined as data processors. Companies serving their customers in accounting, call center, human resources and payroll, cloud computing departments are examples of data processors.
However, in the event that the data processor processes personal data on its own behalf by exceeding the authority given to it by the data controller, the data processor will be regarded as a data controller with respect to this data.
Relationship between Data Controller and Data Processor
A real person or a legal entity may be both a data controller and a data processor at the same time, depending on the nature of the situation. For example, accounting, call center or human resources and payroll companies will be considered data processors in respect of the data of its own employees, while they are considered as data processors in terms of the data processed on behalf of their customers. The details of precedents are also set forth in the Guidelines on Data Controllers and Data Processors issued by the Authority[3].
Upon the processing of personal data by a natural or a legal person on behalf of a data controller (e.g. an accounting company maintaining the records of the said company), the data controller shall jointly and severally be liable with these persons for taking the measures required under the Law. The controllers and processors must not unlawfully misuse nor disclose the obtained personal data to anyone. This obligation shall continue even after the conclusion of their duty.
Consequently, while signing a data processing contract between a data controller and processor, it is significant to obtain the necessary commitments regarding the measures to be taken, to determine the destruction procedures, to determine the responsibilities and authorizations, explicitly, to include recourse regulations, and to specify the right to audit of the data controller.
Contact Person
Real persons or legal entities that process personal data shall enroll in the Registry before proceeding with data processing. Data controllers residing in Turkey, and representatives of data controllers residing abroad shall submit the information of the contact person to the Registry in the course of the registration. Contact person may be appointed from inside of the legal entity, or from outside its organization. The contact person is solely liable for the management of communication between the Authority and the data controller, and not authorized to represent the data controller regarding the obligations set out under the Law. Receiving the notifications given by the Authority and performing transactions regarding the Registry on behalf of the data controller, and exchanging the requests and responses between the data controller and the Authority, are examples for the obligations of the contact person.
Conclusion
The concepts and differences of the data controller and data processor have great importance on the (i) determination of the rights and obligations of individual or legal entities that process personal data and (ii) detection of administrative fines as foreseen in the event of violation of these obligations. As a result, understanding clearly the basic concepts of the Law by taking into consideration of the detailed examples and explanations as stipulated in the Guidelines prepared by the Authority are quite beneficial for the compliance to the Law and legal data processing.
[1] For detailed information, please see https://www.kvkk.gov.tr/SharedFolderServer/CMSFiles/7512d0d4-f345-41cb-bc5b-8d5cf125e3a1.pdf (Access date: 19.09.2019); https://www.kvkk.gov.tr/Icerik/4110/2018-10 (Access date: 19.09.2019).
[2] For detailed information, please see https://www.kvkk.gov.tr/SharedFolderServer/CMSFiles/37fa799d-818b-4654-bca0-3be8e5d88ddf.pdf (Access date: 19.09.2019).
[3] For detailed information, please see https://www.kvkk.gov.tr/SharedFolderServer/CMSFiles/f63e88cd-e060-4424-b4b5-f6413c602060.pdf (Access date: 19.09.2019).
All rights of this article are reserved. This article may not be used, reproduced, copied, published, distributed, or otherwise disseminated without quotation or Erdem & Erdem Law Firm's written consent. Any content created without citing the resource or Erdem & Erdem Law Firm’s written consent is regularly tracked, and legal action will be taken in case of violation.
Other Contents
On September 2025, the Court of Justice of the European Union (“CJEU”) delivered its judgment in Single Resolution Board (SRB) v. European Data Protection Supervisor (EDPS), providing some clarification on the identifiability of data under the EU data protection regime. The case examined whether information that...
As part of the 2020 European Data Strategy, the Regulation on harmonized rules on fair access to and use of data (Data Act or Act) aims to boost the European Union’s (EU) data economy by maximizing data access and data use in a competitive and fair environment.
In Türkiye, it has recently become increasingly common, especially in retail stores, to send verification codes to data subjects by SMS during the provision of goods and services and to process personal data in this way. In the complaints submitted to the Personal Data Protection Board (“Board”), it has been...
In contemporary workplaces, employers frequently implement surveillance systems for reasons such as ensuring occupational health and safety, maintaining workplace order, operating internal control mechanisms, and preventing potential misconduct. However, such monitoring practices often raise significant...
Although the Turkish Personal Data Protection Law No. 6698 (KVKK) stipulates certain rules on cross-border personal data transfer, the effective functioning of the transfer rules was limited over time due to some difficulties in practice. In particular, until late 2024, the application process for permission to transfer...
Personal Data Protection Law numbered 6698 (“PDPL”) was first drafted based on the Directive 95/46/EC of the European Parliament and of the Council on the protection of individuals about the processing of personal data and on the free movement of such data, and entered into force in 2016...
Typically, when an employee departs, their corporate email account remains active and accessible to the employer for a period of time. During this time, the email archive and new incoming messages are forwarded to the employee's manager or another colleague...
In today's world, we now have the opportunity to purchase many products and services through e-commerce platforms with a single click from wherever we are. During these purchases, our personal data are collected and used through the websites or mobile applications of e-commerce platforms for various...
The processing of genetic data has the potential to affect not only the data subjects but also the persons with whom the data subject is genetically connected. “The Guidelines on Issues to be Considered in the Processing of Genetic Data” (“Guidelines”) published by the Personal Data Protection Authority...
In its decision regarding Case-300/21 and dated May 4, 2023, the Court of Justice of the European Union (“CJEU”) evaluates the right to compensation for an infringement of the European Union General Data Protection Regulation (“GDPR”) regulated in Article 82 of the GDPR. The CJEU decided that a mere...
The Personal Data Protection Law numbered 6698 (“PDPL”) introduces definitions for many concepts such as personal data, data controller, data processor and data subject. In terms of understanding and interpreting these concepts, secondary legislation, Personal Data Protection Authority (“Authority”) guidelines...
The Covid-19 pandemic and recent technological developments have significantly accelerated the digital transformation of all sectors. However, this rapid change especially in the financial sector (mobile banking, e-commerce, contactless payments, etc.) has brought some risks along with making life extremely...
Smartwatches have undeniably revolutionized our lives in the past decade. Apart from their core function as a timepiece, these wearable computers packaged in the form of a watch enable us to answer incoming calls, reply to messages and skim through social media notifications in seconds. Their steady rechargeable...
The Personal Data Protection Authority (“DPA”), on 16.06.2022, published the Draft Guidelines on Examination of Loyalty Programs within the Scope of Personal Data Protection Legislation (“Draft Guidelines”). The public has until 16.07.2022 to submit comments on them, and after these are evaluated...
The German Competition Authority (“Bundeskartellamt”) had previously found Meta (formerly Facebook) responsible for abusing its dominant position in the social network market by collecting and processing the personal data of its users without their consent and imposed measures on Meta and its associated...
Banks process large volumes of personal data in their daily operations. In order to deal with this sensitive information, the Turkish Personal Data Protection Authority, in cooperation with the Banks Association of Turkey, published Good Practice Guidelines on Personal Data Protection in the Banking...
The procedural rules on mass claims within European Union (“EU”) Member States is not uniform. To improve the position of consumers who might wish to make such claims, the European Parliament passed the Collective Redress Directive (“Directive”). The impact of the Directive is expected to...
In February 2020, the European Commission (“Commission”) published “A European Strategy for Data” as part of a wider drive concerning digital transformation and policy. Through this communication, the European Union (“EU”), defining itself as having a leading role in the data economy...
The Regulation on Protection and Processing of Personal Data by the Social Security Institution (the “Regulation”), the purpose of which is to determine the procedures and principles for processing data obtained within the scope of the duties and authority of...
The Personal Information Protection Law of the People’s Republic of China (“PIPL”) passed at the 30th meeting of the Standing Committee of the 13th National People’s Congress on 20 August 2021 and entered into force on 1 November 2021 as per Article 74...
In today's world, there is no doubt that data has become one of the most valuable assets and resources for some companies. The ability to collect, store, process, and analyze data on a large scale has dramatically changed...
