The Personal Data Protection Board (“Board”) issued its decision dated 30.01.2020 and no. 2020/71 regarding the matters to be taken into consideration in determining the data controller and data processor and who will fulfill obligation to inform. The decision was published on the website of the Personal Data Protection Board on 11.02.2021.
In the decision, the Board examined the data controller and the data processor in two different ways and specified some criteria to determine the data controller and data processor. The Board made the following evaluations regarding the data controller and the data processor.
Board's Evaluations Concerning the Data Controller
In accordance with the Law on the Protection of Personal Data No. 6698, (“Law”) data controller is defined as; "Natural and legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of data recording system". In this context, data controller has the power to make decisions regarding the processing of personal data, the purpose of the processing, when this activity will start and by whom it will be carried out, and other similar issues. The data controller, who determines the purposes and means of processing personal data, also determines the basic tools and purposes of data processing; and “reason” and “method” of data processing. In other words, the basic elements of data processing such as determining technical and organizational tools, who will access the data, which data will be processed, how long these data will be kept, and how they will be stored are determined by the data controller. In addition, the data controller is responsible for taking measures regarding compliance with the legislation for the protection of personal data, controlling the data processor and ensuring that the relevant persons can exercise their rights.
In the decision, the Board also mentioned the importance of the data controller’s autonomy and independence. It has been stated that the data controllers do not receive orders and instructions from anyone, but give orders and instructions in the event of data processing to another person, and have the authority to freely make decisions at any moment of the data processing proceedings.
The European Data Protection Supervisor's “Data Controller, Data Processor and Joint Data Controller Guideline in the scope of the Regulation numbered 2018/1725 and dated 07.11.2019” and “the Article 29 Working Group's recommendation numbered 1/2010” brought various criteria for determining the data controller. In the decision of the Board, it was stated that, in light of the evaluation of all the national law and European Union provisions, it is decretive who decides on the following items for the determination of the data controller, and in this context, those who fulfill most of these criteria will be considered as the data controller. The criteria to be considered in determination of the data controller are listed in the decision as follows:
- Collection and collection method of personal data,
- The types of personal data to be collected,
- Which individuals' personal data will be collected,
- Deciding on the processing of personal data and who will process it,
- Deciding on the basic elements of processing,
- Whether the collected data will be shared, and if so, with whom,
- Being able to make decisions on the processing of personal data without taking any orders or instructions,
- Appointment of a data processor to carry out data processing on her/his behalf,
- Dealing directly with the relevant persons,
- Capitalize on the processing activity.
Board’s Evaluations Concerning the Data Processor
In accordance with the Law, data processor is defined as; "The natural or legal person who processes personal data on behalf of the data controller based on the authority given by the data controller." The data processor processes
personal data on behalf of the data controller, and carries out data processing activity in line with the basic purpose and tools determined by the data controller and with the authorization given by the data controller. In this context, the data processor will process personal data in accordance with the Law to the extent that it complies with the orders and instructions given by the data controller. However, as stated in the decision of the Board, if authorized by the data controller, data processor can have a significant degree of autonomy during data processing activities and accordingly can define the non-essential elements of the processing activity.
The data controller can leave the decision-making authority on the following issues to the data processor with personal data processing agreement to be signed between the data controller and the data processor:
- Which information technology systems or other methods will be used to collect personal data,
- The method by which personal data will be stored,
- Details of security measures to be taken to protect personal data,
- The method of the personal data transfer,
- The method to be used for the correct enforcement of the personal data retention periods,
- Methods of deletion, destruction and anonymization of personal data.
The Board has included some criteria in terms of determining the data processor in its decision. Accordingly, in cases where most of these criteria exist, those who perform data processing activities will be considered as data processors. The mentioned criteria as follows:
- Getting instructions from someone else to process personal data,
- Not having the authority to make decisions in the process of collecting personal data from individuals,
- Not be able to determine the usage purposes of personal data,
- Not having the authority to decide how the personal data can be disclosed and who can access these personal data,
- Not having the authority to decide on the data retention process,
- Not being responsible for the results of data processing,
- Whether there are some decision-making mechanisms for the processing of personal data within the framework of legally binding agreements such as the contract with the data controller, within the framework of the powers granted by the data controller.
Board’s Evaluations Concerning Who Will Fulfill Obligation to Inform
The obligation to inform in Article 10 of the Law must be fulfilled in accordance with the provisions of the "Announcement on the Procedures and Principles to be Followed in Fulfilling Obligation to Inform" (Announcement on the Obligation to Inform). In accordance with the Board’s decision, although the obligation to inform belongs to the data controller, it is considered that this obligation can be fulfilled by the data processor in line with the instructions given by the data controller. In the Article 10 of the Law, two options are presented to the data controller regarding the obligation to provide information by saying "through the data controller or the person authorized by the data controller during the acquisition of personal data". In other words, the Board stated that the Law gives the data controller the right to choose whether the obligation to inform will be fulfilled by the data controller itself or by the authorized person determined by the data controller. Therefore, it was stated that, the person authorized by the data controller specified in the Article 10 of the Law may also be the data processor.