February 2021 – On 12 February 2021 the Turkish Personal Data Protection Board (the "Board") published a decision (dated 30 January 2020 and numbered 2020/71, the "Decision") in which the Board states the essential elements to distinguish between the concepts of data controller and data processor. In its Decision the Board also emphasises that a data controller may fulfil its obligation to inform itself or via another authorised party.
Elements to be considered to distinguish the concept of data controller
According to the Turkish Personal Data Protection Law (numbered 6698, the "PDPL"), a data controller is a natural or legal person who determines the purposes and means of processing personal data and who is responsible for the establishment and management of a data recording system. In this context, the Board states in its Decision that a data controller has the authority to decide on the processing of personal data independently, the purpose of the processing, when this processing activity will begin, and similar essential elements. The Board also emphasises that the concept of data controller is autonomous and independent.
In its decision, the Board expressly refers to EU legislation; "Opinion 1/2010 on the Concepts of 'Controller' and 'Processor'" published by the Article 29 Data Protection Working Party1 and "Guidelines on the Concepts of Controller, Processor and Joint Controllership Under Regulation (EU) 2018/1725" published by the European Data Protection Supervisor.2 In this respect, the Board states that a party engaged in the majority of the following activities that also fall under the mentioned EU laws will be deemed as a data controller:
- collecting and determining the collection method of personal data;
- determining the types of personal data to be collected;
- deciding on which individuals' personal data will be collected;
- deciding on the processing of personal data and who will process it;
- deciding on the essential elements of the processing activity (what personal data will be collected, for what purposes the collected data will be used and how it will be processed, the data retention period, what the data retention policy will be, who has access to the data, recipients etc.);
- deciding whether the collected data will be shared and, if the collected data will be shared, with whom it will be shared;
- being able to make decisions on the processing of personal data without taking any orders or instructions;
- dealing directly with data subjects;
- appointing a data processor to carry out processing activities on a data controller's behalf' and
- benefitting from data processing.
Elements to be considered to distinguish the concept of data processor
As to the concept of data processor, in its Decision the Board indicates that a data processor is defined as a natural or legal person who processes personal data on behalf of a data controller, based on the authority given by the data controller. The activities of a data processor are mostly related to the technical parts of data processing.
The Board emphasises that in the event that a data processor processes the personal data, the data controller is jointly responsible for any technical and administrative measures taken, together with the data processor. In addition to this, the Board created a list to distinguish a data processor and states that a party engaged in the majority of the following activities shall be considered as a data processor:
- following instructions from another party with regard to the processing of personal data;
- not having the authority to decide on the collection of personal data from individuals;
- not being involved in the decision concerning the purposes of use of personal data;
- not having the authority to decide how data can be disclosed and who can access the data;
- not having the authority to decide on the data retention period;
- not being responsible for the end result of data processing; and
- if there are some decision-making mechanisms for the processing of personal data within the framework of legally binding agreements, such as the agreement with the data controller, within the framework of the powers granted by the data controller.
In its Decision the Board underlines that a data processor is the actor that takes care of the interests of the data controller and is obliged to fulfil certain duties and assigned instructions. It also indicates that, unlike a data controller, a data processor is not autonomous and independent. The Board also states that a data controller may grant the authorisation to decide on the following matters through a personal data processing agreement;
- the information technology systems or other methods to be used to collect personal data;
- the method by which personal data will be stored;
- details of the security measures to be taken to protect personal data;
- the method by which personal data will be transferred;
- the method to be used for the correct application of the periods for the storage of personal data; and
- the methods of deletion, destruction and anonymization of personal data.
The obligation of a data controller to inform
Within the scope of the Decision, the Board explicitly states that a data controller has the right to decide whether the obligation to inform will be fulfilled by the data controller or by a person that the data controller has authorised. Accordingly, the person authorised by the data controller may also be a data processor.
In its Decision, the Board also highlights the nature of the obligation to inform. According to Article 10 of the PDPL, a data controller is obliged to inform a data subject of the following matters:
- the identity and contact details of the data controller and its representative if any;
- the purposes for processing;
- any recipients of personal data, and the purposes of the data transfer to recipients;
- the collection methods and legal basis for the processing; and
- the data subject's rights stipulated under Article 11 of Turkish Personal Data Protection Law.
The Board also remarked that the information under the privacy notice should be in line with the information registered with the Data Controllers Registry, and that the fulfilment of the obligation to inform is not subject to the consent of the data subject. The data controller performs this obligation with a unilateral declaration. However, it should be noted that the data controller is responsible for proving the fulfilment of the obligation to inform.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.