February 2021 – On 12 February 2021 the Turkish Personal Data Protection Board (the "Board") published a decision (dated 30 January 2020 and numbered 2020/71, the “Decision”) in which the Board states the essential elements to distinguish between the concepts of data controller and data processor. In its Decision the Board also emphasises that a data controller may fulfil its obligation to inform itself or via another authorised party.
Elements to be considered to distinguish the concept of data controller
According to the Turkish Personal Data Protection Law (numbered 6698, the “PDPL”), a data controller is a natural or legal person who determines the purposes and means of processing personal data and who is responsible for the establishment and management of a data recording system. In this context, the Board states in its Decision that a data controller has the authority to decide on the processing of personal data independently, the purpose of the processing, when this processing activity will begin, and similar essential elements. The Board also emphasises that the concept of data controller is autonomous and independent.
In its decision, the Board expressly refers to EU legislation; “Opinion 1/2010 on the Concepts of ‘Controller’ and ‘Processor’” published by the Article 29 Data Protection Working Party[1] and “Guidelines on the Concepts of Controller, Processor and Joint Controllership Under Regulation (EU) 2018/1725” published by the European Data Protection Supervisor.[2] In this respect, the Board states that a party engaged in the majority of the following activities that also fall under the mentioned EU laws will be deemed as a data controller:
Elements to be considered to distinguish the concept of data processor
As to the concept of data processor, in its Decision the Board indicates that a data processor is defined as a natural or legal person who processes personal data on behalf of a data controller, based on the authority given by the data controller. The activities of a data processor are mostly related to the technical parts of data processing.
The Board emphasises that in the event that a data processor processes the personal data, the data controller is jointly responsible for any technical and administrative measures taken, together with the data processor. In addition to this, the Board created a list to distinguish a data processor and states that a party engaged in the majority of the following activities shall be considered as a data processor:
In its Decision the Board underlines that a data processor is the actor that takes care of the interests of the data controller and is obliged to fulfil certain duties and assigned instructions. It also indicates that, unlike a data controller, a data processor is not autonomous and independent. The Board also states that a data controller may grant the authorisation to decide on the following matters through a personal data processing agreement;
The obligation of a data controller to inform
Within the scope of the Decision, the Board explicitly states that a data controller has the right to decide whether the obligation to inform will be fulfilled by the data controller or by a person that the data controller has authorised. Accordingly, the person authorised by the data controller may also be a data processor.
In its Decision, the Board also highlights the nature of the obligation to inform. According to Article 10 of the PDPL, a data controller is obliged to inform a data subject of the following matters:
The Board also remarked that the information under the privacy notice should be in line with the information registered with the Data Controllers Registry, and that the fulfilment of the obligation to inform is not subject to the consent of the data subject. The data controller performs this obligation with a unilateral declaration. However, it should be noted that the data controller is responsible for proving the fulfilment of the obligation to inform.
Please do not hesitate to contact our data protection team members for more information regarding the above.
Baran Gen, Partner, bgen@gentemizerozer.com
Ceren Ceyhan, Associate, cceyhan@gentemizerozer.com
Ertuğrul Keçeli, Legal Trainee, ekeceli@gentemizerozer.com
[1] https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2010/wp169_en.pdf
[2]https://edps.europa.eu/sites/default/files/publication/19-11-07_edps_guidelines_on_controller_processor_and_jc_reg_2018_1725_en.pdf