Under Turkish Data Protection Law No. 6698 (“Law”), which came into force on April 7, 2016, it is crucial to make the distinction between the terms “data controller” and “data processor” in order to determine the liabilities of the parties in a data processing transaction.
According to the Law, the data controller is defined as the real or legal person which determines the purposes and means of processing the personal data and is liable for the establishment and management of the data retention system. The data processor, on the other hand, is defined as the natural or legal person which processes personal data on behalf of the data controller, based on the authority granted by it. In short, the party determining why and how the personal data will be processed will be considered the data controller. For example, if a company outsources the retention and operation of its customer database to an IT service provider, it would be easy to say that the company is acting as data controller and the IT service provider as data processor.
However, in some cases, the roles of the parties to a data processing transaction may not be easy to determine. For instance, when an entity purchases personal data (“Purchaser”) (such as contact information or the habits and likes of individuals) from a data sourcing company (“Data Sourcing Company”) and transfers the personal data to a third-party research service provider (“Research Service Provider”) to carry out market research, it could be difficult to determine which entity will be considered the controller. In this context, which of the following would be considered a data controller?
- the Purchaser, which determines the purpose of processing but does not establish the data retention system, or
- the Data Sourcing Company, which determines the type of personal data to be collected and keeps the data?
The Turkish Data Protection Authority (“DPA”) published a guideline to clarify the definitions of data controller and data processor in case of uncertainty. According to the guideline, in order to determine the controller, it needs to be clarified which organization decides one of the following:
- methods of collection
- types of personal data which will be collected
- the purposes that the data will be used for
- from which individuals the data will be collected
- whether to disclose the data and if so to whom
- the period that the data will be retained
Based on the above guideline, the Purchaser, which neither establishes the data retention system nor keeps the personal data, will still be considered a controller. On the other hand, since the Data Sourcing Company decides the types of personal data to be collected and retains the data in its database, it will also be considered a data controller.
To give another example, in an e-commerce transaction, the seller enters into a sales agreement with the consumer and collects the payment via a third-party payment service provider. Although the payment service provider does not directly enter into a sales agreement with the consumer, it will still be considered a data controller, since it determines the type of personal data to be collected from the consumers for collection of the payment and the purpose for which the data will be used.
That being said, it is recommended to sign a data processing agreement between the controller and the processor in order to avoid any confusion and to clarify the roles and obligations of the parties. However, it should be noted that, even though the parties sign a data processing agreement to determine their roles and obligations under the Law, the DPA has the sole authority to determine the actual roles.