Data controller or processor under the new data protection law
April 2018 – We have prepared this article on the Law on Personal Data Protection (the “Law”) to describe certain general requirements that all corporate entities must comply with as per the Law.
I. Law on Personal Data Protection
A corporate entity may process personal data as a “controller” (veri sorumlusu) or a “processor” (veri işleyen) under the terms of the Law. Such data may relate to employees, job applicants, customers, suppliers or other business contacts. Depending on the relationship that forms the basis for the collection of the data, an entity which processes data may be defined as a controller or a processor:
- Controller means any natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
- Processor means any natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
Therefore, a controller is generally an entity which collects personal data for purposes determined by itself and on the basis of a relationship with the data subject (ilgili kişi-veri sahibi). A processor, on the other hand, has a subordinate role, limited to processing data as requested by the controller. Naturally, the requirements and liabilities of these parties towards the data subjects differ. The Law sets out specific requirements for the data controller and refers to the joint liability of processors with respect to the general data protection rules. Therefore, we summarize the general requirements of data controllers in this memo.
II. Avoiding processing and transfer of personal data without explicit consent of the data subject
Explicit consent is one of the key requirements for data processing. Such consent should be obtained after the data subject has been fully informed of the kind, scope and purpose of the processing, and the consent must be limited to a specific processing activity. However, the Law provides certain exemptions from the requirement of explicit consent in cases where:
a. legislation requires the controller to process data;
b. processing is necessary in order to protect the vital interests of the data subject or of another natural person;
c. processing is necessary for the performance of a contract to which the data subject is party;
d. processing is necessary for compliance with a legal obligation to which the controller is subject;
e. processing is necessary to establish, use or protect a right or entitlement;
f. processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data; or,
g. data is disclosed by the data subject.
For instance, keeping personnel records of employees does not require consent, as it is a requirement under the Labour Law. However, collecting customer data in order to send push messages or commercial advertisements is subject to explicit consent.
Transferring personal data to a third country is subject to an additional limitation in the cases listed above where explicit consent is not required for processing. In such cases, where the third country has not been declared safe by the Turkish Data Protection Board, the controller must either obtain the explicit consent of the data subject or obtain permission from the Board by undertaking to provide the same level of protection as in Turkey. However, the Board has not yet published such a list.
In addition, controllers bear the burden of proving that explicit consent was obtained; it is therefore recommended that controllers obtain consent in a provable form (e.g. in writing or through an online system whose log records can be tracked).
III. Registration with Data Controllers Register (VERBİS)
Each data controller must register with VERBİS.
IV. Preparation of data inventory
Data controllers are required to prepare a personal data processing inventory that sets out the data processing activities within their operations, the purposes of processing, the categories of data and of data subjects, the recipients to whom data is transferred, the maximum period of processing and storage, the personal data that may be transferred to a third country, and the measures taken to ensure the security of personal data. This inventory is used for registration with VERBİS and forms the basis of the Policy on Storage and Destruction of Personal Data.
V. Requirement to inform the data subject
Data controllers must inform the data subject of the reason, purpose and method of the data processing, the rights of the data subject and the procedures for exercising these rights. This requirement may be fulfilled through a written notice sent to all data subjects.
VI. Preparation of Policy on Storage and Destruction of Personal Data
Data controllers are required to prepare a Policy setting out the reasons for, purposes of and methods of processing personal data, information regarding the data they process, the categories of data subjects, and the storage and destruction periods. Data processing activities should be conducted in accordance with this Policy.
Additionally, both data controllers and processors must take the necessary technical and administrative measures to prevent unlawful data processing, data leakage or any other third-party access to personal data. Such measures include conducting training and audits, informing employees, preparing the relevant legal documents and taking any technical step that increases system security.