Data Processor
"What is the difference between data controller and processor under Turkish law?"
Quick Answer
Under KVKK, a data controller determines the purposes and means of processing, while a data processor processes personal data on the controller’s behalf based on the controller’s instructions. Processors should implement appropriate technical and organisational security measures and act within the controller’s documented instructions.
KVKK Compliance Requirements
A “data processor” is the natural or legal person who processes personal data on behalf of the data controller, based on the controller’s authorisation and instructions (e.g., cloud hosting providers, payroll vendors, call centres, CRM providers). KVKK sets the main rules for processing personal data in Türkiye, including lawful processing conditions, duties of data controllers, data security obligations, and administrative sanctions.
Key Points to Remember
- A processor acts on the controller’s behalf and should not determine the purposes of processing.
- Processing should be limited to documented instructions; confidentiality and access controls are key.
- Security measures (technical/organisational) must be implemented and evidenced (policies, logs, vendor controls).
- Sub-processors should be regulated contractually, and incidents/breaches must be escalated to the controller promptly.
If a vendor determines the purposes and essential means of processing (rather than acting only on instructions), it may be a data controller (or joint controller) rather than a processor.
Practical Implementation
In a processor relationship, the controller should conduct vendor due diligence and sign processor clauses (DPA-style terms). The processor should implement security measures, keep processing within documented instructions, support audits/assistance obligations, regulate any sub-processors, and cooperate on incident response and deletion/return at the end of the service.
The Personal Data Protection Board may impose administrative fines and other corrective measures for non-compliance. Keeping processor contracts and security measures updated helps demonstrate compliance.
Need Expert Legal Guidance?
Our experienced attorneys can help you navigate data processor arrangements and vendor contracts under Turkish law.
Schedule a Consultation