Data controllers who wish to entrust their data processing activity to a third party must appoint that third party as data processor on their behalf by way of a contract. The contract under which a data controller authorizes a third party to process personal data on its behalf and in accordance with its instructions is called a data processing agreement (“DPA”).
A DPA must comply with the Turkish Personal Data Protection Law (“PDPL”) and the relevant secondary legislation. The following sections describe what needs to be included in a DPA in order to comply with the law.
Organisational and Technical Measures
Data processors must take the organisational and technical measures provided for in the PDPL. The Personal Data Protection Authority has published the Guideline on Personal Data Security (Technical and Organizational Measures), and it is recommended that the following matters be regulated in the DPA accordingly:
- Data processors must process personal data only in accordance with the data controller’s instructions, which are recommended to be given in writing.
- Data processors must comply with the purpose and scope of data processing as stipulated in the DPA.
- Data processors must comply with the personal data protection legislation.
- Data processors must be subject to a permanent non-disclosure obligation regarding the personal data they process.
- In the event of a breach of the DPA, data processors must immediately inform the data controller.
The parties to a DPA can agree that the data processor shall be authorized to decide on the following matters: (i) which technologies will be used for data processing, (ii) which method will be used for data retention, (iii) the details of the security measures for personal data protection, (iv) which method will be used to transfer personal data and (v) which methods will be used to delete, destroy and anonymize personal data.
The DPA must also indicate the categories and types of personal data which are transferred to the data processor by the data controller.
Employees and sub-contractors of the data processor
Data processors must ensure that their employees who have access to personal data comply with the PDPL. Data processors must grant their employees access to personal data only on a need-to-know basis. It is also recommended to have the employees sign a non-disclosure agreement or to include a non-disclosure obligation in their employment agreements.
Data processors may use sub-contractors only if the data controller requests or approves it.
Rights of data subjects
Data subjects must be able to exercise their rights under the PDPL, and this should be the priority. Thus, data processors must take organisational and technical measures and make all other necessary arrangements to ensure that the data controller can fulfil its obligations towards data subjects.
Data processors must immediately inform the data controller when they receive a request from a data subject under the personal data protection legislation. Data processors must reply to such a request in line with the data controller’s instructions or as required by law.
Audit right of the data controller
Data processors must provide the necessary information to the data controller and, if and when requested by the data controller, allow the data controller or an auditor appointed by it to audit the data processing activities for compliance with the DPA.
Erasure of personal data
Once there is no longer a purpose for processing the personal data, data processors must either erase or destroy the personal data in accordance with the PDPL.
Transfer of personal data to third countries
Data processors shall not transfer personal data without the data controller’s approval.