The Turkish Data Protection Law defines a data controller as “the natural or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data filing system”.
According to the guidelines that the Turkish Data Protection Board has published on its website, “data processors are natural or legal persons authorized by a data controller under a personal data processing agreement and who process personal data in accordance with the instructions given by such data controller”.
If you are still not certain what your responsibilities are in the case where your customer acts as the data controller and you are the data processor, this article will help you understand what needs to be done.
Sign a data processing agreement
- You must sign a data processing agreement with your customer.
- The DPA must define the scope of the data processing, the categories of data to be processed, the categories of data subjects, and the purpose and duration of the processing.
- The DPA must also include your obligations as a data processor regarding data protection and privacy.
- You can read more about what needs to be covered by a DPA here.
Compliance with the instructions
- You must comply fully with the data controller’s instructions while processing personal data. Keep records of those instructions so that you can track them and prove what you were instructed to do.
- Also keep records of the data processing activities you conduct for your customers.
Don’t use another data processor unless the data controller approves it
- You must obtain the data controller’s approval before appointing another data processor. Such approval can be a general permission given in the data processing agreement or a specific permission for particular data processors.
Keep the personal data safe
- You must take adequate organizational and technical measures to ensure the security and privacy of the data you process for your customer. Inform your customer about those security measures and share the relevant documentation with them.
- Applications, tools, products, etc. that you offer to your customers must comply with personal data protection legislation and its requirements. Make sure that only the data necessary for the data processing activity is processed.
- As soon as the user or subscription agreement you entered into with your customer terminates, or the purpose of the data processing ends, delete all the data or return it to your customer. Make sure you don’t keep any copies of the data.
Train your employees
- You must train your employees in data protection and data processing and make sure they are bound by a confidentiality obligation.
Help your data controller customer
- You must immediately inform your customer in the event of a data breach. It is your customer’s responsibility to notify the Personal Data Protection Board of data breaches, but you must help them duly fulfil that obligation.
- If a data subject asks to exercise any of their rights under the Data Protection Law, you must immediately inform your customer and assist them with their obligations to the data subject.
Don’t do the following
- Don’t process personal data beyond the data controller’s instructions.
- Don’t delay notifying your customer of any data breach.
- Don’t use data processors who do not provide adequate security measures for data protection.