Turkish Law Blog

Contractual Relationship between Data Controller and Data Processor in Turkish Law

Furkan Güven Taştan / Ankara Yıldırım Beyazıt University
16 May, 2019

The data controller and the data processor, which are the main subjects of data protection law, can enter into a contractual relationship to share rights, privileges and responsibilities. Unlike under Article 28 of the GDPR, Turkish law imposes no statutory obligation to conclude a contract in order to determine the regime of responsibility[1].

Pursuant to Article 12 of the Turkish Data Protection Law (no. 6698), where personal data is processed by a data processor on behalf of a data controller, both of them shall be jointly responsible for taking the security measures. On the basis of contractual freedom, a data controller can conclude a contract with a data processor to determine the details of this joint responsibility in Turkish law.

Because Turkish law contains no regulation on this matter, this contractual relationship is deemed an innominate contract. It is one of the modern contract types in the world, which lawyers generally tend to call a “relationship between data controller and data processor”[2]. Instead of this long denotation, we prefer to name this contract a “Personal Data Processing Contract” or “Data Processing Contract”, based on the principal contractual obligation of the data processor[3].

The data processor’s principal obligation is to process personal data on behalf of the data controller, following the instructions, interests, and intentions of the data controller. Based on this principal obligation, the personal data processing contract is considered a kind of work contract. According to Article 502/II of the Turkish Code of Obligations, innominate work contracts are subject to the provisions on mandate contracts. Consequently, the personal data processing contract is subject to the provisions on mandate contracts.

With regard to form, the parties are not obliged to conclude the contract in any particular form. Nevertheless, it should be noted that the Turkish Personal Data Protection Authority has published two types of standard contractual clauses, as was done in the EU during the period of Directive 95/46/EC[4]. These clauses force the contracting parties to conclude the contract in written form. The standard contractual clauses determine the conditions for transfers from data controllers to data controllers and data processors abroad. It should therefore be stated that contracts entailing the transfer of personal data abroad must, indirectly, be concluded in written form.

The Turkish Personal Data Protection Authority has also touched upon the personal data protection contract in its “Guidance on Practicing to the Personal Data Protection Code”, as follows:

(for data processors) “These persons are a separate natural or legal entity that processes personal data within the framework of the instructions given to him or her, authorized by the data controller with making a personal data processing contract.” (page 56)

“… with the personal data processing contract, the data controller may leave the decision-making power to the data processor in the following example cases:

  • Determining the information technology systems or other methods to be used in order to collect personal data,
  • The method to be used to store personal data,
  • Details of the security measures to be taken for the protection of personal data,
  • The method of transferring personal data,
  • The method to be used in order to ensure the proper application of the duration of the storage of personal data,
  • The method of deletion, destruction, and anonymization of personal data.” (page 57)

In conclusion,

  • The personal data processing contract is an innominate contract in Turkish law. According to Article 502/II of the Turkish Code of Obligations, the personal data processing contract is subject to the provisions on mandate/agency contracts.
  • In practice, data controllers and data processors conclude this contract to determine the regime of responsibility on the basis of contractual freedom. Except where it entails the transfer of personal data abroad, the contract can enter into force without being subject to any form.
  • It is possible to stipulate the matters of Article 28 § 3 of the GDPR in the contract. Yet in Turkish law, unlike under the GDPR, concluding a contract is not a legal requirement.

[1] Comparison: According to Article 28/III of the GDPR, processing by a processor shall be governed by a contract or other legal act under Union or Member State law.

[2] See also, for the other kinds of relationships between data controllers and data processors in Turkish law: Memiş, Tekin; “Veri Sorumlusu ve Veri İşleyen Arasındaki İlişkiler ve Sorumluluk Düzeni” (The Relationships Between Data Controller and Data Processor and Dispositions of Liabilities), Beykent Üniversitesi Hukuk Fakültesi Dergisi, Issue: 6, pages 9-23.

[3] Taştan, Furkan Güven; Türk Sözleşme Hukukunda Kişisel Verilerin Korunması (Protection of Personal Data in Turkish Contract Law), p. 119.

[4] These clauses were published by the Turkish Personal Data Protection Authority on the basis of Article 9 § 2, subpar. (b) (only in Turkish): https://kvkk.gov.tr/Icerik/5255/Taahhutnameler
