The Concepts of Controller, Processor and Joint Controllership
On November 7, 2019, the European Data Protection Supervisor published the final version of its guidelines, based on the General Data Protection Regulation (“GDPR”), on the concepts of controller, processor and joint controllership and their responsibilities. The Authority made the following evaluations:
1. The Data Controller
Pursuant to paragraph 7 of Article 4 of the GDPR, ‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
According to the definition, the only person authorized to determine the purposes and essential means of the processing of personal data is the data controller. In other words, the data controller is the person who decides on what legal basis the personal data will be processed and how this data processing will be performed.
Another critical clarification in the Guidelines is that a data controller will still qualify as a controller even if it has no access to the personal data processed on its behalf, as long as it determines the purposes and means of the processing. The data controller has the authority to decide whether to start and stop the processing of personal data and may, for example, prepare statistics based on personal data collected by other entities. This approach, restated in the guidelines, was already common practice among certain European data protection authorities and a position upheld by the Court of Justice of the European Union.
It is important to note that there is a significant difference between the definition of the data controller in the GDPR and that in the Law on the Protection of Personal Data (“the Law”), and this difference leads to different interpretations in practice. While the Law states that the data controller may be a natural or legal person, the GDPR definition is rightly extended with the expression “or other body.” The definition in the Law raises questions about the legal situation of liaison offices, branches of foreign companies, ordinary partnerships and building management bodies. If one interprets the Law strictly according to its text, the result is that bodies without legal personality (e.g., branches of foreign companies) should not be considered data controllers. On the other hand, in decision no. 2019/225, published by the Personal Data Protection Authority, it is stated that branches of foreign companies are data controllers even though they do not have legal personality. In order for this interpretation to gain a legal basis, we consider that the definition of the data controller in the Law should be amended along the lines of the GDPR.
2. The Data Processor
According to paragraph 8 of Article 4 of the GDPR, ‘processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
In this context, the data processor acts in accordance with the purposes and essential means of data processing specified by the data controller and performs the processing activities under the controller's instructions. In other words, the party principally responsible for compliance with the legislation is the data controller. The data processor may have considerable autonomy in performing the specific tasks assigned to it and may determine non-essential elements of the processing activity; however, the data controller retains the final decision.
3. The Joint Controller
According to paragraph 1 of Article 26 of the GDPR, where two or more controllers jointly determine the purposes and means of processing, they shall be joint controllers.
The critical point here is that both controllers need not have access to the personal data in order to qualify as joint controllers. In general, a data controller does not need to have access to personal data in order to be defined as a data controller.
Turkish legislation does not regulate the concept of the joint controller. This is a gap in the law, and the resulting uncertainty should be eliminated as soon as possible.
According to the published guidelines, there are three points to consider in the processing of personal data:
1. Persons who determine the purposes and essential means of the processing of personal data are data controllers, even if they are not authorized to access the personal data.
2. Although the data processor performs the processing activity in accordance with the instructions of the data controller, it also has a degree of autonomy of its own.
3. It is sufficient for only one of the joint controllers to have access to the personal data in order for them to qualify as joint controllers.
If we make a table regarding the content of these concepts: