IT & Artificial Intelligence Law
Data Controller vs. Data Processor in Turkey: Contractual Obligations
Published 14 July 2026·6 min read
Att. Mona Hukuk Editorial Team - Antalya · Antalya Bar Association
When a business hosts customer data with a cloud provider, outsources payroll, or works with a software vendor, a legal question quickly surfaces: who is the "data controller" and who is the "data processor"? This is not merely an academic label. The answer directly shapes registration duties, security responsibility, and the contract that should be signed between the parties. This article examines the distinction between the two roles under Law No. 6698 on the Protection of Personal Data (KVKK), how security obligations are shared, and why a data processing agreement is indispensable in commercial practice.
The Two Roles Defined in KVKK Article 3
Article 3 of the KVKK defines both roles clearly. The data controller is "the natural or legal person who determines the purposes and means of processing personal data and is responsible for establishing and managing the data recording system." The data processor is "the natural or legal person who processes personal data on behalf of the controller, based on the authority granted by the controller."
The heart of the distinction lies in decision-making authority. The party that decides why and by what means data will be processed is the controller. The party that carries out the processing solely on those instructions, on the controller's behalf, is the processor. For example, a hotel collects guest reservation data for its own purposes; the cloud firm hosting that data or the company supplying the reservation software acts as a processor under the hotel's instructions. To qualify as a processor, a party must process data within the framework set by the controller and not for its own purposes; the moment it begins to determine its own purposes, it becomes a controller in its own right.
Why the Distinction Matters: VERBİS and Registration
Separating the roles matters first for the Data Controllers' Registry (VERBİS) obligation. Under KVKK Article 16, the registration duty is imposed as a rule on data controllers; the Board may set exemptions according to objective criteria such as the nature and number of the data processed, whether processing arises from law, or whether data is transferred to third parties. Consequently, not every business but only controllers falling within scope must register. A firm acting purely as a processor does not register on account of that status alone; yet if it is a controller with respect to its own activities, it is obliged in that capacity. The scope, exemptions, and procedure of VERBİS registration are covered in detail in a separate guide; here it is enough to stress that the roles determine the registration obligation.
Security Obligations Fall on Both Parties (Article 12)
KVKK Article 12 governs data security obligations and makes clear that responsibility does not rest with only one side. The controller must take all technical and administrative measures to ensure an appropriate level of security, in order to prevent the unlawful processing of and unlawful access to personal data and to ensure its safekeeping (Art. 12/1).
The critical point is in the second paragraph: where data is processed by another person on the controller's behalf, the controller is jointly and severally liable with the processor for taking those measures (Art. 12/2). The controller cannot escape its obligations by outsourcing processing. Furthermore, Art. 12/4 provides that both controllers and processors may not disclose the personal data they learn contrary to the Law or use it beyond the purpose of processing, and that this duty continues even after they leave their post. The duty to notify the Board and the data subject in the event of a breach lies under Art. 12/5. In short, the burden of confidentiality and security is distributed across every link in the chain.
Why a Data Processing Agreement Is Essential
Here a point specific to Turkish law stands out: unlike Article 28 of the EU General Data Protection Regulation (GDPR), the KVKK does not contain a provision that expressly and in every case mandates a contract of specific content between controller and processor. This is a genuine difference from EU practice and deserves careful attention. It should not, however, be read to make a contract unnecessary. Given the joint liability under Art. 12/2 and the audit obligation under Art. 12/3, documenting the controller's oversight of the processor, the limits of its instructions, and the security standards through a written data processing agreement becomes, in practice, effectively mandatory. The agreement both governs the internal relationship between the parties in joint liability and serves as evidence of compliance in any Board inspection.
What the Agreement Should Address and Cross-Border Use
A well-drafted data processing agreement typically addresses the following:
- Scope and purpose of processing — that the processor may act only on the controller's instructions and for the defined purpose,
- Security measures — the minimum standard of technical and administrative measures under Article 12,
- Sub-processor consent — the controller's prior consent before the processor engages another vendor,
- Return or deletion of data at contract end — return, erasure, or destruction of the data when the relationship ends,
- Audit rights — the controller's authority to audit the processor or have it audited,
- Breach-notification chain — how and within what timeframe the processor must report a breach to the controller.
For foreign companies outsourcing processing to Turkish vendors there is an additional layer: cross-border transfer of data is subject to the regime under KVKK Article 9, and the contract must also cover those transfer conditions. Likewise, Turkish companies outsourcing processing to a provider abroad must assess both the transfer rules and the counterparty's governing law. For this reason, in cross-border arrangements the contract must state not only the roles but also the legal basis for the transfer.
Frequently Asked Questions
Can a company be a data controller and a data processor at the same time? Yes. For instance, an accounting firm is a controller regarding its own employee data and a processor when handling payroll on behalf of a client. The role is assessed separately for each processing activity.
Must data processors register with VERBİS? The registration duty applies as a rule to data controllers. A firm acting solely as a processor does not register on account of that status; but if it is a controller regarding its own activities, it may be obliged in that capacity.
Does the KVKK make a data processing agreement mandatory? The KVKK does not, as GDPR Art. 28 does, expressly mandate a specific contract form in every case. However, because of the joint liability and audit obligation under Article 12, a written agreement is effectively unavoidable in commercial practice.
Can the controller be penalized for the processor's fault? Yes. Under Art. 12/2, controller and processor are jointly and severally liable for taking security measures; the controller cannot escape its obligations by outsourcing the processing.
How Mona Hukuk Can Help
At Mona Hukuk we assist businesses with role determination (the controller/processor distinction), drafting and negotiating data processing agreements, managing the VERBİS registration process, and structuring contracts for cross-border data transfers. We provide end-to-end advice both to foreign companies working with Turkish vendors and to Turkish businesses using providers abroad.
For consultancy in Antalya, you can write to contact@monahukuk.com or call +90 (242) 606 14 32.
Want a weekly digest of developments in Turkish law?
Official Gazette notices, court decisions and legislative changes — delivered weekly. Free, unsubscribe at any time.
Related Articles
IT & Artificial Intelligence Law
.tr Domain Disputes in Turkey: A Guide for Foreign Brands
2 Jul 2026 · 6 min read
Read articleIT & Artificial Intelligence Law
Software Escrow Agreements Explained: Turkey Guide 2026
22 Jun 2026 · 6 min read
Read articleIT & Artificial Intelligence Law
Registering with VERBİS: Turkey's Data Controller Guide
9 Jun 2026 · 6 min read
Read article