Unlike the Turkish Personal Data Protection Law No. 6698 (PDPL), the General Data Protection Regulation (GDPR) imposes additional obligations on data processors.
According to the GDPR, processors are obliged to take appropriate technical and organizational measures and to process personal data based on the instructions of the controllers. Among these obligations, the following are particularly substantial:
- The controller and processor must enter into a data processing agreement and stipulate the nature and purpose of the processing, the subject-matter and duration of the processing, the type of personal data and categories of data subjects, and the obligations and rights of the controller.
- Upon the request of the controller, the processor must delete or return all personal data to the controller once the term of services expires, unless Union or Member State law requires storage of the personal data.
- The processor must make available to the controller all information necessary to demonstrate compliance with the GDPR and allow controller audits.
- The processor may engage the services of another processor (sub-processor) for carrying out specific processing activities on behalf of the controller only if the controller grants prior specific or general authorization. In such a case, the processor must enter into an agreement with the sub-processor that includes the same data protection obligations as set out in the contract between the controller and the processor.
- The processor must designate in writing a representative in the EU if there is:
  - large-scale processing,
  - processing of sensitive data,
  - processing of personal data relating to criminal convictions and offences, or
  - processing that is likely to result in a risk to the rights and freedoms of natural persons, taking into account the nature, context, scope and purposes of the processing.
Please contact Mert Yaşar for more information.