What is a data controller?
A data controller (Turkish: veri sorumlusu) is the natural or legal person who determines the purposes and means of personal data processing. Under KVKK Article 3 and GDPR Article 4, the controller bears the primary obligations toward data subjects and the regulator.
Controller vs processor
The controller decides “why” and “how” data is processed. A processor only acts on the controller’s documented instructions. A SaaS company is the controller for its own customer accounts but a processor for the data customers upload via its platform — the same legal entity wears different hats by use case.
Controller obligations under KVKK
- Register with VERBİS where applicable (employee headcount thresholds)
- Publish a privacy notice (aydınlatma metni) before collecting data
- Establish a lawful basis from Article 5
- Implement technical and organizational measures (TOMs): encryption, access control, audit logs, breach detection
- Notify the KVKK Authority within 72 hours of a breach
- Operate a data subject request channel with 30-day SLA
- Sign a written DPA with every processor
- For cross-border transfers: SCC, BCR, adequacy decision, or explicit consent (Article 9, amended by Law 7499)
Practical implications
Startup founders are almost always controllers for their customer, employee, and prospect data. Map data flows before the first hire and first DPA. See the KVKK Tracker for enforcement on controller-side failures.
References
- Turkish Law No. 6698 on the Protection of Personal Data (KVKK)
- Personal Data Protection Authority of Türkiye
- EU GDPR (Regulation 2016/679) — EUR-Lex
- U.S. Internal Revenue Service (IRS)
Controller obligations and VERBİS registration
Because the controller decides why and how personal data is processed, it carries the core accountability obligations: identifying a lawful basis, providing a transparent privacy notice (aydınlatma yükümlülüğü), ensuring data security, notifying breaches, honouring data-subject requests and keeping records of processing. In Türkiye, controllers that exceed the applicable thresholds must register with the Data Controllers’ Registry (VERBİS) before they begin processing. Where two or more parties jointly determine the purposes and means, they act as joint controllers and should allocate their respective responsibilities in a written arrangement. Misclassifying the role — treating a controller as a mere processor, or vice versa — is one of the most common and consequential compliance errors, because liability follows the real role rather than the label the parties chose.