What is a data controller?

A data controller (Turkish: veri sorumlusu) is the natural or legal person who determines the purposes and means of personal data processing. Under KVKK Article 3 and GDPR Article 4, the controller bears the primary obligations toward data subjects and the regulator.

Controller vs processor

The controller decides “why” and “how” data is processed. A processor only acts on the controller’s documented instructions. A SaaS company is the controller for its own customer accounts but a processor for the data customers upload via its platform — the same legal entity wears different hats by use case.

Controller obligations under KVKK

  • Register with VERBİS where applicable (employee headcount thresholds)
  • Publish a privacy notice (aydınlatma metni) before collecting data
  • Establish a lawful basis from Article 5
  • Implement technical and organizational measures (TOMs): encryption, access control, audit logs, breach detection
  • Notify the KVKK Authority within 72 hours of a breach
  • Operate a data subject request channel with a 30-day response SLA
  • Sign a written DPA with every processor
  • For cross-border transfers: standard contractual clauses (SCC), binding corporate rules (BCR), an adequacy decision, or explicit consent (Article 9, amended by Law 7499)

Practical implications

Startup founders are almost always controllers for their customer, employee, and prospect data. Map data flows before the first hire and first DPA. See the KVKK Tracker for enforcement on controller-side failures.