What is a data processor?

A data processor (Turkish: veri işleyen) is the natural or legal person who processes personal data on behalf of a data controller, under the controller’s documented instructions. Under KVKK Article 3 and GDPR Article 4, the processor has narrower (but real) obligations.

How processors are different from controllers

A processor cannot decide WHY data is processed — that’s the controller’s call. The processor only decides operational HOW (server location choices, sub-processor selection, security configuration), within bounds set by the controller. A payroll provider, a hosting provider, an email marketing platform, an analytics SDK — all are typically processors for the data they handle for their customer.

Processor obligations under KVKK

  • Process only on documented instructions from the controller
  • Implement appropriate technical and organizational measures
  • Notify the controller of any breach without undue delay
  • Permit and contribute to controller audits
  • Engage sub-processors only with controller authorization and equivalent contractual flow-down
  • Return or destroy data at end of service
  • Maintain records of processing activities

The DPA — Data Processing Agreement

Every controller-processor relationship requires a written DPA. AWS, Google Cloud, Stripe, HubSpot and Intercom all publish standard DPAs that you sign as the controller. Read them: the security commitments and breach notification SLAs vary materially. See our VC DD Checklist for how investors evaluate your DPA coverage.

The data-processing agreement (DPA)

A processor may act only on the documented instructions of the controller and may never process the data for its own purposes. KVKK and GDPR alike require a written data-processing agreement that defines the subject matter, duration and scope of processing, the technical and organisational security measures, the rules for engaging sub-processors, the return or deletion of data at the end of the engagement, and audit and assistance obligations. Under the KVKK the controller and processor are jointly responsible for data security, so the contract should mirror that allocation. A processor that engages a sub-processor without authorisation, or that processes beyond the controller’s instructions, steps outside its role and is treated as a controller for that processing — taking on the full liability that comes with it.