What is a data processor?
A data processor (Turkish: veri işleyen) is the natural or legal person who processes personal data on behalf of a data controller, under the controller’s documented instructions. Under KVKK Article 3 and GDPR Article 4, the processor has narrower (but real) obligations.
How processors are different from controllers
A processor cannot decide WHY data is processed — that’s the controller’s call. The processor only decides operational HOW (server location choices, sub-processor selection, security configuration), within bounds set by the controller. A payroll provider, a hosting provider, an email marketing platform, an analytics SDK — all are typically processors for the data they handle for their customer.
Processor obligations under KVKK
- Process only on documented instructions from the controller
- Implement appropriate technical and organizational measures
- Notify the controller of any breach without undue delay
- Permit and contribute to controller audits
- Engage sub-processors only with controller authorization and equivalent contractual flow-down
- Return or destroy data at end of service
- Maintain records of processing activities
The DPA — Data Processing Agreement
Every controller-processor relationship requires a written DPA. AWS, Google Cloud, Stripe, HubSpot, Intercom all publish standard DPAs you sign as the controller. Read them — the security commitments and breach notification SLAs vary materially. See our VC DD Checklist for how investors evaluate your DPA coverage.