When the data controller receives outsourced services (cloud, call center, accounting), it signs a contract with the "data processor" (KVKK Article 12).
Obligations of the Data Processor
- Complying with the instructions of the data controller
- Security measures
- Not using personal data for purposes other than the contractual purpose
- Destruction or return at the end of the period
- Written approval for the use of sub-data processors
Content of the Agreement
- Categories of data to be processed
- Purpose of processing
- Duration
- Security measures
- Breach notification process
- Responding to data subject requests
- Right to audit
- Return/destruction process
Subsequent Liability
- The data controller is primarily responsible
- The data processor is responsible under its contractual obligations
- The data subject can apply to both
Cloud Provider Example
- Cloud services such as AWS, Azure and GCP "process data"
- Standard contract may be insufficient
- Turkish additional protocol may be required
- Data location (domestic/international) is important
KVKK Board Decision
The KVKK Board treats a data controller's "lack of a data processing agreement" in outsourcing as a violation, and even penalizes companies that use cloud providers but do not sign a contract.
Practical Recommendations
- Written contract with all third-party providers
- DPA (Data Processing Agreement) additional protocol
- Retain the right to an annual audit
- Add a breach response procedure
Consulting a lawyer who specializes in KVKK is recommended.