Mandatory GPS Device Installation in Rental Companies and the Identity of the GPS Provider Within the Scope of Location Data
MANDATORY GPS DEVICE INSTALLATION IN RENTAL COMPANIES AND THE IDENTITY OF THE GPS PROVIDER WITHIN THE SCOPE OF LOCATION DATA
The Law on Amendments to the Law on Internal Affairs Officers and Certain Other Laws, as well as to the Decree Law No. 375, published in the Official Gazette dated 30/11/2024, introduced a modification to the first paragraph of Additional Article 3 of the Identity Notification Law No. 1774. Within the scope of this amendment, a requirement has been imposed for vehicles belonging to car rental companies to be equipped with GPS devices.
Pursuant to the relevant regulation, the responsible operators and managers of businesses owned by natural and legal persons engaged in car rental activities are required to accurately maintain all data, including rented vehicle details, lessees’ identification information, and rental agreements, in digital form, ensuring that such records are readily available for law enforcement inspections at any time. They must also connect their computer terminals to law enforcement systems, promptly report lessee and vehicle details to law enforcement at the time of vehicle handover, and equip rented vehicles with GPS devices, retaining location data for a period of three years.
Administrative fines shall be imposed on those who:
Fail to maintain the aforementioned information, documents, and records digitally,
Fail to connect their computer terminals to law enforcement systems,
Keep false records or provide misleading information,
Fail to equip vehicles with GPS devices,
Fail to retain location data for three years,
Fail to keep information and records readily available for law enforcement inspection,
Fail to provide real-time information updates.
Information on whether individuals have an active vehicle rental, derived from data maintained by general law enforcement authorities, shall be shared with businesses owned by natural and legal persons engaged in car rental activities.
It is understood that all obligations outlined under this article must be fulfilled by the car rental company. In any potential scenario, law enforcement authorities will directly address the car rental company, and any related sanctions or administrative fines will be imposed on the company itself.
Under the relevant legal regulation, car rental companies are required to work with a third-party firm for the installation of GPS devices in their vehicles. The location data obtained through these devices must also be protected and processed in accordance with the Personal Data Protection Law (KVKK). It is important to address the responsibilities of both the car rental company and the company selling and providing GPS services within the scope of KVKK. Below, the responsibilities of car rental companies and firms selling and providing GPS devices regarding the obtained location data are evaluated from different perspectives.
Evaluation of the GPS Company as the Data Processor and the Car Rental Company as the Data Controller
In the context of the Personal Data Protection Law (KVKK) and in light of the concepts of data controller and data processor explained above;
Car Rental Company as the Data Controller
The primary responsibility of the data controller is to determine the purpose and method of processing personal data. In accordance with the relevant legal regulation, the car rental company aims to collect location data of the vehicles during the process of renting out cars to its customers. This data is used for operational purposes such as vehicle tracking and providing information to authorized institutions and organizations.
The car rental company determines the purposes for which the location data, recorded via GPS, will be used. This is the first stage of the data processing, and the car rental company is the sole authority responsible for deciding the purposes for which personal data is collected and processed.
The car rental company decides how personal data will be collected. Although the law mandates the use of GPS devices, the primary responsibility for fulfilling this obligation lies with the car rental company. The company decides which GPS device to use and which GPS provider to contract with. The car rental company also determines to whom the collected data will be transferred. In terms of transmitting data to law enforcement, the car rental company establishes a predefined process for how the data transfer will take place. Therefore, the car rental company is the final authority in deciding on the sharing of the data.
The car rental company also decides how long the collected data will be retained. Under the Identity Notification Law, the obligation to retain GPS data for three years is the responsibility of the car rental company, and it is a legal requirement for the company to regulate the conditions under which this data is stored.
The data controller is obligated to take all necessary measures to ensure the security of the collected data. While collecting the location data of the vehicles, the car rental company implements security measures to protect the data from loss, misuse, or unauthorized access. These measures include system security, data encryption, and access control, among others.
The car rental company ensures that data sharing occurs within a legal framework by entering into contracts with data processors (e.g., the GPS company). These contracts clearly outline the conditions for processing, security, transmission, and disposal of personal data. The car rental company monitors to ensure that these processes are carried out properly and in compliance with the law.
The car rental company is not only an institution that collects data but also an actor that determines the purpose and conditions of data processing. This aligns perfectly with the definition of a data controller under the KVKK (Personal Data Protection Law). The car rental company is the entity that defines and manages how the data will be processed, to whom it will be shared, how long it will be retained, and how its security will be ensured.
GPS Company as the Data Processor:
The GPS company acts as a data processor, processing the vehicle location data in accordance with the instructions provided by the car rental company. The GPS company does not have the authority to make independent decisions in data processing and must process the data solely in accordance with the purpose defined by the car rental company.
For these reasons, the GPS company follows the decisions made by the Car Rental company regarding how data will be collected, to whom it will be transferred, and how long it will be retained, acting strictly in accordance with these directives. The GPS company is obliged to process vehicle location data within the framework defined by the data controller and accepts this responsibility through a contract established with the Car Rental Company. In this context, the GPS company must take the necessary measures to ensure data security; however, decisions regarding the purpose of data processing, which data will be processed, and with whom the data will be shared remain entirely under the authority of the Car Rental Company. The GPS company processes the data in compliance with the Car Rental Company’s instructions and holds no independent decision-making authority over the data.
Therefore, the GPS company acts as a data processor, operating strictly in accordance with the instructions of the data controller.
Evaluation of the GPS Company and the Car Rental Company as Joint Data Controllers
Although the concept of joint data controllership is not explicitly regulated under the Personal Data Protection Law (KVKK), it is addressed in the Principal Decision No. 2001/1304 and the Banking Sector Good Practices Guide on the Protection of Personal Data. Analyzing these sources reveals that the concept of joint data controllership is defined as follows:
Not every joint data processing activity automatically implies joint liability nor does the mere transfer oof data between parties make them joint data controllers. To qualify as joint data controllers, the purpose of the data processing activity and the means – that is, the tools or methods used – must be jointly determined. This is, in fact, the sole criterion for establishing joint data controllership. It is essential for the parties involved to formalize their respective obligations through a contract. In this regard, if the agreements made between joint data controllers transparently outline who will fulfill the obligations on data controllers under the law and how these responsibilities will be carried out; such provisions are taken into account when determining the boundaries of each party’s liability. However, data subjects retain the right to exercise their data protection rights against any of the joint data controllers individually.[1]
As evident from the explanations, for joint data controllership to be established, the GPS company and the Car Rental Company make decisions jointly.
If both parties (the Car Rental Company and the GPS company) make joint decisions regarding the purpose and methods of data processing, this may establish joint data controllership. For instance, if the GPS company participates in determining the purpose for which the data will be used, how it will be stored, and with whom it will be shared, both parties may be considered data controllers. The key point to note here is that both parties must share equal responsibility throughout the data processing activities. Additionally, while the Car Rental Company may play a decisive role by transferring data to the GPS company and guiding the processing, the GPS company may still be required to obtain specific authorizations, carry out the processing and perform certain reporting obligations. If such processes are conducted with the active participation of both parties, joint data controllership may indeed be established.
In conclusion, the concept of joint data controllership refers to a situation where both parties jointly determine the purpose, methods, and processes of data processing. If both parties make decisions jointly, manage the data processing activities together, and ensure the security of the data collectively, both parties may be considered data controllers. However, according to the KVKK, if one party (for example, the Car Rental Company) merely provides data processing instructions to the other (the GPS company), the GPS company will be considered a data processor.
Assessment of the Situation Where the GPS Company is the Data Controller, but the Car Rental Company Does Not Process the Data
The GPS company is the data controller within the framework of its contract with the car rental company. This is because the GPS company has the authority to decide which data regarding the vehicles and drivers will be collected, and it also provides the service of collecting and storing this data. Although the purpose of data collection is determined by the car rental company, the GPS company’s broad discretion in selecting the data to be collected necessitates its recognition as a data controller alongside the rental company.
The measures that the GPS company, acting as the data controller responsible for personal data protection, must implement are as follows:
The measures that the GPS company, acting as the data controller responsible for personal data protection, must implement are as follows:
Establish policies and procedures to prevent the unlawful processing and access of the collected location data
Provide necessary information to individuals through privacy notices and obtain explicit consent when required
Implement cybersecurity measures for the systems where location data is stored
Secure the physical spaces, cloud systems, and backup systems where the data is held
Prevent the transfer of data from malfunctioning or outdated tracking devices, ensuring that the devices are removed and securely stored.
In light of this information, it is evident that the measures necessary to ensure the security of location data and comply with regulations can only be implemented by the GPS company, which acts as the data controller. This is because the GPS company stores all data obtained from GPS devices on its own servers, and the car rental company cannot take the cybersecurity measures, block access, or replace malfunctioning devices for systems that are not part of its own infrastructure, as listed above.
Similarly, since all location data obtained through the GPS device is stored and maintained within the GPS company's systems and servers, the car rental company may opt not to access the location data by notifying the relevant authorities of the devices it is legally required to install. In this scenario, the car rental company would neither exercise control over the data nor assume any decisive role regarding its processing. Consequently, the control and processing of the location data would remain solely with the GPS company, acting as the data controller.
Furthermore, considering that the devices to be installed in the rental company's vehicles will be purchased or leased from the GPS company, the GPS company will be the party both collecting the data and establishing the system that enables such data collection.
However, even in this scenario, since the car rental company retains the possibility of accessing the location data stored by the GPS company at any time, it is difficult to conclude that the car rental company bears no responsibility in this regard.
One final point that must be addressed is whether the location data obtained through GPS devices installed in vehicles owned by car rental companies can be classified as personal data. If the car rental company leases the vehicle to a legal entity, the location data collected — even if a GPS device is installed — cannot be linked to an identifiable natural person, as the identity of the vehicle’s user remains unknown. In such cases, the data would not be considered personal data. However, if the vehicle leased to a legal entity undergoes maintenance or repair at a service center known to the car rental company, or if the vehicle is involved in a single- or multi-party accident where a report is filed, the user’s identity could potentially be determined based on those records. In such scenarios, the location data could then be associated with the identified user and, therefore, qualify as personal data. Given this, even though the classification of location data as personal data requires case-by-case evaluation — depending on whether the vehicle is leased to a legal or natural person — car rental companies must take all these possibilities into account and implement the necessary safeguards accordingly.
As evident from the explanations and assessments provided above, it is clear that GPS devices – which car rental companies are legally required to install under the relevant legislation- also pose legal challenges within the scope of the Personal Data Protection Law (KVKK). The responsibilities of both the car rental company and the GPS company toward customers renting the vehicles must be evaluated separately, taking into account the agreements made between the two companies and the nature of the service provided to the rental company. However, regardless of the specific contractual arrangements, the legal obligation to install GPS devices rests with the car rental companies. Even if they do not intend to access the location data, the mere possibility of doing so at any time means that they must act as data controllers. Accordingly, car rental companies are obligated to inform their customers and prepare the necessary documentation. Moreover, it is crucial that any contracts established with GPS companies include provisions covering data protection laws (KVKK), privacy, and data transfer commitments – clearly defining the GPS company’s responsibilities as well. This ensures that both parties’ obligations are properly regulated, enhancing accountability and compliance with data protection requirements.
MANDATORY GPS DEVICE INSTALLATION IN RENTAL COMPANIES AND THE IDENTITY OF THE GPS PROVIDER WITHIN THE SCOPE OF LOCATION DATA
The Law on Amendments to the Law on Internal Affairs Officers and Certain Other Laws, as well as to the Decree Law No. 375, published in the Official Gazette dated 30/11/2024, introduced a modification to the first paragraph of Additional Article 3 of the Identity Notification Law No. 1774. Within the scope of this amendment, a requirement has been imposed for vehicles belonging to car rental companies to be equipped with GPS devices.
Pursuant to the relevant regulation, the responsible operators and managers of businesses owned by natural and legal persons engaged in car rental activities are required to accurately maintain all data, including rented vehicle details, lessees’ identification information, and rental agreements, in digital form, ensuring that such records are readily available for law enforcement inspections at any time. They must also connect their computer terminals to law enforcement systems, promptly report lessee and vehicle details to law enforcement at the time of vehicle handover, and equip rented vehicles with GPS devices, retaining location data for a period of three years.
Administrative fines shall be imposed on those who:
Fail to maintain the aforementioned information, documents, and records digitally,
Fail to connect their computer terminals to law enforcement systems,
Keep false records or provide misleading information,
Fail to equip vehicles with GPS devices,
Fail to retain location data for three years,
Fail to keep information and records readily available for law enforcement inspection,
Fail to provide real-time information updates.
Information on whether individuals have an active vehicle rental, derived from data maintained by general law enforcement authorities, shall be shared with businesses owned by natural and legal persons engaged in car rental activities.
It is understood that all obligations outlined under this article must be fulfilled by the car rental company. In any potential scenario, law enforcement authorities will directly address the car rental company, and any related sanctions or administrative fines will be imposed on the company itself.
Under the relevant legal regulation, car rental companies are required to work with a third-party firm for the installation of GPS devices in their vehicles. The location data obtained through these devices must also be protected and processed in accordance with the Personal Data Protection Law (KVKK). It is important to address the responsibilities of both the car rental company and the company selling and providing GPS services within the scope of KVKK. Below, the responsibilities of car rental companies and firms selling and providing GPS devices regarding the obtained location data are evaluated from different perspectives.
Evaluation of the GPS Company as the Data Processor and the Car Rental Company as the Data Controller
In the context of the Personal Data Protection Law (KVKK) and in light of the concepts of data controller and data processor explained above;
Car Rental Company as the Data Controller
The primary responsibility of the data controller is to determine the purpose and method of processing personal data. In accordance with the relevant legal regulation, the car rental company aims to collect location data of the vehicles during the process of renting out cars to its customers. This data is used for operational purposes such as vehicle tracking and providing information to authorized institutions and organizations.
The car rental company determines the purposes for which the location data, recorded via GPS, will be used. This is the first stage of the data processing, and the car rental company is the sole authority responsible for deciding the purposes for which personal data is collected and processed.
The car rental company decides how personal data will be collected. Although the law mandates the use of GPS devices, the primary responsibility for fulfilling this obligation lies with the car rental company. The company decides which GPS device to use and which GPS provider to contract with. The car rental company also determines to whom the collected data will be transferred. In terms of transmitting data to law enforcement, the car rental company establishes a predefined process for how the data transfer will take place. Therefore, the car rental company is the final authority in deciding on the sharing of the data.
The car rental company also decides how long the collected data will be retained. Under the Identity Notification Law, the obligation to retain GPS data for three years is the responsibility of the car rental company, and it is a legal requirement for the company to regulate the conditions under which this data is stored.
The data controller is obligated to take all necessary measures to ensure the security of the collected data. While collecting the location data of the vehicles, the car rental company implements security measures to protect the data from loss, misuse, or unauthorized access. These measures include system security, data encryption, and access control, among others.
The car rental company ensures that data sharing occurs within a legal framework by entering into contracts with data processors (e.g., the GPS company). These contracts clearly outline the conditions for processing, security, transmission, and disposal of personal data. The car rental company monitors to ensure that these processes are carried out properly and in compliance with the law.
The car rental company is not only an institution that collects data but also an actor that determines the purpose and conditions of data processing. This aligns perfectly with the definition of a data controller under the KVKK (Personal Data Protection Law). The car rental company is the entity that defines and manages how the data will be processed, to whom it will be shared, how long it will be retained, and how its security will be ensured.
GPS Company as the Data Processor:
The GPS company acts as a data processor, processing the vehicle location data in accordance with the instructions provided by the car rental company. The GPS company does not have the authority to make independent decisions in data processing and must process the data solely in accordance with the purpose defined by the car rental company.
For these reasons, the GPS company follows the decisions made by the Car Rental company regarding how data will be collected, to whom it will be transferred, and how long it will be retained, acting strictly in accordance with these directives. The GPS company is obliged to process vehicle location data within the framework defined by the data controller and accepts this responsibility through a contract established with the Car Rental Company. In this context, the GPS company must take the necessary measures to ensure data security; however, decisions regarding the purpose of data processing, which data will be processed, and with whom the data will be shared remain entirely under the authority of the Car Rental Company. The GPS company processes the data in compliance with the Car Rental Company’s instructions and holds no independent decision-making authority over the data.
Therefore, the GPS company acts as a data processor, operating strictly in accordance with the instructions of the data controller.
Evaluation of the GPS Company and the Car Rental Company as Joint Data Controllers
Although the concept of joint data controllership is not explicitly regulated under the Personal Data Protection Law (KVKK), it is addressed in the Principal Decision No. 2001/1304 and the Banking Sector Good Practices Guide on the Protection of Personal Data. Analyzing these sources reveals that the concept of joint data controllership is defined as follows:
Not every joint data processing activity automatically implies joint liability nor does the mere transfer oof data between parties make them joint data controllers. To qualify as joint data controllers, the purpose of the data processing activity and the means – that is, the tools or methods used – must be jointly determined. This is, in fact, the sole criterion for establishing joint data controllership. It is essential for the parties involved to formalize their respective obligations through a contract. In this regard, if the agreements made between joint data controllers transparently outline who will fulfill the obligations on data controllers under the law and how these responsibilities will be carried out; such provisions are taken into account when determining the boundaries of each party’s liability. However, data subjects retain the right to exercise their data protection rights against any of the joint data controllers individually.[1]
As evident from the explanations, for joint data controllership to be established, the GPS company and the Car Rental Company make decisions jointly.
If both parties (the Car Rental Company and the GPS company) make joint decisions regarding the purpose and methods of data processing, this may establish joint data controllership. For instance, if the GPS company participates in determining the purpose for which the data will be used, how it will be stored, and with whom it will be shared, both parties may be considered data controllers. The key point to note here is that both parties must share equal responsibility throughout the data processing activities. Additionally, while the Car Rental Company may play a decisive role by transferring data to the GPS company and guiding the processing, the GPS company may still be required to obtain specific authorizations, carry out the processing and perform certain reporting obligations. If such processes are conducted with the active participation of both parties, joint data controllership may indeed be established.
In conclusion, the concept of joint data controllership refers to a situation where both parties jointly determine the purpose, methods, and processes of data processing. If both parties make decisions jointly, manage the data processing activities together, and ensure the security of the data collectively, both parties may be considered data controllers. However, according to the KVKK, if one party (for example, the Car Rental Company) merely provides data processing instructions to the other (the GPS company), the GPS company will be considered a data processor.
Assessment of the Situation Where the GPS Company is the Data Controller, but the Car Rental Company Does Not Process the Data
The GPS company is the data controller within the framework of its contract with the car rental company. This is because the GPS company has the authority to decide which data regarding the vehicles and drivers will be collected, and it also provides the service of collecting and storing this data. Although the purpose of data collection is determined by the car rental company, the GPS company’s broad discretion in selecting the data to be collected necessitates its recognition as a data controller alongside the rental company.
The measures that the GPS company, acting as the data controller responsible for personal data protection, must implement are as follows:
The measures that the GPS company, acting as the data controller responsible for personal data protection, must implement are as follows:
Establish policies and procedures to prevent the unlawful processing and access of the collected location data
Provide necessary information to individuals through privacy notices and obtain explicit consent when required
Implement cybersecurity measures for the systems where location data is stored
Secure the physical spaces, cloud systems, and backup systems where the data is held
Prevent the transfer of data from malfunctioning or outdated tracking devices, ensuring that the devices are removed and securely stored.
In light of this information, it is evident that the measures necessary to ensure the security of location data and comply with regulations can only be implemented by the GPS company, which acts as the data controller. This is because the GPS company stores all data obtained from GPS devices on its own servers, and the car rental company cannot take the cybersecurity measures, block access, or replace malfunctioning devices for systems that are not part of its own infrastructure, as listed above.
Similarly, since all location data obtained through the GPS device is stored and maintained within the GPS company's systems and servers, the car rental company may opt not to access the location data by notifying the relevant authorities of the devices it is legally required to install. In this scenario, the car rental company would neither exercise control over the data nor assume any decisive role regarding its processing. Consequently, the control and processing of the location data would remain solely with the GPS company, acting as the data controller.
Furthermore, considering that the devices to be installed in the rental company's vehicles will be purchased or leased from the GPS company, the GPS company will be the party both collecting the data and establishing the system that enables such data collection.
However, even in this scenario, since the car rental company retains the possibility of accessing the location data stored by the GPS company at any time, it is difficult to conclude that the car rental company bears no responsibility in this regard.
One final point that must be addressed is whether the location data obtained through GPS devices installed in vehicles owned by car rental companies can be classified as personal data. If the car rental company leases the vehicle to a legal entity, the location data collected — even if a GPS device is installed — cannot be linked to an identifiable natural person, as the identity of the vehicle’s user remains unknown. In such cases, the data would not be considered personal data. However, if the vehicle leased to a legal entity undergoes maintenance or repair at a service center known to the car rental company, or if the vehicle is involved in a single- or multi-party accident where a report is filed, the user’s identity could potentially be determined based on those records. In such scenarios, the location data could then be associated with the identified user and, therefore, qualify as personal data. Given this, even though the classification of location data as personal data requires case-by-case evaluation — depending on whether the vehicle is leased to a legal or natural person — car rental companies must take all these possibilities into account and implement the necessary safeguards accordingly.
As evident from the explanations and assessments provided above, it is clear that GPS devices – which car rental companies are legally required to install under the relevant legislation- also pose legal challenges within the scope of the Personal Data Protection Law (KVKK). The responsibilities of both the car rental company and the GPS company toward customers renting the vehicles must be evaluated separately, taking into account the agreements made between the two companies and the nature of the service provided to the rental company. However, regardless of the specific contractual arrangements, the legal obligation to install GPS devices rests with the car rental companies. Even if they do not intend to access the location data, the mere possibility of doing so at any time means that they must act as data controllers. Accordingly, car rental companies are obligated to inform their customers and prepare the necessary documentation. Moreover, it is crucial that any contracts established with GPS companies include provisions covering data protection laws (KVKK), privacy, and data transfer commitments – clearly defining the GPS company’s responsibilities as well. This ensures that both parties’ obligations are properly regulated, enhancing accountability and compliance with data protection requirements.
Turkish
