SECTION ONE

INTRODUCTION

A personal data processing agreement is a contract in which the data processor undertakes to process personal data in accordance with the instructions of the data controller, and the data controller, in return, undertakes to pay a fee for this performance. [1] The personal data processing agreement is based on the principle of freedom of contract. The essential elements of this agreement are the processing of personal data, the payment of a fee, and the mutual consent of the parties to the contract.

Although the relationship between the data processor and the data controller is not explicitly named in the Law, the term “personal data processing agreement” has been used in the implementation guides published by the Authority to refer to this contractual relationship.

In Turkish law, the data processor, as a party to the personal data processing agreement, is regulated under Article 3(1)(ğ) of the Law on the Protection of Personal Data (KVKK). This provision allows the data controller to authorize a data processor through a personal data processing agreement. For instance, if a company that qualifies as a data controller authorizes one of its employees to act on its behalf, the employee will be considered a data processor. In such a case, it will be deemed that a representation relationship exists between the data controller company and the data processor employee.

The personal data processing agreement is regulated in detail under the GDPR (General Data Protection Regulation). Article 28(3) of the GDPR emphasizes that, in order for the data processor to carry out processing activities, there must be a data processing agreement or a legal act in place between the data controller and the data processor, and it sets out the minimum requirements for such an arrangement.

A personal data processing agreement may be concluded not only between a data controller and a data processor but also between one data controller and another data controller, or between a data controller and a sub-processor. Specifically, when the data processor has a sub-processor process the personal data that it has undertaken to process on behalf of the data controller, a personal data processing agreement is concluded between the data processor and the sub-processor.

DEFINITION AND PARTIES OF THE PERSONAL DATA PROCESSING AGREEMENT

1.1. Definition

A personal data processing agreement is a contract in which a data controller grants a data processor the authority to process personal data for the purpose of performing a specific service or task.

According to Article 3(1)(ğ) of the Law on the Protection of Personal Data (KVKK), a data processor is a natural or legal person who processes personal data on behalf of the data controller, based on the authority granted by the controller. Essentially, the personal data processing agreement arises from the data controller’s need to authorize a data processor for data processing purposes. For this reason, it is the data controller who decides on the collection of personal data, the types of personal data to be processed, the purposes of processing, the retention period of the data, and whether the data will be transferred. The data processor, on the other hand, is obliged to process the data in accordance with the data controller’s decisions and instructions.

In this context, the data controller is the party that makes decisions regarding the collection of personal data, the purpose of processing, the types of personal data, the duration for which the data will be retained, and whether the data will be transferred. The data processor, on the other hand, is responsible for processing the personal data in accordance with the instructions given by the data controller and within the framework determined by the data controller.

1.2. Parties

A personal data processing agreement involves two parties: the data processor and the data controller. The data processor is obligated to process personal data in accordance with the instructions set by the data controller. The data controller, in return, is obligated to pay a fee for this performance.

According to KVKK, the data processor refers to the natural or legal person who processes personal data on behalf of the data controller, based on the authority granted by the controller. The data controller, on the other hand, refers to the natural or legal person who determines the purposes and means of processing personal data and is responsible for establishing and managing the data recording system.

1. THE LEGAL NATURE OF THE PERSONAL DATA PROCESSING AGREEMENT

A personal data processing agreement is a contract formed by the mutual and consistent declarations of will of the parties. The law regulates the elements related to the obligations of the parties to the personal data processing agreement. However, in Turkish law, there is no specific regulation regarding the formation and termination of the personal data processing agreement. [1]

The personal data processing agreement is an atypical (unnamed) contract, as it is not specifically regulated in the Law, the Turkish Code of Obligations (TCO), or any other law. However, one of the primary obligations under the personal data processing agreement is the data processor’s responsibility to process personal data in accordance with the instructions of the data controller. In this context, the personal data processing agreement also includes elements of a mandate contract. For this reason, many scholars in the doctrine apply the elements of the mandate contract, as regulated in Articles 1149-1530 of the TCO, by analogy to the personal data processing agreement. [2] This is because the personal data processing agreement, like the mandate contract, is based on a trust relationship. In this agreement, one party (the data controller) places trust in the other party (the data processor) regarding data processing.

2. THE FORM OF THE PERSONAL DATA PROCESSING AGREEMENT

There are some different regulations regarding the form of the personal data processing agreement under Turkish Law and European Union Law. As previously mentioned, Turkish law does not have any explicit regulation regarding the form of the personal data processing agreement. However, under European Union law, according to Article 28(11) of the GDPR, the legal act or contract between the data processor and the data controller must be in writing.

3. ELEMENTS OF THE PERSONAL DATA PROCESSING AGREEMENT

The essential elements of the personal data processing agreement are:

• Processing of personal data,
• Payment of a fee,
• Agreement between the parties of the contract.

4.1. Processing of Personal Data

According to the definition published by the Authority, “Any activity carried out in the process from the collection of personal data in the specified manner to the deletion, destruction, or anonymization of the data is considered the processing of personal data under the Law.”

The act of personal data processing is a type of action carried out by the data processor. For the personal data processing act to have an effect, the data processor must commit to the outcome of the processing. Therefore, the act of personal data processing is not result-oriented but commitment-oriented. However, it also includes a “non-action” obligation, as it imposes a duty not to process personal data in violation of the contract and the law.

4.2. Payment of Fee

Another primary obligation of the contract is the duty to pay a fee. The data processor, who performs the data processing action in accordance with the instructions given by the data controller, is obligated to pay a fee in return for this performance.

It is sufficient for a valid personal data processing agreement to be established for the fee claim to arise. For the fee claim to become due, the data processor must fulfill the personal data processing obligation in accordance with the proper procedures. If the data processing obligation is initiated but later becomes impossible to fulfill due to reasons beyond the data processor's control, the data processor will not be entitled to the full fee. However, a proportionate part of the fee determined by the contract, in accordance with fairness, should be paid to the data processor. [3]

However, it should be noted that if Article 502(3) of the Turkish Code of Obligations (TCO) regarding the fee payment obligation in a mandate contract is considered applicable by analogy to the personal data processing agreement, the fee is not an essential element of the mandate contract. Therefore, it should be possible for a personal data processing agreement to be made without any fee.

Article 147 of the Turkish Code of Obligations stipulates that fee claims arising from a mandate contract are subject to a five-year statute of limitations. In this case, if the provisions of the mandate contract are applied by analogy to the personal data processing agreement, the statute of limitations for these agreements should also be considered to be five years.

If the data controller and the data processor operate within the same organizational structure, the data controller should not be obligated to pay a fee to the data processor. Moreover, in cases where the data controller and the data processor are part of the same organizational structure, the data processing activity is already a part of the employee's job description. For example, in a law firm, if the human resources department requests health information from an employee for job entry, it should not be required to charge an additional fee for this process.

4.3. Agreement of the Parties

In order for the personal data processing agreement to be established, the mutual and consistent declarations of will between the data controller and the data processor are sufficient. This element indicates that the personal data processing agreement is a contract based on consent.

As previously stated, the primary obligation of the data processor is to process personal data in accordance with the instructions of the data controller, while the primary obligation of the data controller is to pay a fee in return for this performance. The agreement is considered established once the parties have reached an agreement on the primary obligations of the contract.

4. OBLIGATIONS OF THE PARTIES IN THE PERSONAL DATA PROCESSING AGREEMENT

The personal data processing agreement is not regulated in the Law and other relevant legislation. However, the obligations of the parties arising from this agreement can be found in the KVKK and the Turkish Code of Obligations (TCO). The provisions of the TCO related to mandate and work contracts are applied to the personal data processing agreement to the extent they are applicable.

A. Obligations of the Data Processor

When the personal data processing agreement is established, the data processor's task of processing data becomes its primary obligation. While fulfilling this primary obligation, that is, when processing data, the data processor must comply with the instructions of the data controller. This is a reflection of the mandate contract on the personal data processing agreement.

a. Obligation to Process Personal Data

The primary obligation of the data processor is to commit to the outcome of the act of processing personal data. Within the scope of this responsibility, the data processor is expected to perform all actions related to the data, including the processing, collection, storage, and destruction of personal data.

Article 506 of the Turkish Code of Obligations (TCO) states that the agent has an obligation to personally perform the mandate duty. When this provision is applied to the personal data processing agreement, the doctrine suggests that the rule of personal performance will also apply to personal data processing agreements.

However, the first exception to the agent’s obligation to personally perform the mandate duty under the TCO is the ability of the data processor to seek assistance from third parties while fulfilling their obligation. In this case, the data processor does not carry out the data processing activity alone but seeks help from another person for this task. In such a case, the data processor and the sub-processor will be jointly liable.

Another exception provided in the law is the situation where it is mandatory for personal data to be processed by a third party that is not a party to the contract. As an option, if personal data needs to be processed by an authorized third party, it can be stated that in such cases, the data processing activity will be carried out by the sub-processor.

The final exception stipulated in the Law refers to the existence of a customary practice in the processing of personal data by others. If such a custom exists, the personal data processing obligation may be fulfilled by third parties without the data controller’s explicit consent.

b. Duty of Care

By analogy to Article 506(2) of the Turkish Code of Obligations (TBK), it can be concluded that the data processor is required to carry out the tasks and services constituting the subject of the personal data processing obligation with due diligence, while taking into account the legitimate interests of the data controller.

According to Article 506(3) of the Turkish Code of Obligations (TBK), the degree of diligence expected from an agent is determined based on objective criteria. When this provision is applied by analogy to the duty of care in a personal data processing agreement, it is concluded that the scope of the data processor’s duty of care should be assessed by referring to the behavior that a prudent and diligent data processor would be expected to exhibit under similar conditions, in line with ordinary business practices and general life experience.[4]

The data processor's duty of care entails taking necessary measures to ensure the security of personal data. According to Article 12(2) of the Turkish Personal Data Protection Law (KVKK), both the data controller and the data processor, along with any sub-processors acting on behalf of the data controller, are jointly and severally liable to third parties for implementing data security measures.

In a personal data processing agreement, the duty of care is considered a secondary obligation. Therefore, if the data controller suffers damage due to a breach of this duty, the data processor will be responsible for compensating the damage. However, in such cases, there is a presumption of fault. That is, if the data processor can prove they were not at fault for the damage, they may be exempt from liability.

c. Obligation to Act in Accordance with the Instructions of the Data Controller

By analogy with Article 505(1) of the Turkish Code of Obligations, which regulates the obligation of the agent to comply with the instructions of the principal, it can be said that the data processor is obligated to follow the explicit instructions of the data controller. An instruction is a unilateral expression of will from the data controller to the data processor, outlining how the data processing activity should be carried out, providing directives and guidance on the scope of the work.

The data controller can give instructions to the data processor by determining the purpose, scope, and conditions of the data processing activity, and the data processor must act in accordance with these instructions. For example, the data controller may instruct the processor to handle data on a website using SSL (Secure Socket Layer) standards or to regularly back up data with cloud-based applications.[5]

The data processor is not obligated to follow instructions that violate the law, ethics, or principles of honesty. If the processor receives such instructions, they must warn and inform the data controller about the nature of the instruction. If the controller insists on following the unlawful instruction, the data processor may have the right to terminate the contract under Article 512 of the Turkish Code of Obligations. It would not be fair to hold the processor responsible for not following such instructions.

If the data processor does not follow instructions that violate the law, ethics, or honesty rules, they will be held responsible for any resulting damages. By not following the data controller's instructions and causing a security breach, the data processor could lead to a fine for the data controller under the KVKK. In many cases, data controllers have faced significant administrative fines due to security vulnerabilities. However, the processor may still be liable for compensating the fine, even if they acted correctly in other aspects of the task.

d. Loyalty Obligation

The personal data processing agreement fosters trust between the parties, expecting the data processor to carry out their duties in an honest and loyal manner while safeguarding the interests of the data controller. The loyalty obligation requires the data processor to perform their tasks in a way that best protects the data controller’s interests.

The loyalty obligation complements the duty of care. It encompasses both positive and negative duties: avoiding actions that could harm the data controller and taking actions beneficial to the data controller. The loyalty obligation encompasses duties such as providing information and maintaining confidentiality.

 After the contract ends, the data processor's responsibility to keep information confidential remains, as per the KVKK, particularly the provision that prohibits disclosing or misusing the data acquired during the data processing activities. The data processor is required to regularly update the data controller on tasks, issue necessary warnings, and retain relevant information. A personal data processing agreement establishes a relationship between the parties, allowing the processor to learn certain secrets about both the controller and the individuals whose data is processed. According to Article 12, Paragraph 5 of the KVKK, the data processor must refrain from disclosing information obtained during the data processing activities to others and using the data for purposes outside of the agreed processing purpose. This duty of confidentiality, also known as the data processor's obligation to maintain secrecy, remains valid even after the data processing contract ends.

e. Obligation to Inform the Data Subjects

According to Article 10 of the Turkish Civil Code (TBK), if an agreement is made between the parties, the data processor is obligated to inform the data subjects about the identity of the data controller and its representative (if applicable), the purposes for which personal data will be processed, the recipients of the data, the methods of data collection, the legal basis, and other rights specified by law. [6]

f. Accountability and Personal Data Return Obligation

The data controller has the right to request an account from the data processor regarding the work performed. Accountability includes providing information on whether the obligations under the contract have been fulfilled and the methods used in doing so. This right to request information may be exercised by the data controller both during the term of the agreement and after its termination.[7]

For the accountability obligation to be fulfilled fully and accurately, the data processor must keep records (logging) related to the data processing activities. [8] Although there is no explicit provision on this matter in the Turkish Personal Data Protection Law (KVKK), Article 30 of the GDPR imposes a record-keeping obligation on data processors.[9]

The accountability obligation is of great significance in reviewing whether the data processor has fulfilled their duties. Although it is considered an ancillary obligation, it plays a crucial role in determining whether the data processor has complied with the controller's instructions.

B. Obligations of the Data Controller

According to Article 502(3) of the Turkish Code of Obligations (TBK), if it is stipulated in the contract or there is an established custom, the agent is entitled to receive remuneration. Additionally, under Article 510(1) of the TBK, the principal is obligated to reimburse the agent for any expenses incurred and advances paid for the proper performance of the mandate, along with interest, and must release the agent from any liabilities assumed in the course of the mandate.

a. Obligation to Pay Remuneration

In a personal data processing agreement, the data controller is obliged to pay a fee if such remuneration is stipulated in the contract or established by custom. However, it is also legally permissible to conclude a personal data processing agreement without specifying a fee. In fact, remuneration is not considered an essential element of a mandate (agency) agreement under Turkish Code of Obligations.

b. Obligation to Cover Expenses and Advances

According to Article 510(1) of the Turkish Code of Obligations (TBK), the principal is obliged to reimburse the agent for expenses incurred and advances made, along with interest. When this provision is applied by analogy to personal data processing agreements, it is concluded that the data controller is similarly obliged to cover the expenses and advances made by the data processor in connection with the performance of the processing task, including applicable interest.

Even if no fee is agreed upon in a personal data processing agreement, the data processor may still request reimbursement for the expenses incurred and advances paid during the performance of their duties.

For the obligation to pay expenses and advances to arise, the data processing activity to be performed by the data processor must be carried out properly. However, the data processor will only be able to request expenses and advances from the data controller after fulfilling their obligations and completing the tasks as required.

c. Obligation of the Data Processor to Save the Data Controller from Liabilities Incurred on Their Behalf

According to the analogous application of Article 510, paragraph 1 of the Turkish Code of Obligations (TBK), the data controller is required to pay the debts incurred by the data processor as a result of carrying out data processing activities.[10]

The obligation of the data processor to be relieved from debt arises when the data processor enters into a debt obligation while acting both on their own behalf and in accordance with the data controller's interests. For this obligation to be valid, the data processor must have entered into a debt obligation for the purpose of personal data processing.

d. Obligation of the Data Processor to Compensate for Damages Incurred

According to Article 510/2 of the Turkish Code of Obligations (TBK), an agent may demand compensation for damages from the principal. However, the principal may be exempt from liability if they can prove they were not at fault. This rule also applies to personal data processing agreements. By analogy, it can be concluded that the data controller is obligated to compensate the data processor for any damages incurred.

The data processor's damage must result from the data controller's failure to fulfill their obligations. There must be a causal link between the damage and the data processing, and the data controller must not be able to prove they were not at fault. If these conditions are met, the data controller is required to compensate the data processor for the damage incurred. Additionally, the data controller's liability applies even in cases of free data processing, where strict liability applies.

SECTION TWO

1. TERMINATION OF PERSONAL DATA PROCESSING AGREEMENT

The general reasons for termination, such as performance completion, expiration of the contract term, impossibility of performance, or mutual termination (cancellation) agreements between the parties, are also applicable to personal data processing agreements. Specific termination reasons should also be considered by analogously applying the provisions related to the termination of agency agreements.

Article 512 of the Turkish Code of Obligations (TBK) states that the parties may unilaterally terminate an agency contract. A personal data processing agreement, on the other hand, terminates upon the fulfillment of obligations and the achievement of the contract's purpose.

Article 512 of the Turkish Code of Obligations (TBK) states that the parties may unilaterally terminate an agency contract. This provision also applies to personal data processing agreements. While one party may have the right to terminate the contract, terminating it at an inappropriate time may require compensation for any damages incurred.

In case of unilateral termination, the obligations of the data processor and the payment obligations of the data controller end, but the processor may still claim an appropriate fee for prior services. Additionally, Article 513, paragraph 1 of the Turkish Code of Obligations (TBK) provides that the agency contract ends in cases such as the death, loss of capacity, or bankruptcy of one of the parties. This provision can also apply to personal data processing contracts, terminating the agreement under such circumstances.

LIABILITY ARISING FROM BREACH OF PERSONAL DATA PROCESSING AGREEMENT

When a party to a contract fails to fulfill its obligations, it is considered a breach of the contract. In such a case, the party who breached the contract is obligated to compensate for the damages incurred, unless they prove their innocence.

For liability to arise under a personal data processing contract, there must be a resulting damage from the failure or improper performance of the data processor’s obligations, and a causal link between the damage and the breach of the contract.

In the personal data processing contract between the data controller and the data processor, the act of processing personal data constitutes a primary obligation. If this primary obligation is not properly performed, resulting in damage, the liable party is responsible for the damage. In this case, the provisions of Article 112 of the Turkish Code of Obligations (TBK) are applied. If the debtor fails to fulfill the obligation or performs it inadequately, they are required to compensate the creditor for the resulting damages unless the debtor proves that they are not at fault. According to an example given by Başara, “If a data processing agreement between the data processor and data controller states that the processor is responsible for backing up company employees' emails, and the emails of an employee are lost due to the processor's failure to regularly back them up, the company may suffer damage. In such a case, the data processor may be held liable for compensating the resulting damages.[11]”

Additionally, according to Article 11 of the KVKK, individuals whose personal data is processed have the right to request the data controller to remedy the damage. In the event of harm, the affected person can demand compensation from the data controller based on Article 11 of the KVKK.

The factors that sever the causal link are also applicable when determining responsibility arising from a violation of personal data processing. Force majeure, gross fault by the affected party, or the gross fault of a third party should be considered as events that break the causal connection. According to Başara, “If a cloud computing company responsible for backing up personal data suffers a server crash due to an unavoidable hacker attack, the data processor will not be held responsible for the damage caused by the third party’s gross negligence.[12]”

For liability to arise from a breach of contract, the data processor must be at fault. Fault can manifest as negligence if the data processor fails to exercise the expected care, or it can be more severe, appearing as intentional misconduct (intent).

CONCLUSION

A personal data processing agreement can be defined as a contract in which the data processor commits to processing personal data in accordance with the data controller’s instructions and in consideration of their interests, while the data controller agrees to pay a fee for the service rendered. The parties to the personal data processing agreement are the data controller and the data processor.

The elements of a personal data processing agreement include the processing of personal data, payment of fees, and the agreement between the parties. This agreement is not subject to any specific validity conditions.

The personal data processing agreement is a type of contract not specifically regulated by law, making it an unnamed (atypical) agreement. It is primarily governed by the provisions of a mandate contract. Similar to a mandate contract, the data processor undertakes to perform actions in accordance with the instructions and interests of the data controller. The data processor is also committed to ensuring the outcome of personal data processing.

The data processor's obligations arising from this agreement include carefully performing the data processing task in accordance with the data controller's instructions, providing information, maintaining confidentiality, enlightening data subjects, providing accountability, and returning personal data. The data controller is obliged to pay a fee if it is agreed upon in the contract or if there is an established practice to that effect.

In the termination of a personal data processing agreement, general reasons for termination such as the completion of the debt, expiration of the contract, impossibility of performance, or the mutual termination (cancellation) of the contract are applicable. Additionally, as a rule, the personal data processing agreement ends upon the death, incompetence, or bankruptcy of either the data processor or the data controller.

In the personal data processing agreement between the data controller and the data processor, the processing of personal data is considered a core obligation of the contract. If a loss occurs due to the failure to fulfill this core obligation, the data processor is responsible for compensating the damage unless they can prove that no fault can be attributed to them.

[1] TURAN BAŞARA, Gamze, Kişisel Veri İşleme Sözleşmesi, Dispute Court Journal, Issue 16, 2020, p.1

[2] OĞUZMAN and ÖZ p. 12

[3] ZEVKLİLER, Aydın/GÖKYAYLA, Emre, Özel Borç İlişkileri, 22^nd Edition, İstanbul, Vedat Kitapçılık, 2024, p. 12. (Direct Quotation: Taştan, p.130)

[4] EREN, p.742.

[5] TAŞTAN, p. 139.

[6] TAŞTAN, p. 143

[7] EREN, p.746 et seq.

[8] BAŞARA TURAN, p.

[9] BAŞARA TURAN, p.

[10] EREN, p.752.

[11] BAŞARA TURAN, p. 29.

[12] BAŞARA TURAN, p. 29.

REFERENCES

ARAL, Fahrettin / AYRANCI, Hasan, “Özel Borç İlişkileri,” 1^st Edition, İstanbul, Yetkin Yayıncılık, 2024.

AYÖZGER ÖNGÜN, Çiğdem A., “Kişisel Verilerin Korunması Hukuku,” 2^nd Edition, İstanbul, Beta Yayıncılık, 2019. Personal Data Protection Authority, “Implementation Guide on the Law on the Protection of Personal Data,” https://tls.tc/MeFDS, (Access Date: 24.10.2024.)

OĞUZMAN Kemal and ÖZ Turgut, “Borçlar Hukuku Genel Hükümler,” 17^th Edition, İstanbul, Vedat Kitapçılık, 2020.

TAŞTAN, Furkan Güven, “Türk Sözleşme Hukukunda Kişisel Verilerin Korunması,” 2^nd Edition, İstanbul, Oniki Levha Yayıncılık, 2017.

TURAN BAŞARA, Gamze, “Kişisel Veri İşleme Sözleşmesi,” Dispute Court Journal, Issue16, 2020, pp. 57-90.

UYARER Göçmen, “Kişisel Verilerin Korunması,” 2^nd Edition, Ankara, Seçkin Yayıncılık, 2020.

ZEVKLİLER, Aydın/GÖKYAYLA, Emre, “Özel Borç İlişkileri,” 22^nd Edition, İstanbul, Vedat Kitapçılık, 2024.