Obligations of Personal Data Processors in the Processing of Personal Data

In the concept of Personal Data Protection (PDP), not only Personal Data Controllers but also Personal Data Processors play a crucial role. According to Law 27/2022 (PDP Law), a Personal Data Processor can be individual, public body, or international organization that processes personal data on behalf of a Personal Data Controller.

When a Personal Data Controller delegates the processing of personal data to another entity, the Personal Data Processor must adhere to certain obligations to ensure compliance with PDP regulations.

Key Obligations of Personal Data Processors (Article 51 of the PDP Law):

1. Follow Controller Instructions: Personal Data Processors must process personal data strictly according to the instructions given by the Personal Data Controller.

2. Comply with PDP Law: All data processing activities must align with the provisions of the PDP Law.

3. Controller Responsibility: The Personal Data Controller remains accountable for the data processing carried out by the Processor.

4. Involving Other Processors: Personal Data Processors can involve other processors in data processing activities.

5. Obtain Consent: Before engaging additional processors, the Personal Data Processor must get written consent from the Personal Data Controller.

6. Liability for Unauthorized Processing: If a Personal Data Processor processes data beyond the instructions or intended purposes set by the Controller, the Processor assumes responsibility for that processing.

In addition, there are obligations of the Personal Data Controller that also apply to the Personal Data Processor, as follows:

1. Maintain the accuracy, completeness, and consistency of personal data.

2. Keep records of all personal data processing activities.

3. Develop and implement technical and operational measures to protect personal data from disruptions.

4. Assess the security level of personal data considering its nature and associated risks.

5. Monitor all parties involved in data processing.

6. Protect the personal data from unauthorized access or processing.

7. appoint an official or officer who carries out the function of Personal Data Protection.

These obligations ensure that both Personal Data Controllers and Processors handle personal data responsibly and in compliance with legal standards, safeguarding the rights and privacy of data subjects.