With the principle decision of the Personal Data Protection Board (“Board”) dated 23.12.2021 which was published on 20.01.2022, the definition of joint data controller which was not present in Turkish legislation is put in place.
While pursuant to GDPR a joint controller relationship arises where two or more controllers jointly determine the purposes and means of processing of personal data, Personal Data Protection Law or the secondary legislation did not include this concept. During the evaluation of a complaint with respect to the black list programs of vehicle leasing companies, the Board defined the joint data controller for the first time.
With this respect, while the leasing company that collects the personal data from customers is deemed as data controller, considering that other leasing companies which use blacklist programs can access and have control on the collected personal data, other leasing companies and software company which use the black list records for their own agenda are also deemed joint data controllers.
The Board also took another step and ruled that while determining the liability and fault with respect to data controllers, a case by case basis evaluation should be made. Accordingly, it is ruled that the criteria such as who the initial and last user of the data is, who made the entry of the personal data, the purpose of such entry, who decides the alteration or deletion or transmission of personal data, and the activities conducted by the other data controllers with such data should be taken into account.