ERDEM-NEWSLETTER-2018-metin
PERSONAL DATA PROTECTION

Data Controller and Processors

Data Controller

The data controller is a natural or legal person, public authority, agency or other body which, solely or jointly with others, determines the purposes and means of the processing of personal data. In other words, the organization that determines ‘why’ and ‘how’ the personal data should be processed is called the data controller. The data controller shall implement appropriate technical and organizational measures to ensure and to be able to demonstrate that processing is performed in accordance with the Regulation.

Data Processor

The data processor is a natural or legal person, public authority, agency, or other body that processes personal data on behalf of the data controller. Data processors shall process personal data only upon the instruction of the data controller. The processor shall not engage another processor without the prior written authorization of the data controller. The responsibilities of the processor shall be governed by a contract or other legal act under EU or Member State law. Also, the data processor, along with the data controller, shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk. When a personal data breach occurs, the data processor is obligated to notify the data controller without undue delay after becoming aware of such breach.

Representatives of Data Controllers or Processors not established in the EU

Provided that Article 3(2) [2] of the Regulation applies, a data controller or data processor not established in the EU shall designate, in writing, a representative in the EU.
The representative shall be established in one of the Member States where the data subjects

[2] Please see Article 3(2) of the Regulation, as follows: “This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to: (a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or (b) the monitoring of their behavior, insofar as their behaviour takes place within the Union”.