NEWSLETTER-2019-metin

273 PERSONAL DATA PROTECTION Adata controller has the authority to decide on the following mat- ters: (i) Objectives and tools of collection of personal data; (ii) Methods of data processing; (iii) Types of personal data to be collected; (iv) Whether personal data is transferred, and conditions of trans- fer; (v) Periods and methods of data storage; (vi) Administrative and technical measures to be taken; and (vii) Destruction methods and other relevant matters set out under the Law. With regard to the identification of the data controller, the person (legal or real) who decides on the aforementioned matters is determi- nant. Through a data processing contract to be concluded with the data processor, the data controller may authorize the data processor to de- termine the systems and methods to be used for data collection, how the data will be stored, the details of the security measures to be taken, and the methods to be used for data transfer and storage, and proce- dures for the deletion, destruction and anonymization of the personal data. However, we would like to emphasize that this authorization does not mean that the data controller can assign his / her responsibili- ties arising from the Law to the data processor. The liability arising from data processing complying with the leg- islation would be on the data controller, in principle. In this case, legal persons, themselves, are data controllers. Within this framework, em- ployees or authorized persons who process personal data in companies shall not be considered as data controllers. For instance, individuals delivering and receiving documents as part of data processing activi- ties are not data controllers, but the company is.