A Comparative Approach to Joint Controllers
Introduction
The Personal Data Protection Law numbered 6698 (“PDPL”) introduces definitions for many concepts such as personal data, data controller, data processor and data subject. In terms of understanding and interpreting these concepts, secondary legislation, Personal Data Protection Authority (“Authority”) guidelines and Personal Data Protection Board (“Board”) decisions play a key role. On the other hand, the concept of “joint controller”, which is frequently brought up in data processing activities but not included within the scope of the PDPL, was considered and referenced for the first time by the Board with its decision dated 23/12/2021 and numbered 2021/1303.[1] Although the PDPL’s definition of data controller does not exclude the possibility of joint controllers, the decision addressing this concept for the first time, is noteworthy. In this Newsletter, the concept of joint controller will be discussed with respect to European and Turkish data protection legislation.
Joint Data Controller in European Union Legislation
Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (“Directive”), which is a guiding source for the preparation process of the PDPL and shares many similarities with, defines data controller as a person who, alone or jointly with others, determines the purposes and means of data processing. With this definition, it is clearly regulated that data controller can determine the purposes and means of data processing alone or jointly with others, while under the PDPL, data controller is defined as a natural or legal person who determines the purposes and means of processing and is responsible for the establishment and management of the data recording system. Considering the definition by the PDPL, although it does not explicitly exclude such concept, it does not offer any clarification as regards to joint controllers.[2]
On the other hand, the European Union General Data Protection Regulation (“GDPR”) elaborates the regulation introduced by the said Directive. Article 26/1 of the GDPR similarly recognizes the persons who jointly determine the purposes and means of data processing as joint controllers. In other words, the parties who jointly participate in determining the purposes and means of data processing are joint controllers. This participation may take place in the form of making decisions jointly, or it may take place in the form of complementary decisions and having a concrete effect on the determination of the purposes and means of processing. Another important criteria for determining joint controllers is that the processing is not possible without the participation of both parties, and that the participation of the parties is inseparably linked to each other.[3] On the other hand, the relationship between joint controllers may take different forms; they may not undertake data processing activities equally. Joint controllers may establish a close relationship by jointly determining all the purposes and means of processing, or they may have loose ties and determine purposes or means only.[4]
Article 26/1 of the GDPR further provides that, joint controllers shall in a transparent manner determine their respective responsibilities for compliance with the obligations under this Regulation, in particular as regards the exercising of the rights of the data subject and their respective duties to provide the information, by means of an arrangement between them unless, and in so far as, the respective responsibilities of the controllers are determined by Union or Member State law to which the controllers are subject.[5] The second paragraph of the same Article provides that an agreement must be concluded between joint controllers and that their roles and relationships with data subjects must be accurately reflected in this agreement. This facilitates the determination of liability for data processing activities where there is more than one data controller and the purposes and means of data processing are determined jointly by the parties.[6] However, if the arrangement between joint controllers does not fully reflect the relationship in accordance with Article 26/2 of the GDPR, actual arrangement should be considered.[7] Moreover, the last paragraph states that data subjects may assert their rights against any controller, regardless of the arrangement between the joint controllers, thereby reinforcing the protection provided to data subjects under the GDPR. Thus, the minimum level of protection established for data subjects under the GDPR is maintained and at least one controller is held liable for the data processing activities carried out.[8]
The opinion 1/2010 on the concepts of “controller” and “processor” by the Working Party which was established pursuant to Article 29 of the Directive sets out some scenarios for joint controllers. In one example, a travel agency sends personal data of its customers to airlines and hotel chain for travel booking. The correspondent airline and hotel confirm the availability of the requested seats and rooms, and the travel agency issues travel documents and invoices for its customers. In this scenario, the travel agency, the airline and the hotel are individually data controllers. There is no processing with common purposes and means; data is transferred between different data controllers. In another scenario, the travel agency, hotel chain and airline establish a common platform to establish cooperation for reservation management.[9] They agree on what data will be stored, how reservations will be received and confirmed, who will have access to data, and share customer data to conduct integrated marketing activities. In this case, the travel agency, airline and hotel chain have joint control over how data of their respective customers will be processed and therefore considered as joint controllers for data processing activities to be carried out on the platform.[10]
The principal decision (“Decision”) by the Board on blacklisting in the car rental industry
The Board decision dated 23.12.2021 and numbered 2021/1304, published in the Official Gazette dated 20.01.2022 and numbered 31725, introduced the concept of joint controller which is not regulated by the PDPL for the first time.[11] In the decision, it is stated that blacklisting in the car rental industry was identified in accordance with the notifications received by the Authority. The blacklisting practices by the car rental companies in question compile personal data of the customers and negative circumstances that arise during the use of the rented cars, and it is stated that a system that allows data sharing between car rental companies using the same software has been established. The software company manages the software and the database, and the car rental companies cannot intervene with the software, but only provide content. As a result, it has been determined that the personal data provided by real persons to companies in order to rent a car are transferred to the software with a blacklisting feature and data in question are shared with many users using the same software.
In the decision mentioned above, the Board repeats the conditions for data processing under Article 5 and the conditions for transfer under Article 8, and states that data controllers must take all kinds of administrative and technical measures to prevent unlawful processing of personal data in accordance with Article 12 of the PDPL. In addition, pursuant to the Identity Notification Law numbered 1774, car rental companies are obliged to keep the identity information and records of renting agreements, and to render information, documents and records available for the examination by law enforcement officers. Accordingly, companies are obliged to submit necessary data to the Rental Vehicle Notification System and process data in order to do so. In light of these explanations, it is stated that data processing activities of car rental companies, pursuant to Article 5/2 of the PDPL, satisfy the conditions of “being explicitly required by law”, “being mandatory for data controller to fulfill its legal obligation”; and also, it is possible for companies to process data because it is mandatory for the establishment and performance of a contract between the company and its customers. On the other hand, when the fundamental rights and freedoms of data subjects being the customers and the legitimate interests of data controllers for sharing personal data collected through certain practices such as blacklisting with other car rental companies is considered, it is concluded by the Board that the fundamental rights and freedoms of the data subject prevail. Therefore, the condition regulated under Article 5/2/f of the PDPL which suggest that “data processing is mandatory for the legitimate interests of the data controller, provided that it does not harm the fundamental rights and freedoms of the data subject” does not exist in the concrete case. In addition, the Board finds that rendering personal data accessible to third parties using the same software is contrary to the principles of being in compliance with the law and good faith; being processed for specific, explicit and legitimate purposes; and being connected, limited and proportionate to the purpose.
In light of the evaluations made, the Board considers car rental companies as data controllers. Most importantly, the Board considers car rental companies and software companies that use the blacklisting feature for their own benefit as joint controllers. It is stated that the responsibility of joint controllers is based on the course of data processing. The criteria taken as basis in this direction are exemplified as; (i) who is the first and last user of the data processed, (ii) by whom the data entry is made, (iii) for what purpose the data entry is made, (iv) who decides on modification, deletion or transfer of data, (v) what activities data controllers, excluding data collectors, carry out with the processed data. Finally, the Board draws attention to the fact that in the concrete case where personal data processed is shared with many car rental companies using the same software, it may be difficult for the data subjects to exercise their rights regulated under Article 11 of the PDPL against data controllers, as it is very difficult to identify the parties with whom data is shared.
- Please see for the summary of the decision. https://www.kvkk.gov.tr/Icerik/7288/2021-1303 (Access date: 06.03.2023)
- Dülger, Murat Volkan: Kişisel Verilerin Korunması Hukuku, İstanbul, Hukuk Akademisi, 3. Edition, 2020, p. 196-197.
- European Data Protection Board, “Guidelines 07/2020 on the concepts of controller and processor in the GDPR”, 02.09.2020, p. 3.
- Working Party 29; “Opinion 1/2010 on the concepts of “controller” and “processor”, 16.02.2010, p. 19.
- For the full text of the regulation, please see. https://gdpr-info.eu/
- Dülger, p. 197.
- WP29, p. 18 and 24.
- Dülger, p. 199. , Develioğlu, Hüseyin Murat: 6698 Sayılı Kişisel Verilerin Korunması Kanunu ile Karşılaştırmalı Olarak Avrupa Birliği Genel Veri Koruma Tüzüğü uyarınca Kişisel Verilerin Korunması Hukuku, İstanbul, On İki Levha Yayıncılık, 2017. Please see for Turkish translation of GDPR.
- WP29, p. 18.
- WP29, p. 19.
All rights of this article are reserved. This article may not be used, reproduced, copied, published, distributed, or otherwise disseminated without quotation or Erdem & Erdem Law Firm's written consent. Any content created without citing the resource or Erdem & Erdem Law Firm’s written consent is regularly tracked, and legal action will be taken in case of violation.
Other Contents
On September 2025, the Court of Justice of the European Union (“CJEU”) delivered its judgment in Single Resolution Board (SRB) v. European Data Protection Supervisor (EDPS), providing some clarification on the identifiability of data under the EU data protection regime. The case examined whether information that...
In Türkiye, it has recently become increasingly common, especially in retail stores, to send verification codes to data subjects by SMS during the provision of goods and services and to process personal data in this way. In the complaints submitted to the Personal Data Protection Board (“Board”), it has been...
In contemporary workplaces, employers frequently implement surveillance systems for reasons such as ensuring occupational health and safety, maintaining workplace order, operating internal control mechanisms, and preventing potential misconduct. However, such monitoring practices often raise significant...
Although the Turkish Personal Data Protection Law No. 6698 (KVKK) stipulates certain rules on cross-border personal data transfer, the effective functioning of the transfer rules was limited over time due to some difficulties in practice. In particular, until late 2024, the application process for permission to transfer...
Personal Data Protection Law numbered 6698 (“PDPL”) was first drafted based on the Directive 95/46/EC of the European Parliament and of the Council on the protection of individuals about the processing of personal data and on the free movement of such data, and entered into force in 2016...
Typically, when an employee departs, their corporate email account remains active and accessible to the employer for a period of time. During this time, the email archive and new incoming messages are forwarded to the employee's manager or another colleague...
In today's world, we now have the opportunity to purchase many products and services through e-commerce platforms with a single click from wherever we are. During these purchases, our personal data are collected and used through the websites or mobile applications of e-commerce platforms for various...
The processing of genetic data has the potential to affect not only the data subjects but also the persons with whom the data subject is genetically connected. “The Guidelines on Issues to be Considered in the Processing of Genetic Data” (“Guidelines”) published by the Personal Data Protection Authority...
In its decision regarding Case-300/21 and dated May 4, 2023, the Court of Justice of the European Union (“CJEU”) evaluates the right to compensation for an infringement of the European Union General Data Protection Regulation (“GDPR”) regulated in Article 82 of the GDPR. The CJEU decided that a mere...
The Covid-19 pandemic and recent technological developments have significantly accelerated the digital transformation of all sectors. However, this rapid change especially in the financial sector (mobile banking, e-commerce, contactless payments, etc.) has brought some risks along with making life extremely...
Smartwatches have undeniably revolutionized our lives in the past decade. Apart from their core function as a timepiece, these wearable computers packaged in the form of a watch enable us to answer incoming calls, reply to messages and skim through social media notifications in seconds. Their steady rechargeable...
The Personal Data Protection Authority (“DPA”), on 16.06.2022, published the Draft Guidelines on Examination of Loyalty Programs within the Scope of Personal Data Protection Legislation (“Draft Guidelines”). The public has until 16.07.2022 to submit comments on them, and after these are evaluated...
The German Competition Authority (“Bundeskartellamt”) had previously found Meta (formerly Facebook) responsible for abusing its dominant position in the social network market by collecting and processing the personal data of its users without their consent and imposed measures on Meta and its associated...
Banks process large volumes of personal data in their daily operations. In order to deal with this sensitive information, the Turkish Personal Data Protection Authority, in cooperation with the Banks Association of Turkey, published Good Practice Guidelines on Personal Data Protection in the Banking...
The procedural rules on mass claims within European Union (“EU”) Member States is not uniform. To improve the position of consumers who might wish to make such claims, the European Parliament passed the Collective Redress Directive (“Directive”). The impact of the Directive is expected to...
In February 2020, the European Commission (“Commission”) published “A European Strategy for Data” as part of a wider drive concerning digital transformation and policy. Through this communication, the European Union (“EU”), defining itself as having a leading role in the data economy...
The Regulation on Protection and Processing of Personal Data by the Social Security Institution (the “Regulation”), the purpose of which is to determine the procedures and principles for processing data obtained within the scope of the duties and authority of...
The Personal Information Protection Law of the People’s Republic of China (“PIPL”) passed at the 30th meeting of the Standing Committee of the 13th National People’s Congress on 20 August 2021 and entered into force on 1 November 2021 as per Article 74...
In today's world, there is no doubt that data has become one of the most valuable assets and resources for some companies. The ability to collect, store, process, and analyze data on a large scale has dramatically changed...
