Data Processing Agreements in Turkey: Key Clauses for Businesses

Introduction

Data processing agreements in Turkey have become essential for businesses that outsource services involving personal data. Companies increasingly rely on cloud providers, payroll companies, call centers, CRM systems, SaaS platforms, marketing agencies, payment service providers, cargo companies, IT support firms, accounting offices, HR software vendors, cybersecurity providers, analytics tools, and artificial intelligence service providers. In almost every outsourcing relationship, one party may process personal data on behalf of another.

Turkey’s main personal data protection legislation is Law No. 6698 on the Protection of Personal Data, commonly known as KVKK. KVKK defines a data controller as the person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data filing system. It defines a data processor as the person who processes personal data on behalf of the data controller based on the controller’s authorization.

Although KVKK does not contain a detailed “Article 28 GDPR-style” mandatory contract clause list, data processing agreements are highly important under Turkish law. The reason is simple: Article 12 of KVKK imposes data security obligations on the data controller and provides that where personal data is processed by another person on behalf of the controller, the controller is jointly responsible with that person for taking security measures.

Therefore, a well-drafted data processing agreement is not merely a commercial document. It is a compliance tool, a risk allocation mechanism, an evidence document, and an operational roadmap for how personal data must be handled.

What Is a Data Processing Agreement?

A Data Processing Agreement, often abbreviated as DPA, is a contract or contractual addendum between a data controller and a data processor. Its purpose is to regulate how the processor may process personal data on behalf of the controller. It defines the processor’s authority, limits, confidentiality obligations, security duties, sub-processor rules, breach notification duties, deletion or return obligations, audit rights, cross-border transfer restrictions, and liability framework.

For example, a Turkish e-commerce company using a foreign cloud provider may need a DPA with that provider. An employer outsourcing payroll operations to a third-party payroll firm should have a DPA. A hospital using a medical software vendor should regulate how patient data is processed. A company using a call center should define what customer data the call center may access and for what purposes.

A DPA should not be confused with a privacy notice, explicit consent form, service agreement, or standard contract for cross-border transfers. These documents may be connected, but they serve different legal functions. A privacy notice informs data subjects. Explicit consent records the data subject’s approval where consent is required. A service agreement regulates the commercial relationship. A DPA regulates data processing duties between the controller and processor. A cross-border transfer standard contract under KVKK Article 9 is a specific transfer mechanism for international data transfers.

Why Data Processing Agreements Matter Under KVKK

Under KVKK Article 12, the data controller must take all necessary technical and organizational measures to provide an appropriate level of security for preventing unlawful processing, preventing unlawful access, and ensuring protection of personal data. Where personal data is processed by another person on behalf of the controller, the controller is jointly responsible with that person for taking these measures.

This joint responsibility makes DPAs commercially and legally important. If a vendor mishandles personal data, the controller may still face regulatory scrutiny. A company cannot simply say, “The vendor caused the breach.” The controller must show that it selected the vendor carefully, imposed proper contractual obligations, monitored compliance where appropriate, and ensured that the vendor followed adequate security measures.

For this reason, vendor contracts involving personal data should not remain silent on privacy and data security. A vague confidentiality clause is not enough. A DPA should specify what the processor can and cannot do with personal data.

Controller and Processor: Correct Role Classification

The first step in drafting a DPA is determining the roles of the parties. A data controller determines why and how personal data is processed. A data processor processes personal data on behalf of the controller and according to its authorization.

Role classification is not always obvious. A cloud hosting provider may be a processor when it stores customer data for a business. A payroll company may be a processor when it processes employee salary data according to the employer’s instructions. A marketing agency may be a processor if it sends campaigns only on behalf of the client and does not use the data for its own purposes.

However, some service providers may act as independent data controllers. For example, a bank, insurance company, public authority, courier company, or payment institution may process some personal data for its own legal obligations and operational purposes. A platform provider may be a processor for customer-uploaded data but a controller for its own billing, analytics, support, security, and account management data.

A DPA should not be used blindly. If both parties are independent controllers, a controller-to-controller data sharing agreement may be more appropriate. If one party processes data only under the other party’s instructions, a controller-to-processor DPA is usually appropriate.

Key Clause 1: Subject Matter and Scope of Processing

Every DPA should define the subject matter and scope of processing. This clause should answer several basic questions: What services are being provided? What personal data will be processed? Which data subjects are affected? Why is the processor processing the data? How long will the processing continue?

For example, a payroll DPA may state that the processor will process employee identity, salary, bank account, social security, tax, and leave data solely for payroll calculation and related reporting services. A cloud services DPA may state that the processor will store and host customer account data, order data, logs, and support records only to provide hosting services.

A vague clause such as “the processor may process all necessary data for service provision” is weak. The scope should be specific enough to support transparency, accountability, and auditability.

Key Clause 2: Processing Only on Documented Instructions

A core DPA clause should require the processor to process personal data only on the controller’s documented instructions. The processor should not use the data for its own marketing, analytics, product development, resale, profiling, or unrelated commercial purposes unless a separate lawful basis and role assessment exists.

This clause is especially important for SaaS providers, AI tools, marketing platforms, analytics providers, and cloud vendors. Some vendors may want to use customer data to improve their services or train algorithms. If the controller has not authorized such use and if the processing lacks a valid legal basis, this may create KVKK risk.

The DPA should also state what happens if the processor believes an instruction violates Turkish data protection law. A practical clause may require the processor to notify the controller promptly and suspend the disputed processing until clarified.

Key Clause 3: Confidentiality Obligations

The processor should ensure that persons authorized to process personal data are bound by confidentiality obligations. Article 12 of KVKK states that data controllers and processors must not disclose personal data contrary to the law or use it for purposes other than processing, and that this obligation continues after they leave office.

A DPA should require the processor to impose confidentiality duties on employees, contractors, temporary staff, support teams, and sub-processors. This is crucial for call centers, IT support providers, HR providers, accounting firms, software vendors, and healthcare service vendors.

Confidentiality should not be limited to trade secrets. It should expressly include personal data, special categories of personal data, customer records, employee files, health data, financial data, login credentials, and any other data processed under the agreement.

Key Clause 4: Technical and Organizational Security Measures

Security measures are one of the most important DPA sections. KVKK Article 12 requires appropriate technical and organizational measures to prevent unlawful processing, prevent unlawful access, and ensure protection of personal data.

A strong DPA should list or attach the security measures expected from the processor. These may include access control, encryption, secure authentication, multi-factor authentication, logging, malware protection, network security, secure backups, vulnerability management, patch management, physical security, secure deletion, role-based authorization, employee training, incident response procedures, and periodic audits.

The exact measures should depend on the nature of the data and service. A vendor processing health data, biometric data, financial data, children’s data, or large-scale customer data should be held to stronger standards than a vendor processing limited business contact information.

Key Clause 5: Special Categories of Personal Data

If the processor handles special categories of personal data, the DPA should contain stricter clauses. Special categories under KVKK include data relating to race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance, association, foundation or trade union membership, health, sexual life, criminal convictions and security measures, biometric data, and genetic data.

Examples include a hospital software vendor processing patient records, an employer’s occupational health provider processing medical reports, a biometric access system provider processing fingerprint or facial recognition templates, or an HR vendor processing criminal record data.

For sensitive data, the DPA should require enhanced access control, encryption, separate storage where appropriate, strict retention limits, confidentiality training, logging, restricted sub-processing, and specific incident response measures.

Key Clause 6: Sub-Processor Restrictions

A processor should not be allowed to appoint sub-processors freely. Sub-processing means that the processor engages another party to process personal data on behalf of the controller. This is common in cloud hosting, customer support, software development, email delivery, analytics, storage, and technical maintenance.

The DPA should require the controller’s prior specific or general written authorization before sub-processors are used. If general authorization is given, the processor should notify the controller before adding or replacing sub-processors and give the controller a reasonable opportunity to object.

The processor should also impose equivalent data protection obligations on sub-processors. If the original processor is required to maintain encryption, confidentiality, breach notification, deletion, and audit duties, the sub-processor should be bound by similar obligations.

Key Clause 7: Data Breach Notification

Data breach clauses are critical. Under KVKK Article 12, if processed personal data is obtained by others through unlawful means, the controller must notify the data subject and the Personal Data Protection Board within the shortest time.

Because the controller has notification duties, the processor must report incidents quickly. A DPA should require the processor to notify the controller immediately after becoming aware of a suspected or confirmed personal data breach. The clause should avoid vague wording such as “within a reasonable time.” A stronger clause may require notification without delay and, where possible, within a defined short period such as 24 hours.

The processor should provide available details about the incident, including affected systems, categories of personal data, affected data subjects, likely consequences, containment measures, forensic findings, and remedial steps. The processor should also cooperate with the controller in Board notifications and data subject communications.

Key Clause 8: Assistance With Data Subject Requests

Data subjects have rights under KVKK, including the right to learn whether their personal data is processed, request information, learn the purpose of processing, know third parties to whom data is transferred, request correction, request deletion or destruction under legal conditions, object to adverse results from automated analysis, and claim compensation for unlawful processing.

A controller may need the processor’s help to respond to these requests. For example, a SaaS provider may need to export or delete user data. A cloud provider may need to assist with retrieval. A call center may need to locate recordings. A payroll provider may need to correct employee data.

The DPA should require the processor to promptly forward any data subject request it receives and to assist the controller in responding within legal time limits.

Key Clause 9: Return, Deletion, or Destruction of Data

At the end of the service relationship, the processor should not keep the controller’s personal data indefinitely. KVKK requires personal data to be erased, destroyed, or anonymized when the reasons requiring processing no longer exist. The By-Law on Erasure, Destruction or Anonymization also defines the relevant concepts and regulates disposal obligations.

The DPA should state whether the processor must return, delete, destroy, or anonymize personal data after termination. It should also address backups, logs, archived records, legal retention obligations, and confirmation certificates.

For example, a cloud vendor may need to delete active data within a short period after termination and delete backup copies according to a defined backup rotation period. A payroll provider may be legally required to retain some records for statutory reasons, but should not keep unnecessary copies beyond that purpose.

Key Clause 10: Audit and Compliance Rights

A DPA should give the controller reasonable rights to verify the processor’s compliance. This does not always mean unlimited on-site audits. Depending on the relationship, audit rights may include security questionnaires, independent audit reports, ISO certificates, penetration test summaries, documentation review, remote audits, or on-site inspections for high-risk processing.

Audit clauses are particularly important where the processor handles large-scale data, special categories of data, financial data, health data, or critical business systems. The controller should be able to demonstrate that it selected and monitored the processor responsibly.

The DPA should also require the processor to maintain records showing compliance with contractual obligations, security measures, breach response procedures, sub-processor controls, and deletion duties.

Key Clause 11: International Data Transfers

Many data processing relationships involve cross-border transfers. A Turkish controller may use foreign cloud infrastructure, global SaaS tools, overseas support teams, international payroll platforms, foreign CRM systems, or multinational group databases.

KVKK Article 9 was amended in 2024. Under the amended regime, personal data may be transferred abroad if one of the processing conditions under Articles 5 or 6 exists and there is an adequacy decision. If no adequacy decision exists, transfers may be possible through appropriate safeguards such as standard contracts, binding corporate rules, or written commitments approved by the Board. Standard contracts must be notified to the Authority within five business days after signature.

The Turkish Personal Data Protection Authority has published four standard contract modules for transfers abroad: controller-to-controller, controller-to-processor, processor-to-processor, and processor-to-controller.

A DPA should therefore regulate whether the processor may transfer personal data abroad, which countries are involved, which systems are used, whether foreign support teams may access data, whether sub-processors are located abroad, and which Article 9 mechanism applies. The DPA and any standard contract should be consistent, but they should not be confused with each other.

Key Clause 12: Purpose Limitation and Prohibition on Unauthorized Use

The processor should be prohibited from using personal data for purposes outside the agreement. This includes unauthorized marketing, data enrichment, model training, analytics, profiling, resale, employee training, or internal product improvement unless clearly permitted and legally assessed.

This clause is increasingly important for AI vendors and SaaS providers. If a vendor uses customer data to train artificial intelligence models, improve algorithms, or develop new products, the parties must assess whether the vendor remains a processor or becomes an independent controller for that use. The controller must also consider transparency, legal basis, special category data, and cross-border transfer issues.

Key Clause 13: Data Minimization and Access Limitation

A processor should access only the data necessary to provide the service. The DPA should require role-based access, least-privilege principles, access reviews, and prompt revocation of access when personnel leave or change roles.

For example, a customer support provider may need access to names, contact details, orders, and support tickets, but not full payment card data or unrelated marketing profiles. A payroll provider may need employee salary and tax data, but not workplace camera footage. An IT support vendor may need temporary technical access, but not unrestricted permanent access to all files.

Data minimization should also apply to data copies. The processor should not create unnecessary local copies, exports, spreadsheets, or backups unless required for the service.

Key Clause 14: Liability and Indemnity

A DPA should include liability provisions for violations of data protection obligations. These may include liability for unauthorized processing, security failures, breach notification delays, unlawful sub-processing, failure to delete data, unlawful transfers, or breach of confidentiality.

The commercial allocation of liability depends on bargaining power, sector, risk, insurance, and the nature of the processing. However, from a compliance perspective, the DPA should not leave privacy obligations without consequences.

Businesses should also review whether cyber insurance, professional liability insurance, or contractual indemnities cover data breaches, regulatory investigations, notification costs, forensic costs, and third-party claims.

Key Clause 15: Cooperation With Authorities

The DPA should require the processor to cooperate with the controller in case of regulatory inquiries, Personal Data Protection Board requests, audits, complaints, or investigations. If the Board requests information about a processing activity handled by the processor, the controller may need quick access to logs, contracts, technical documents, security measures, incident records, and sub-processor details.

Without a cooperation clause, the controller may struggle to respond to regulators in time.

Data Processing Agreements and VERBIS

VERBIS is the Data Controllers’ Registry Information System. The By-Law on Data Controllers Registry states that data controllers must register with the Registry before starting data processing unless exempt, and that registration information is based on the personal data processing inventory.

A DPA should be consistent with the controller’s VERBIS records and data inventory. If VERBIS states that data is transferred to certain recipient groups or abroad, vendor contracts should reflect those relationships. If a company’s inventory lists cloud providers, payroll providers, call centers, or marketing vendors, DPAs should exist where appropriate.

Inconsistencies between VERBIS, privacy notices, vendor contracts, and actual processing activities may create compliance risk.

Common Mistakes in Data Processing Agreements

One common mistake is using a generic DPA copied from foreign templates without adapting it to KVKK. Another mistake is relying only on confidentiality clauses without regulating security, sub-processors, breaches, deletion, and audit rights.

A third mistake is failing to classify roles correctly. Some parties are independent controllers, not processors. Using the wrong agreement may create legal confusion.

A fourth mistake is ignoring cross-border transfers. A processor may use foreign servers, foreign support teams, or foreign sub-processors. This must be assessed under Article 9.

A fifth mistake is allowing vendors to use personal data for their own analytics or AI training without clear authorization and legal basis.

A sixth mistake is failing to impose prompt breach notification duties on processors. If the processor delays, the controller may miss regulatory deadlines.

A seventh mistake is failing to update DPAs when services change. New modules, new sub-processors, new data categories, or new countries may require revised contractual terms.

Practical DPA Checklist for Businesses in Turkey

A strong Turkish DPA should include:

  1. Identification of controller and processor roles.
  2. Description of services and processing activities.
  3. Categories of personal data.
  4. Categories of data subjects.
  5. Processing purposes.
  6. Processing duration.
  7. Obligation to process only on documented instructions.
  8. Confidentiality obligations.
  9. Technical and organizational security measures.
  10. Special category data safeguards where relevant.
  11. Sub-processor authorization rules.
  12. Domestic and international transfer restrictions.
  13. Breach notification duties.
  14. Assistance with data subject requests.
  15. Assistance with regulatory inquiries.
  16. Return, deletion, destruction, or anonymization obligations.
  17. Audit and documentation rights.
  18. Data minimization and access limitation duties.
  19. Liability and indemnity provisions.
  20. Termination and survival clauses.

Sector-Specific Considerations

E-commerce companies should use DPAs with cloud providers, payment-related service providers, call centers, cargo integrations, CRM systems, email marketing tools, SMS providers, analytics platforms, and customer support vendors.

Employers should use DPAs with payroll providers, HR software vendors, occupational health providers, recruitment platforms, employee benefit providers, and IT support companies.

Healthcare providers should use stricter DPAs with hospital information system vendors, laboratories, medical software providers, archiving companies, appointment systems, call centers, cloud providers, and medical tourism partners. Health data is a special category of personal data, so enhanced safeguards are required.

Financial and fintech companies should pay special attention to identity verification vendors, fraud detection tools, payment processors, cloud infrastructure, customer support platforms, and cybersecurity providers.

Technology companies and SaaS providers should clearly distinguish when they act as processors for customers and when they act as controllers for their own data.

Conclusion

Data processing agreements in Turkey are essential for businesses that outsource personal data processing. Even though KVKK does not provide a long mandatory clause list like the GDPR, Article 12 creates strong practical and legal reasons for controllers to regulate processor relationships carefully. The controller remains responsible for ensuring appropriate security, and where processing is carried out by another person on behalf of the controller, both parties may be responsible for security measures.

A strong DPA should define processing scope, roles, instructions, confidentiality, security measures, sub-processors, breach notification, data subject request support, deletion duties, audit rights, international transfers, and liability. It should also align with privacy notices, VERBIS records, data inventories, retention policies, and cross-border transfer documentation.

For companies operating in Turkey, DPAs are not just legal paperwork. They are core instruments of vendor governance, cybersecurity, regulatory compliance, and commercial risk management. A business that carefully drafts and manages its data processing agreements is better positioned to prevent data breaches, respond to regulatory inquiries, protect customer and employee trust, and demonstrate responsible KVKK compliance.
