The Position of the Software Used by Businesses in Terms of Personal Data Protection Legislation

Under the Law on the Protection of Personal Data (‘LPPD’) and its secondary legislation, the titles taken into account in the obligations regarding personal data appear to be data controller and data processor. Just as being a natural person is the condition for having the title of data subject, being a ‘person recognised by the law’ comes to the fore as the condition for being a data controller. Accordingly, both natural persons and legal entities can have the title of data controller.

The title of data processor, by contrast, presents a special situation. In addition to the points above, it can be said that some service provider software used by businesses also acts as a data processor.

According to the Data Controller and Data Processor Guide of the LPPD, ‘Cloud Service Providers’ are data processors. The Guide states: ‘In the event that a public organisation enters into a contract with a cloud service provider for the storage of the personal data it collects, the cloud service provider is a data processor. This is because it is not possible for the cloud service provider to use the data for its own purposes pursuant to the contract between the parties. In addition, the cloud service provider does not collect data itself. Its only activity is to store the personal data received from the public institution in accordance with the instructions of the public institution.’ It thereby argues that service providers with legal personality have the title of data processor.

The interpretation in this article, that the software explained here has the title of data processor, is therefore made by comparison with the explanation in the relevant guide.

The same does not hold for the data controller because the definition in the LPPD specifically includes a decision-making activity. Within the framework of Web 3.0, it was not possible for the relevant software to determine the purposes and means of processing personal data or to be responsible for the establishment and management of the data recording system.

However, if the decision-making mechanisms change with the opportunities of Web 4.0, we believe that the condition of ‘natural and legal person’ sought in the definitions of the LPPD may be relaxed in the capacity of data controller as well as in the capacity of data processor.

In this article, we describe the best-known software that is indispensable especially for corporate companies, together with its areas of use, and examine the positions it holds and may hold under the LPPD.

SAP – System Application Product
SAP, which stands for Systems, Applications and Products, aims to help businesses monitor business and customer interactions. SAP is a computer programme from a German software company. It has made its mark mostly in the fields of enterprise resource planning (ERP) and data management programmes.

SAP is a programme produced by five people who had worked at IBM. In 1972, it initially worked for only one customer. The software adopted the vision of processing data according to the users’ requests. In the same year, they developed a real-time card and payroll system as a German branch.

The SAP programme includes components that aim to provide many benefits to its customers.

Popular SAP applications include ERP (enterprise resource planning), SCM (supply chain management), BI (business intelligence) and CRM (customer relationship management).

The SAP programme also supports working over the cloud. Future plans for the company may include mixed distribution and cloud models.

SAP applications can be deployed in two-tier and three-tier architectures. The layers are the presentation layer, the application layer and the database layer. Between them, these layers store data, execute customer transactions and handle presentation and interface operations.

CRM – Customer Relationship Management
CRM, which stands for Customer Relationship Management, is a set of technologies, strategies and applications that companies use to strengthen commercial relations and increase profitability thanks to the data generated by recording all customer interactions.

CRM software provides organisations with a platform where all customer interactions are recorded in a single source and the sales process can be tracked, enabling better internal communication, better customer service and a better-managed sales organisation. It contains many features for easy tracking of all sales stages, from the first contact with prospective customers to after-sales services.

Company managers use CRM to manage the sales organisation, measure sales performance and improve processes, while sales teams use it to prepare proposals, track orders, access past sales, record all information and retrieve this information quickly whenever they wish.

The information recorded in CRM in a certain order ensures that all employees of a company can access the necessary information whenever they need it.

When a customer of a company using CRM calls the office, even if the person answering the phone does not recognise the customer, he/she can continue to provide service by quickly accessing all records, and record the customer’s new requests in CRM so that his/her teammates can see them.

The ability of the entire team to see how customers are communicated with, what products they buy, when they buy and more means increased cooperation and efficiency in companies.

ERP – Enterprise Resource Planning
ERP, which stands for Enterprise Resource Planning, is the general name of systems and software developed to ensure or support the end-to-end management and efficient use of enterprises’ resources (human resources, physical resources and financial resources) by bringing them together.

A classical ERP software uses various software and hardware of the computer to perform operations. ERP systems basically use an integrated database where different data can be stored.

ERP systems are where all data is collected, such as customer orders from the time they are received by customer representatives until they are shipped, and invoice information sent by finance. Although ERP was born from the need to plan for the continuation of production and carries ‘planning’ in its name, the work is essentially management.

ERP projects provide fast and large-scale benefits. The main goal to be achieved with ERP is to obtain results that can be converted into decisions by bringing together the data of the enterprise.

ERP systems can also be offered as a single piece of software that combines two or more software programs. Such systems are called ERP software packages.

ERP is a structure that gathers software modules that enable the enterprise to manage different business types and activities under a single database. Within an ERP software, there are various applications that usually work independently.

These can be summarised as:

Production Management
Finance Management
Material Inventory Management
Sales Management
Customer Relationship Management
Human Resources Management
Budget Management
Foreign Trade Management
Quality Management
Care Management
After Sales Services
Business Intelligence

While ERP software transforms the business towards a structure that connects all departments of the business, it supports the harmonisation between departments and processes for issues and jobs that are viewed from different aspects in the business. Thus, by transforming the verbal business forms of the enterprise into numbers, data and reports, it gives the enterprise and managers the opportunity to make an objective decision.

Joint Responsibility of Data Controller and Data Processor vs. Joint Data Controller Concept

The concept of ‘joint data controller’ has been added to the titles in the Personal Data Protection Legislation with the recent principle decision. In the principle decision, it is seen that the initiation of a blacklist application by more than one car rental company using a single system is likened to the issue of ‘determination of the purposes and means of data processing by more than one data controller’, which is familiar from GDPR practices, and the joint data controller is included in the Turkish data protection legislation.

As long as the ‘decision-making activity’ mentioned in the introduction does not exist, neither data controllership nor joint data controllership can be said to exist. The relevant software carries out data processing activities only within the limits set by the data controllers and only for the use of the data controller. Therefore, the relevant software can only have the title of data processor under today’s conditions.

In this context, it would not be wrong to interpret that if the software goes beyond the limits set by the data controller, it will be considered a data controller and will bear joint responsibility as a joint data controller.

It should be noted here that the joint responsibility of the data processor and the data controller within the meaning of the Personal Data Protection Law may be possible in the event of any breach arising from the relevant software even without having the title of joint data controller.

In the event of a breach that occurs in the control area of the data processor, the data controller may be relieved of its responsibility by taking ‘all possible measures’, and if there is a security vulnerability in the relevant software, they may be held liable and sanctioned. The right of recourse that the data controller may use against the data processor is always reserved.

In the event that the personal data held by the data processor is obtained by others through unlawful means, the data processor must notify the data controller without any delay.

CONCLUSION
The relevant software can be interpreted as acting as a data processor under today’s conditions. Even so, while the current dynamics remain unchanged and the software does not act as a data controller by going beyond the limits drawn by the data controller, it is important that the data controllers who use the software explained above act with the awareness that the Board is still the primary addressee.

In the case of breaches that occur through the relevant software, data controllers are expected to take all technical and administrative measures that can be taken; otherwise, it is highly likely that the breach will be assessed as having been carried out by them.

However, data controllers should keep in mind that in case of breaches that do not occur in their presence, they can use their rights arising from general law such as recourse against the relevant software acting as data processors, and that they have powers such as supervision and instruction arising from the relationship between the data controller and the data processor before the breach occurs.