The “Regulation on Deletion, Destruction or Anonymization of Personal Data” has been published in Official Journal No. 30224, dated 28 October 2017, and will enter into force on 1 January 2018.
As is known, the “Law on Protection of Personal Data No. 6698,” which is intended to protect the fundamental rights and freedoms of persons, in particular their right to privacy with respect to the processing of personal data, and to set forth the principles and procedures that bind natural or legal persons who process personal data, was published in Official Journal No. 29677, dated 7 April 2016.
The provisions apply to natural persons whose personal data are processed as well as to natural or legal persons who process such data fully or partially through automatic or non-automatic means, which form part of a filing system or are intended to form part of a filing system.
For detailed information about the “Law on Protection of Personal Data No. 6698,” you can visit our website.
Although the Law on the Protection of Personal Data No. 6698 was published in the Official Journal in April 2016, the issuance of its implementing regulations has extended over a period of time. In this respect, the published “Regulation on Deletion, Destruction or Anonymization of Personal Data” will enter into force on 1 January 2018.
The Regulation determines the duties of data controllers with regard to the removal of personal data. Data controllers will have different duties and responsibilities depending on their status, that is, whether or not they are obliged to register in the Data Controller Registry. However, the question of which controllers must register has been left to secondary legislation.
The outline of the Regulation is as follows.
THE BASE AND SCOPE
As per Article 7 of Law No. 6698, personal data which is no longer necessary for the purposes of processing shall be deleted, destroyed or anonymized by the data controller, upon demand of the data subject or ex officio.
POLICY OF KEEPING AND DESTROYING PERSONAL DATA
Data controllers who are under the obligation to register in the Data Controller Registry shall prepare a policy of keeping and destroying personal data. (The real and legal persons who must register in the “Data Controller Registry” will be determined in secondary legislation.)
Preparing such a policy does not mean that the personal data has been deleted, destroyed or anonymized in line with the Law and the Regulation.
Data controllers who are not under the obligation to prepare a policy of keeping and destroying personal data remain responsible for deleting, destroying or anonymizing personal data in line with the Law and the Regulation.
SCOPE OF KEEPING AND DESTROYING PERSONAL DATA POLICY
The policy of keeping and destroying personal data shall contain at least the following information:
- Purpose of preparation of said policy,
- Recording media covered by the policy,
- Descriptions of legal and technical terms,
- Explanation of the legal, technical and other reasons that require the personal data to be deleted, destroyed or anonymized,
- Technical and administrative measures taken to prevent unlawful processing of and access to personal data,
- Technical and administrative measures taken for destruction of personal data,
- Titles, units and job descriptions of the persons who take part in the process of keeping and destroying personal data,
- Table showing the destruction periods,
- Periodical destruction times,
- Updates regarding existing policy of keeping and destroying personal data, if there is any.
DELETION, DESTRUCTION OR ANONYMIZATION OF PERSONAL DATA
If the reasons for processing personal data specified in Law No. 6698 no longer exist, the data shall be deleted, destroyed or anonymized by the data controller upon demand of the data subject, or ex officio.
All operations regarding the deletion, destruction and anonymization of personal data shall be recorded, and the records shall be kept for at least three years.
The data controller shall explain his methods in the related policy and procedures. The data controller is free to choose ex officio whether to destroy, delete or anonymize the personal data, unless a decision to the contrary has been taken by the Personal Data Protection Board.
DELETION OF PERSONAL DATA
Deletion is the process of rendering personal data inaccessible to, and not reusable by, the related users. The data controller shall take all technical and administrative measures for this purpose.
DESTRUCTION OF PERSONAL DATA
Destruction is the process of rendering personal data inaccessible, irretrievable and not reusable by anyone.
ANONYMIZATION OF PERSONAL DATA
Anonymization is the process of rendering personal data impossible to associate with an identified or identifiable natural person by any means, even when linked with other data.
PERIODS OF EX OFFICIO DESTRUCTION, DELETION OR ANONYMIZATION OF PERSONAL DATA
A data controller who has prepared a “personal data keeping and destroying policy” shall delete, destroy or anonymize the personal data at the first periodical destruction time following the date on which the obligation arises.
The time interval for periodical destruction is determined by the data controller in the policy of keeping and destroying personal data. This interval cannot exceed six months in any case.
Data controllers who are not under the obligation to prepare a “personal data keeping and destroying policy” shall delete, destroy or anonymize the personal data within three months following the date on which the obligation arises.
The Personal Data Protection Board may shorten these periods where unrecoverable damage occurs or in explicitly unlawful situations.
DELETION AND DESTRUCTION OF PERSONAL DATA UPON DEMAND OF THE DATA SUBJECT
When a data subject applies to the data controller for deletion or destruction of personal data belonging to him:
- If the reasons for processing the personal data no longer exist, the data controller shall delete, destroy or anonymize the related personal data. The data controller shall finalize the data subject's claim and inform him within 30 days.
- If the reasons for processing no longer exist and the personal data has been transferred to third parties, the data controller shall inform the third party of the situation so that the third party can carry out the necessary process within the scope of this Regulation.
- If the reasons for processing the data have not completely disappeared, the claim shall be rejected by the data controller, and the written rejection shall be notified to the related person within 30 days.