REGULATION ON THE DELETION, DESTRUCTION AND ANONYMIZATION OF PERSONAL DATA
Purpose, Scope, Basis and Definitions
ARTICLE 1 - (1) The purpose of this Regulation is to regulate the principles and procedures for the deletion, destruction or anonymization of personal data processed fully or partially by automatic ways as a part of any data recording system.
ARTICLE 2 - (1) Provisions of this Regulation shall be applied to data controllers in accordance with Article 7 of the Protection of Personal Data Act No. 6698 dated 24/3/2016.
ARTICLE 3 - (1) This Regulation has been prepared on the basis of the third paragraph of Article 7 of the Law No. 6698 and (e) of the first paragraph of Article 22.
ARTICLE 4 - (1) In the implementation of this Regulation;
a) Receiver group: Real or legal persons to which the data controller transfers personal data,
b) Relevant user: Except those who are responsible for the technical storage, preservation and backup of the data, those who process personal data within the organization of the data controller or with the authority given by the data controller
c) Destruction: The deletion, destruction or anonymization of personal data,
d) Law: Law No. 6698 on Protection of Personal Data dated 24/3/2016,
e) Recording medium: Any medium in which personal data is recorded to be processed fully or partially in automatic ways as a part of any data recording system.
f) Personal data processing inventory: An inventory where data controllers detail their data processing activities in accordance with business processes. The inventory shall have the following information; the details of the personal data being processed, the data categories, the recipient group and the data subject group, and the maximum period for the purposes for which the personal data are processed, the personal data are foreseen to be transferred to foreign countries, and the measures taken regarding data security,
g) Personal data retention and destruction policy: A policy prepared by Data Controllers determining the maximum period of time required for the purpose of processing personal data and rules regarding deletion, destruction or anonymization,
h) Board: Data Protection Board,
i) Periodic destruction: Periodic destruction, deletion or anoniymization of personal data that is no longer processed validly, as described in the Personal Data Retention and Destruction Policy,
j) Registry: The record of data held by the Presidency of the Data Protection Board,
k) Data recording system: The recording system in which personal data is structured according to certain criteria,
l) Data Controller: the actual or legal person determining the processing purposes and means of the personal data and responsible for the establishment and management of the data recording system,
(2) For definitions not included in this Regulation, the definitions in the Law apply.
Personal Data Retention and Destruction Policy
Principles on personal data storage and destruction policy
ARTICLE 5 - (1) Data controllers who are obliged to register to the Data Controllers Registry pursuant to Article 16 of the Law are obliged to prepare a personal data retention and destruction policy in accordance with the personal data processing inventory.
(2) Preparing a personal data retention and destruction policy; does not automatically mean that personal data has been stored, deleted, destroyed or made anonymous in accordance with the Laws and Regulations.
(3) Data controllers who are not under the obligation to prepare personal data retention and destruction policy shall continue to store, delete, destroy or anonymize personal data in accordance with the Law and this Regulation.
Scope of personal data retention and destruction policy
ARTICLE 6 - (1) The personal data retention and destruction policy shall at least cover information as to:
a) Purpose of preparing the personal data retention and destruction policy,
b) Recording mediums regulated by the Policy,
c) Definitions of legal and technical terms contained in the Policy,
d) Legal, technical or other grounds requiring the retention and destruction of personal data,
e) Technical and administrative measures taken to safeguard personal data safely and to prevent illegal processing and access to personal data,
f) Technical and administrative measures taken to ensure that personal data are destroyed in accordance with law,
g) Titles, units and job descriptions of those involved in the retention and destruction processes,
h) The table showing the retention and destruction periods,
i) Periodic destruction periods,
j) changes to the current policy if the current personal data retention and destruction policy has been updated,
Deletion, Destruction or Anonymization of Personal Data
ARTICLE 7 - (1) When processing conditions in Articles 5 and 6 of the Law cease to exist, the personal data must be deleted, destroyed or anonymized by the data controller ex-officio or upon the request of the data subject.
(2) It is necessary to comply with the general principles in Article 4 of the Law and the technical and administrative measures to be taken within the scope of Article 12, the provisions of the relevant legislation, decisions of the Board, and personal data retention and destruction policy while deleting, destructing or anonymizing personal data.
(3) All actions relating to the deletion, destruction and anonymization of personal data shall be recorded and shall be kept for at least three years.
(4) The data controller is responsible to disclose the methods used for the deletion, destruction, and anonymization of personal data in the relevant policies and procedures.
(5) The data controller shall select the appropriate method among deleting, destroying or anonymizing personal data unless a decision is taken by the Board. If data will be deleted, destroyed or anonymized upon the request of the data subject, the data controller shall inform the data subject of the method to be used for reasons of choosing such method.
Deleting personal data
ARTICLE 8 - (1) Deletion of personal data is the process of making personal data inaccessible to and not-usable by the relevant users.
(2) The data controller is obliged to take all necessary technical and administrative measures to ensure that deleted personal data is inaccessible to the relevant users and cannot be reused.
Destruction of personal data
ARTICLE 9 - (1) Deletion of personal data is the process of making personal data inaccessible to and not-usable by anyone.
(2) The Data Officer is obliged to take all necessary technical and administrative measures concerning the destruction of personal data.
Anonymization of personal data
ARTICLE 10 - (1) The anonymization of personal data is to make it impossible for such data to be associated with any identified or identifiable person in any way, even if the personal data is matched with other data.
(2) For personal data to be anonymized; the identity must be made irrelevant to a specific or identifiable person and this must be irrevocable. Personal data shall be in a state that cannot be retrieved by data controllers and third parties which received the data by matching such with other data or using certain techniques specific to the field.
(3) Data controller is obliged to take all necessary technical and administrative measures regarding anonymization of personal data.
Time to permanently delete, destroy or anonymize personal data
ARTICLE 11 - (1) Data controllers that have prepared a “personal data retention and destruction policy” shall delete, destroy or anonymize personal data in the first periodic destruction event when the obligation to destroy personal data materializes.
(2) The periodic destruction intervals shall be stipulated in the personal data retention and destruction policy. This period cannot exceed six months.
(3) Data controllers that are not under an obligation to prepare a “personal data retention and destruction policy” shall delete, destroy or anonymize personal data within three months as of the obligation to destroy personal data materializes.
(4) The Board may shorten the deadlines set forth in this article if a risk arises as to materialization of damages that are unavoidable or difficult to compensate or for cases that are openly against the law.
Deletion and destruction periods upon request by data subject
ARTICLE 12 - (1) When a data subject requests for the deletion or destruction of his / her personal data by applying to the Data Controller in accordance with Article 13 of the Law;
a) If all of the conditions for processing personal data have ceased to exist; the data controller deletes, destroys or anonymizes the personal data subject to the request. The data controller must conclude the request of the data subject within thirty days at the latest and must inform the data subject.
b) If all of the conditions for processing personal data have ceased to exist and personal data of the data subject has been transferred to a third party, the Data Controller shall notify the third party of this situation; and make sure that the third party shall carry out the necessary procedures within the scope of this Regulation.
c) If all of the processing conditions of the personal data have not ceased to exist, data subject’s request may be rejected by the Data Controller explaining the reasons in accordance with the third paragraph of Article 13 of the Law. Data Controller shall send a response to the data subject within 30 days of the request in written or electronic form.
Miscellaneous and Final Provisions
Elimination of hesitations
ARTICLE 13 - (1) The Board is authorized to make decisions about issues that are not stipulated in this Regulation in order to avoid any hesitations and issues related to the implementation of this Regulation. Further, the Board is authorized to direct and implement the application, to set the principles and standards and make necessary arrangements to ensure cooperation in the implementation of the Regulation and to request all kinds of information and documents required for this issue,
Entry into force
ARTICLE 14 - (1) This Regulation shall enter into force on 1/1/2018.
ARTICLE 15 - (1) The provisions of this Regulation shall be executed by the President.