Article 7 of the Data Protection Law provides that personal data processed in accordance with the Law and other legislation shall be erased, destroyed or anonymized, either ex officio or upon request of the data subject, when the reasons necessitating its processing cease to exist. The article also stipulates that the conditions and procedures for the erasure, destruction or anonymizing of personal data will be determined by a regulation. Accordingly, the new regulation on Erasure, Destruction or Anonymizing of Personal Data was published in the Official Gazette on October 28, 2017 and entered into force on January 1, 2018. Below we explain data controllers’ liabilities with respect to the erasure, destruction and anonymizing of personal data, and the conditions and procedures determined under the regulation.
I. LEGAL BACKGROUND
Data Protection Law numbered 6698 (published in the Official Gazette dated April 7, 2016 and numbered 29677) (the “Law”);
Regulation on Erasure, Destruction or Anonymizing of Personal Data (published in the Official Gazette dated October 28, 2017 and numbered 30224) (the “Regulation”);
Turkish Criminal Code numbered 5237 (published in the Official Gazette dated October 12, 2004 and numbered 25611) (the “Criminal Code”).
II. ERASURE, DESTRUCTION OR ANONYMIZING OF PERSONAL DATA
According to the Regulation, Data Controllers shall keep all records regarding the erasure, destruction and anonymizing of personal data for at least three years.
Pursuant to Article 7 of the Law, personal data processed in accordance with the Law and other relevant laws shall be erased, destroyed or anonymized, either ex officio or upon request of the data subject, when the reasons necessitating its processing cease to exist.
The Regulation defines the respective actions as follows: (i) erasure means making personal data inaccessible and unusable for all relevant parties; (ii) destruction means making personal data inaccessible, unusable and unrecoverable; (iii) anonymizing means ensuring that the personal data cannot be associated with an identifiable real person even if it is combined with other data.
The Data Controller shall take all necessary technical and administrative measures to ensure that the respective actions are duly performed.
A. EX OFFICIO
As per Article 16 of the Law, natural or legal persons who process personal data shall register with the Data Controllers Registry before they begin processing. These registered Data Controllers shall prepare a data retention and destruction policy in accordance with their personal data inventory. The policy shall set out the data retention and destruction periods and the timing of periodical destruction. Data Controllers that have such a policy shall follow the periods it determines. Information regarding data retention and destruction policy is explained in more detail in Section
Moreover, in the event of ex officio erasure, destruction or anonymizing, the Data Controller is free to choose which action to take, unless the Board has decided otherwise.
B. UPON REQUEST OF THE DATA SUBJECT
If the data subject requests the erasure, destruction or anonymizing of personal data and all of the conditions for processing the data have ceased to exist, the Data Controller is obliged to erase, destroy or anonymize the personal data subject to the request. The Data Controller shall complete this process and inform the data subject within thirty days.
If the reasons for processing the data have ceased to exist and the personal data has been transferred to third parties, the Data Controller shall inform the relevant third party of the situation. The third party shall then carry out the necessary process pursuant to the Regulation.
If the conditions for processing the data have not fully ceased to exist, the Data Controller may reject the request by explaining the reason, and the rejection shall be notified to the person concerned within thirty days.
III. DATA RETENTION AND DESTRUCTION POLICY
According to the Regulation, the data retention and destruction policy shall be open to the public and must include the following information:
- Purpose of preparation of the policy,
- Data recording medium designated by the policy,
- Definitions of legal and technical terms used in the policy,
- Legal, technical or any other explanation regarding causes of the data retention and destruction,
- Technical and administrative measures taken in order to protect personal data and prevent unlawful data processing and access,
- Technical and administrative measures taken in order to lawfully destroy personal data,
- Title, department and job definition of the people who are involved in the process of data retention and destruction,
- A chart which indicates timing of data retention and destruction,
- Periodical destruction timing,
- Information regarding amendments made to the data recording and destruction, if available.
The policy shall also include the periodical destruction periods; in any case, the periodical destruction period shall not exceed six months.
Data Controllers who are not obliged to prepare a data processing and destruction policy shall erase, destroy and anonymize personal data within three months starting from the date the obligation arose.
Pursuant to Article 138 of the Turkish Criminal Code, failure to fulfill the destruction obligation within the time specified by the Regulation is punishable by imprisonment of six months to one year.
The information provided in this article is general and may not apply in a specific situation. Legal advice should always be sought before taking any legal action based on the information provided. The information is not intended to create, nor does receipt of it constitute, an attorney-client relationship.