Draft Regulation on Deleting, Disposal and Anonymization of Personal Data Has Been Published

As per the Law on Protection of Personal Data (“Law”) numbered 6698, data controllers have an obligation to delete, dispose or anonymize personal data if the purposes of processing are no longer existing pursuant to the Article 7 of the Law. The principles and procedures with respect to this will be set out by a regulation as per the Law.

Within the scope explained above, a draft Regulation on Deleting, Disposal and Anonymization of Personal Data (“Regulation”) has been published by the Personal Data Protection Agency (“Agency”).[1]

The Regulation determines the procedures and principles with regards to deleting, disposal and anonymization of personal data and it shall be applied to real and legal persons that are responsible.

I. The circumstances which require deleting, disposing or anonymizing personal data

As stated above, personal data shall be deleted, disposed or anonymized if the purposes of processing are no longer existing pursuant to the Law. The grounds for processing personal and sensitive data are set out under Article 5 and Article 6 of the Law. In parallel with these provisions, the grounds for processing will be deemed to have disappeared under the circumstances set out within the second subparagraph of the Article 5 of the Regulation which are detailed below:

  1. Amendment or repealment of the legislation which form a basis for processing personal data,
  2. If the contract between the parties is not established or valid, discharging the contract per se, termination or rescinding from the contract,
  3. Disappearance of the ground of processing personal data,
  4. Processing personal data being against the law or breaching good faith,
  5. Withdrawal of consent by the related person if personal data is processed through an explicit consent,
  6. Acceptance of application of the related person by the data controller within the scope of the related person’s rights with respect to act of processing personal data which are regulated by the Law,
  7. Filing a complaint to the Board and the Board’s acceptance of this complaint under the circumstances in which the data controller has rejected the related person’s request for deleting, disposing or anonymizing personal data, the reply was found not sufficient or were not given within the period stipulated by the Law,
  8. Non-existence of a valid ground that will require retaining personal data for a longer period despite the lapse of maximum time which requires retaining personal data,
  9. Disappearance of the grounds under Article 5 and Article 6 of the Law which require processing personal data.

The personal data shall be deleted, disposed or anonymized by the data controller per se or upon the related person’s request under the circumstances described above.

Upon review of the Article 5 of the Regulation, it is understood that detailed provisions are set out with reference to some circumstances together with the non-existence of the grounds for processing under the Article 5 and Article 6 of the Law. Personal data may be processed without explicit consent if it is directly related with performance of a contract as per the Law. The Regulation determines that the grounds of processing shall cease to exist in case of a termination of the contract between the parties.

II. The principles which shall be applied to retaining and disposing personal data

The principles that will be complied with for retaining and disposing personal data are set out under the second paragraph of Article 6 as follows:

  1. The general principles under the Article 4 shall be complied with.
  2. Preparation of a policy on retaining and disposing personal data shall not mean that the personal data has been deleted, disposed and anonymized as per the Law and Regulation.
  3. The liabilities of the parties which are not under an obligation to prepare a policy on retaining and disposing personal data with reference to retaining, deleting, disposing and anonymizing personal data shall continue.

In addition, with regards to retaining and disposing personal data, it is obligatory to act in accordance with the seurity measures under the Article 12 of the Law, the provisions of the related legislation, Board’s decisions and the policy on retaining and disposing personal data.

There is no specific provision under the Law or Regulation with regards to circumstances in which the requirement of preparing a policy on retaining and disposing personal data will not be applied. Nevertheless, the Article 7 of the Regulation sets out that the Board is authorized to determine the principles and procedures for preparing a policy on retaining and disposing personal data and its application. Therefore, it is understood that the Board’s decisions should be awaited for exemptions.

III. Policy on retaining and disposing personal data

As per the Article 6 of the Regulation, a policy on retaining and disposing personal data shall be prepared as per personal data processing inventory if there is an obligation to register to the data controllers’ registry. The information which shall be included within this policy are set out under Article 7 of the Regulation as follows:

  1. The purpose of preparing a policy on retaining and disposing personal data,
  2. The recoding medium which are regulated by the policy on retaining and disposing personal data,
  3. The definitions of the legal and technical terms under the policy on retaining and disposing personal data,
  4. The explanations with regards to legal, technical or other grounds requiring retaining and disposing personal data,
  5. The technical and administrative measures that are taken to retain personal data securely and to prevent illegal processing or access,
  6. Technical and administrative measures that are taken for disposing personal data as per the law,
  7. The names and responsibilities of the persons whom are assigned within the procedures of retaining and disposing personal data,
  8. The table which shows the periods of retaining and disposing personal data,
  9. The period of disposing.

IV. Deleting personal data

The Article 8 of the Regulation defines deleting personal data which are processed by fully or partially automatic ways as the procedure of making personal data inaccessible and not reusable under any circumstance.

Together with this, if deleting personal data will cause other data within the system to become inaccessible or not usable, the data will be deemed to have been duly deleted provided that the below are fulfilled:

  1. Archiving the personal data in a way that it may not be associated with the related person,
  2. Not being accessible by another establishment, corporation and/or a person,
  3. Taking all the necessary technical and administrative measures which will enable access to personal data by only authorized persons.

On the other hand, deleting personal data which are a part of a data recording system and are processed by non-automatic ways shall be made as follows:

  1. Obfuscating unnecessary personal data,
  2. Masking unnecessary personal data in the form of paper which are transmitted electronically through scanning or without digitization.

V. Disposing personal data

Under Article 9 of the Regulation disposal is defined as making all physical recording medium that are suitable for retaining data in which information is retained, non-retrievable and not re-usable. No exemptions are provided with regards to disposing as for deleting.

VI. Anonymizing personal data

Anonymizing is defined as making personal data not associable with a real person who is identifiable or may be identifiable even when matched with other data. The personal data is required to be made not associable with a real person who is identifiable or may be identifiable by the receiver or receiving groups that the personal data have been transferred to by the data controller through:

  1. using appropriate technics in terms of the recording medium and related area of activity,
  2. using returning technics or matching data with other data.

VII. Periods for deleting, disposing or anonymizing personal data

As per the Article 11 of the Regulation, data controllers shall take into consideration the following periods for deleting, disposing or anonymizing personal data:

The personal data shall be deleted, disposed or anonymized,

  1. at the first periodic process of disposing following the date of occurrence of obligation if policy on retaining and disposing personal data is prepared,
  2. within the first thirty days following the date of occurrence of obligation if policy on retaining and disposing is not prepared.

Time intervals in which the periodic disposal shall be made may be determined by the Board by taking into consideration the area of activity and features of the sector. This period may not exceed ninety days under any circumstances.

VIII. Periods for deleting, disposing or anonymizing personal data upon the related person’s request

When an application is made to the data controller for deleting or disposing personal data by the real person whose personal data is processed:

  1. If the grounds for processing personal data have completely disappeared; the data controller may delete, dispose or anonymize the personal data which are the subject matter of the request. The requests of related persons for deleting or disposing personal data shall be finalized by the data controller within thirty days.
  2. If the grounds for processing personal data continue to exist; this request may be rejected by the data controller as per the third paragraph of the Article 13 of the Law including the reasoning and this rejection shall be notified to the related person in writing or through electronic mediums within thirty days.

It should be emphasized that the related person may file a complaint to the Board in case of rejection of request, an insufficient reply has been given or a reply has not been provided within the required period.

We provide legal assistance to our clients within the scope of procedures of compliance to the Law on Protection of Personal Data numbered 6698. In this context, our services include preparing the necessary documents for notifications under the Law; reviewing and revising the contracts executed with employees, customers and third parties with respect to compliance; preparing the necessary information for registration to the registry and monitoring the registration application and establishing, reviewing and revising the internal documentation and policies that are necessary for adhering to the law. You may contact us from info@engblaw.com for detailed information and questions about the legislation.

[1] http://www.kvkk.gov.tr/haber-yonetmelik2.html (last date of access 08.06.2017)