On 29 May 2017, the Personal Data Protection Authority ("DPA") published the Draft Regulation on the Erasure, Destruction or Anonymization of Personal Data ("Draft Regulation") on its official website, and invited public comment on the relevant secondary legislation. The Draft Regulation was open for public comment until 12 June 2017, and the DPA is currently in the process of finalizing the text.
The Draft Regulation is based on Articles 7 and 22 of the Law No. 6698 on the Protection of Personal Data ("DP Law"). Article 22 authorizes the DPA to draft secondary legislation related to the DP Law. As a general rule, as promulgated under Article 7 of the DP Law, in the event that the reasons for which the personal data are processed cease to exist or are no longer valid, personal data should be erased, destroyed or anonymized by the data controller ex officio, or upon the request of the data subject, regardless of whether the personal data has been processed in accordance with the DP Law and other relevant legislation. Moreover, as per Article 138 of the Turkish Criminal Code, when the data controller fails to destroy or erase personal data in cases where personal data processing is against the law and in breach of the good faith principle, the data controller may be sentenced to a prison term of 1-2 years. Therefore, this obligation may have criminal consequences and it is critical to understand the circumstances in which the "grounds of data processing are deemed to be no longer valid."
As per Article 5 of the Draft Regulation, the necessary conditions for processing personal data cease to exist or are deemed not to be fulfilled, in the particular circumstances set out below:
(i) In case of an amendment or abolition being made to the provisions in the relevant legislation that constitutes the basis of personal data processing,
(ii) Where there is no agreement between the parties, where the agreement is invalid, or where the agreement is automatically terminated, in case of termination or revocation of a contract,
(iii) Where the underlying purpose of personal data processing ceases to exist,
(iv) Where personal data processing is against the law and in violation of the good faith principle,
(v) If the data subject withdraws its consent, where the personal data processing can only be carried out subject to the condition of explicit consent,
(vi) Where the data controller accepts the data subject's request regarding deletion, erasure or anonymization of personal data within the scope of their rights under Article 11 of the DP Law,
(vii) Where a complaint is submitted to the DPA and such complaint is approved by the DPA, in case the data controller denies the data subject's request for the erasure or destruction of their personal data,
(viii) Where there are no conditions that could justify the retention of personal data for an extended period of time, after the maximum required period for the retention of personal data has already elapsed or expired,
(ix) Where the conditions requiring the processing of personal data as per Articles 5 and 6 of the DP Law cease to exist.
If any of the conditions above is met, then the data controller is required to erase, destroy or anonymize personal data on its own, or upon the request of the data subject, as per Article 5 of the Draft Regulation. Therefore, it should be emphasized that the data controller does not need to receive the data subject's request in order to initiate the erasure, destruction or anonymization process, and that the data controller may start the process of erasure, destruction, or anonymization on its own initiative, in order to avoid falling afoul of the regulations or inadvertently engaging in any illegal activities within the scope of the foregoing provisions.
Definitions of erasure, destruction, or anonymization were also promulgated under the Draft Regulation, as explained below:
(i) According to Article 8 of the Draft Regulation, the erasure of personal data wholly or partially achieved by automatic means is defined as the process of rendering the relevant personal data inaccessible to the relevant users and unusable in any way or by any means.
(ii) According to Article 9 of the Draft Regulation, the destruction of personal data is defined as rendering the entire physical filing/archiving medium, wherein information is stored and which is capable of data storage, irrecoverable and unusable.
(iii) Finally, as per Article 10 of the Draft Regulation, anonymization is defined as rendering personal data anonymous in such a way that it cannot be related to or associated with an identified or identifiable real person, even through the process of matching such data to other data.
In conclusion, the Draft Regulation—which is not yet in effect and may be subject to change—provides, in its current published state, insight and guidance on the erasure, destruction and anonymization of personal data. In order to avoid criminal consequences, data controllers need to establish strong internal processes and procedures to monitor the conditions and purposes of processing personal data, and adjust their data processing practices to the requirements of the new regulations as necessary.
This article was first published in Legal Insights Quarterly by ELIG, Attorneys-at-Law in September 2017.