Background

While protections for personal information have always been available at general law, in the current age where online transactions are commonplace and information is being treated almost as a commodity, there is general acknowledgement of the need to set clearer and more comprehensive boundaries as to the processing, storing and destruction of personal information.

Issued to this end, the Law on the Protection of Personal Data (Law No 6698) (the "Data Protection Law"), modelled on its EU counterpart, Directive 95/46/EC, entered into force on 24 March 2016 and has ever since been keeping compliance officers working overtime.

Broadly speaking, the Data Protection Law permits the processing of personal information for so long as there is a legitimate purpose for processing as described in articles 5 and 6 of the Data Protection Law.

Where such purpose no longer subsists, data controllers[1] are required, and may be requested by relevant persons, to erase, destroy or anonymise stored information. This process is subject to the regulation on the erasure, destruction or anonymisation of personal data (the "Regulation"), which was published in the Official Gazette dated 28 October 2017 and numbered 30224, and to the guidelines recently issued by the Personal Data Protection Authority on 23 November 2017 (the "Guidelines"), which set out supporting examples of acceptable methods that comply with the Regulation.

Erasure

The Regulation describes erasure as the process by which information is rendered inaccessible and unusable for all relevant parties. Pursuant to the Guidelines, personal data can be erased in a number of ways, including by masking the relevant personal information, so long as the erasure is irreversible, even by the institution carrying out the erasure process.

Destruction

The Regulation describes destruction as the process by which all physical mediums capable of information storage are rendered irretrievable and unusable for everyone. Methods for this include demagnetisation, melting, burning, shredding and overwriting, depending on the relevant medium.

Anonymisation

The Regulation describes anonymisation as the complete detachment of the relevant data from the data subject in such a way that identification is not likely to take place and the data no longer constitutes "personal" data.

The Guidelines mainly focus on anonymisation methods and appear to be in line, to a large extent, with the Opinion 05/2014 on Anonymisation Techniques of the European Commission. The main objective of anonymisation methods, as explained in the Guidelines in the context of various supporting examples, is to avoid singling out the data subject from the data, to prevent linkability of the data with the data subject and to avert any inferences that may lead to such data subject.

Pseudonymisation

While anonymisation is preferable because it enables organisations to disclose data without breaching personal data protections, it may not always be possible or practical, and it always holds the risk of being irreversible.

For these reasons, an alternative method, termed pseudonymisation, is provided under EU Directive 2016/680. The Directive defines pseudonymisation as the 'processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information provided that such additional information is kept separately and is subject to technical and organisational measures'.

In short, anonymisation renders data and data subject completely un-associable, including for the data controller and data processor, while pseudonymisation renders the relevant data un-attributable to a specific data subject without access to additional, restricted identifying information.

The Regulation and the Guidelines do not make any specific mention of pseudonymisation and for this reason it remains ambiguous as to whether pseudonymisation constitutes an acceptable method under the Regulation.

Personal Data Preservation and Annihilation Policy

The Regulation requires data controllers who are required to register with the Data Controllers Registry to establish Personal Data Preservation and Annihilation Policies.

Policies will need to contain information on the purpose, conditions and duration of storage of personal data, the means of annihilation and the names and responsibilities of the persons responsible for annihilation.

Policies will also need to set out a periodic annihilation frequency which may not be longer than six months or such shorter period as determined by the Personal Data Protection Board on a sector-specific basis.

Footnotes

1 Data controllers are persons responsible for determining the purpose and means of data processing and the establishment and administration of data storage facilities.
