Turkey: Regulation On The Deletion, Destruction And Anonymization Of Personal Data

Last Updated: 6 November 2017
Article by Burak Özdağıstanli

FIRST PART

Purpose, Scope, Basis and Definitions

Purpose

ARTICLE 1 - (1) The purpose of this Regulation is to regulate the principles and procedures for the deletion, destruction or anonymization of personal data processed fully or partially by automatic ways as a part of any data recording system.

Scope

ARTICLE 2 - (1) Provisions of this Regulation shall be applied to data controllers in accordance with Article 7 of the Protection of Personal Data Act No. 6698 dated 24/3/2016.

Basis

ARTICLE 3 - (1) This Regulation has been prepared on the basis of the third paragraph of Article 7 of the Law No. 6698 and (e) of the first paragraph of Article 22.

Definitions

ARTICLE 4 - (1) In the implementation of this Regulation;

a) Receiver group: Real or legal persons to which the data controller transfers personal data,

b) Relevant user: Except those who are responsible for the technical storage, preservation and backup of the data, those who process personal data within the organization of the data controller or with the authority given by the data controller

c) Destruction: The deletion, destruction or anonymization of personal data,

d) Law: Law No. 6698 on Protection of Personal Data dated 24/3/2016,

e) Recording medium: Any medium in which personal data is recorded to be processed fully or partially by automatic ways as a part of any data recording system.

f) Personal data processing inventory: An inventory where data controllers detail their data processing activities in accordance with business processes. The inventory shall have the following information; the details of the personal data being processed, the data categories, the recipient group and the data subject group, and the maximum period for the purposes for which the personal data are processed, the personal data foreseen to be transferred to foreign countries, and the measures taken regarding data security,

g) Personal data retention and destruction policy: A policy prepared by Data Controllers determining the maximum period of time required for the purpose of processing personal data and rules regarding deletion, destruction or anonymization,

h) Board: Data Protection Board,

i) Periodic destruction: Periodic destruction, deletion or anoniymization of personal data that is no longer processed validly, as described in the Personal Data Retention and Destruction Policy,

j) Registry: The record of data held by the Presidency of the Data Protection Board,

k) Data recording system: The recording system in which personal data is structured according to certain criteria,

l) Data Controller: the actual or legal person determining the processing purposes and means of the personal data and responsible for the establishment and management of the data recording system,

(2) For definitions not included in this Regulation, the definitions in the Law apply.

SECOND PART

Personal Data Retention and Destruction Policy

Principles on personal data storage and destruction policy

ARTICLE 5 - (1) Data controllers who are obliged to register to the Data Controllers Registry pursuant to Article 16 of the Law are obliged to prepare a personal data retention and destruction policy in accordance with the personal data processing inventory.

(2) Preparing a personal data retention and destruction policy; does not automatically mean that personal data has been stored, deleted, destroyed or made anonymous in accordance with the Laws and Regulations.

(3) Data controllers who are not under the obligation to prepare personal data retention and destruction policy shall continue to store, delete, destroy or anonymize personal data in accordance with the Law and this Regulation.

Scope of personal data retention and destruction policy

ARTICLE 6 - (1) The personal data retention and destruction policy shall at least cover information as to:

a) Purpose of preparing the personal data retention and destruction policy,

b) Recording mediums regulated by the Policy,

c) Definitions of legal and technical terms contained in the Policy,

d) Legal, technical or other grounds requiring the retention and destruction of personal data,

e) Technical and administrative measures taken to safeguard personal data safely and to prevent illegal processing and access to personal data,

f) Technical and administrative measures taken to ensure that personal data are destroyed in accordance with law,

g) Titles, units and job descriptions of those involved in the retention and destruction processes,

h) The table showing the retention and destruction periods,

i) Periodic destruction periods,

j) changes to current policy if the current personal data retention and destruction policy has been updated,

information about.

PART THREE

Deletion, Destruction or Anonymization of Personal Data

Principles

ARTICLE 7 - (1) When processing conditions in Articles 5 and 6 of the Law cease to exist, the personal data must be deleted, destroyed or anonymized by the data controller ex-officio or upon the request of the data subject.

(2) It is necessary to comply with the general principles in Article 4 of the Law and the technical and administrative measures to be taken within the scope of Article 12, the provisions of the relevant legislation, decisions of the Board, and personal data retention and destruction policy while deleting, destructing or anonymizing personal data.

(3) All actions relating to the deletion, destruction and anonymization of personal data shall be recorded and shall be kept for at least three years.

(4) The data controller is responsible to disclose the methods used for the deletion, destruction, and anonymization of personal data in the relevant policies and procedures.

(5) The data controller shall select the appropriate method among deleting, destroying or anonymizing personal data, unless a decision is taken by the Board. If data will be deleted, destroyed or anonymized upon the request of the data subject, the data controller shall inform the data subject of the method to be used with reasons of choosing such method.

Deleting personal data

ARTICLE 8 - (1) Deletion of personal data is the process of making personal data inaccessible to and not-usable by the relevant users.

(2) The data controller is obliged to take all necessary technical and administrative measures to ensure that deleted personal data is inaccessible to the relevant users and cannot be reused.

Destruction of personal data

ARTICLE 9 - (1) Deletion of personal data is the process of making personal data inaccessible to and not-usable by anyones.

(2) The Data Officer is obliged to take all necessary technical and administrative measures concerning the destruction of personal data.

Anonymization of personal data

ARTICLE 10 - (1) The anonymization of personal data is to make it impossible for such data to be associated with any identified or identifiable person in any way, even if the personal data is matched with other data.

(2) For personal data to be anonymized; the identity must be made irrelevant to a specific or identifiable person and this must be irrevocable. Personal data shall be in a state that cannot be retrieved by data controllers and third parties which received the data by matching such with other data or using certain techniques specific to the field.

(3) Data controller is obliged to take all necessary technical and administrative measures regarding anonymization of personal data.

Time to permanently delete, destroy or anonymize personal data

ARTICLE 11 - (1) Data controllers that have prepared a "personal data retention and destruction policy" shall delete, destroy or anonymize personal data in the first periodic destruction event when the obligation to destroy personal data materializes.

(2) The periodic destruction intervals shall be stipulated in the personal data retention and destruction policy. This period cannot exceed six months.

(3) Data controllers that are not under an obligation to prepare a "personal data retention and destruction policy" shall delete, destroy or anonymize personal data within three months as of the obligation to destroy personal data materializes.

(4) The Board may shorten the deadlines set forth in this article if a risk arises as to materialization of damages that are unavoidable or difficult to compensate or for cases that are openly against the law.

Deletion and destruction periods upon request by data subject

ARTICLE 12 - (1) When a data subject requests for the deletion or destruction of his / her personal data by applying to the Data Controller in accordance with Article 13 of the Law;

a) If all of the conditions for processing personal data have ceased to exist; the data controller deletes, destroys, or anonymizes the personal data subject to the request. The data controller must conclude the request of the data subject within thirty days at the latest and must inform the data subject.

b) If all of the conditions for processing personal data have ceased to exist and personal data of the data subject has been transferred to a third party, the Data Controller shall notify the third party of this situation; and make sure that the third party shall carries out the necessary procedures within the scope of this Regulation.

c) If all of the processing conditions of the personal data have not ceased to exist, data subject's request may be rejected by the Data Controller explaining the reasons in accordance with the third paragraph of Article 13 of the Law. Data Controller shall send a response to the data subject within 30 days of the request in written or electronic form.

SECTION FOUR

Miscellaneous and Final Provisions

Elimination of hesitations

ARTICLE 13 - (1) The Board is authorized to make decisions about issues that are not stipulated in this Regulation in order to avoid any hesitations and issues related to the implementation of this Regulation. Further, the Board is authorized to direct and implement the application, to set the principles and standards and make necessary arrangements to ensure cooperation in implementation of the Regulation and to request all kinds of information and documents required for this issue,

Entry into force

ARTICLE 14 - (1) This Regulation shall enter into force on 1/1/2018.

Execution

ARTICLE 15 - (1) The provisions of this Regulation shall be executed by the President.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

To print this article, all you need is to be registered on Mondaq.com.

Click to Login as an existing user or Register so you can print this article.

Authors
Burak Özdağıstanli
Similar Articles
Relevancy Powered by MondaqAI
Gün + Partners
BTS & Partners
 
Some comments from our readers…
“The articles are extremely timely and highly applicable”
“I often find critical information not available elsewhere”
“As in-house counsel, Mondaq’s service is of great value”

Related Topics
 
Similar Articles
Relevancy Powered by MondaqAI
Gün + Partners
BTS & Partners
Related Articles
 
Related Video
Up-coming Events Search
Tools
Print
Font Size:
Translation
Channels
Mondaq on Twitter
 
Register for Access and our Free Biweekly Alert for
This service is completely free. Access 250,000 archived articles from 100+ countries and get a personalised email twice a week covering developments (and yes, our lawyers like to think you’ve read our Disclaimer).
 
Email Address
Company Name
Password
Confirm Password
Position
Mondaq Topics -- Select your Interests
 Accounting
 Anti-trust
 Commercial
 Compliance
 Consumer
 Criminal
 Employment
 Energy
 Environment
 Family
 Finance
 Government
 Healthcare
 Immigration
 Insolvency
 Insurance
 International
 IP
 Law Performance
 Law Practice
 Litigation
 Media & IT
 Privacy
 Real Estate
 Strategy
 Tax
 Technology
 Transport
 Wealth Mgt
Regions
Africa
Asia
Asia Pacific
Australasia
Canada
Caribbean
Europe
European Union
Latin America
Middle East
U.K.
United States
Worldwide Updates
Registration (you must scroll down to set your data preferences)

Mondaq Ltd requires you to register and provide information that personally identifies you, including your content preferences, for three primary purposes (full details of Mondaq’s use of your personal data can be found in our Privacy and Cookies Notice):

  • To allow you to personalize the Mondaq websites you are visiting to show content ("Content") relevant to your interests.
  • To enable features such as password reminder, news alerts, email a colleague, and linking from Mondaq (and its affiliate sites) to your website.
  • To produce demographic feedback for our content providers ("Contributors") who contribute Content for free for your use.

Mondaq hopes that our registered users will support us in maintaining our free to view business model by consenting to our use of your personal data as described below.

Mondaq has a "free to view" business model. Our services are paid for by Contributors in exchange for Mondaq providing them with access to information about who accesses their content. Once personal data is transferred to our Contributors they become a data controller of this personal data. They use it to measure the response that their articles are receiving, as a form of market research. They may also use it to provide Mondaq users with information about their products and services.

Details of each Contributor to which your personal data will be transferred is clearly stated within the Content that you access. For full details of how this Contributor will use your personal data, you should review the Contributor’s own Privacy Notice.

Please indicate your preference below:

Yes, I am happy to support Mondaq in maintaining its free to view business model by agreeing to allow Mondaq to share my personal data with Contributors whose Content I access
No, I do not want Mondaq to share my personal data with Contributors

Also please let us know whether you are happy to receive communications promoting products and services offered by Mondaq:

Yes, I am happy to received promotional communications from Mondaq
No, please do not send me promotional communications from Mondaq
Terms & Conditions

Mondaq.com (the Website) is owned and managed by Mondaq Ltd (Mondaq). Mondaq grants you a non-exclusive, revocable licence to access the Website and associated services, such as the Mondaq News Alerts (Services), subject to and in consideration of your compliance with the following terms and conditions of use (Terms). Your use of the Website and/or Services constitutes your agreement to the Terms. Mondaq may terminate your use of the Website and Services if you are in breach of these Terms or if Mondaq decides to terminate the licence granted hereunder for any reason whatsoever.

Use of www.mondaq.com

To Use Mondaq.com you must be: eighteen (18) years old or over; legally capable of entering into binding contracts; and not in any way prohibited by the applicable law to enter into these Terms in the jurisdiction which you are currently located.

You may use the Website as an unregistered user, however, you are required to register as a user if you wish to read the full text of the Content or to receive the Services.

You may not modify, publish, transmit, transfer or sell, reproduce, create derivative works from, distribute, perform, link, display, or in any way exploit any of the Content, in whole or in part, except as expressly permitted in these Terms or with the prior written consent of Mondaq. You may not use electronic or other means to extract details or information from the Content. Nor shall you extract information about users or Contributors in order to offer them any services or products.

In your use of the Website and/or Services you shall: comply with all applicable laws, regulations, directives and legislations which apply to your Use of the Website and/or Services in whatever country you are physically located including without limitation any and all consumer law, export control laws and regulations; provide to us true, correct and accurate information and promptly inform us in the event that any information that you have provided to us changes or becomes inaccurate; notify Mondaq immediately of any circumstances where you have reason to believe that any Intellectual Property Rights or any other rights of any third party may have been infringed; co-operate with reasonable security or other checks or requests for information made by Mondaq from time to time; and at all times be fully liable for the breach of any of these Terms by a third party using your login details to access the Website and/or Services

however, you shall not: do anything likely to impair, interfere with or damage or cause harm or distress to any persons, or the network; do anything that will infringe any Intellectual Property Rights or other rights of Mondaq or any third party; or use the Website, Services and/or Content otherwise than in accordance with these Terms; use any trade marks or service marks of Mondaq or the Contributors, or do anything which may be seen to take unfair advantage of the reputation and goodwill of Mondaq or the Contributors, or the Website, Services and/or Content.

Mondaq reserves the right, in its sole discretion, to take any action that it deems necessary and appropriate in the event it considers that there is a breach or threatened breach of the Terms.

Mondaq’s Rights and Obligations

Unless otherwise expressly set out to the contrary, nothing in these Terms shall serve to transfer from Mondaq to you, any Intellectual Property Rights owned by and/or licensed to Mondaq and all rights, title and interest in and to such Intellectual Property Rights will remain exclusively with Mondaq and/or its licensors.

Mondaq shall use its reasonable endeavours to make the Website and Services available to you at all times, but we cannot guarantee an uninterrupted and fault free service.

Mondaq reserves the right to make changes to the services and/or the Website or part thereof, from time to time, and we may add, remove, modify and/or vary any elements of features and functionalities of the Website or the services.

Mondaq also reserves the right from time to time to monitor your Use of the Website and/or services.

Disclaimer

The Content is general information only. It is not intended to constitute legal advice or seek to be the complete and comprehensive statement of the law, nor is it intended to address your specific requirements or provide advice on which reliance should be placed. Mondaq and/or its Contributors and other suppliers make no representations about the suitability of the information contained in the Content for any purpose. All Content provided "as is" without warranty of any kind. Mondaq and/or its Contributors and other suppliers hereby exclude and disclaim all representations, warranties or guarantees with regard to the Content, including all implied warranties and conditions of merchantability, fitness for a particular purpose, title and non-infringement. To the maximum extent permitted by law, Mondaq expressly excludes all representations, warranties, obligations, and liabilities arising out of or in connection with all Content. In no event shall Mondaq and/or its respective suppliers be liable for any special, indirect or consequential damages or any damages whatsoever resulting from loss of use, data or profits, whether in an action of contract, negligence or other tortious action, arising out of or in connection with the use of the Content or performance of Mondaq’s Services.

General

Mondaq may alter or amend these Terms by amending them on the Website. By continuing to Use the Services and/or the Website after such amendment, you will be deemed to have accepted any amendment to these Terms.

These Terms shall be governed by and construed in accordance with the laws of England and Wales and you irrevocably submit to the exclusive jurisdiction of the courts of England and Wales to settle any dispute which may arise out of or in connection with these Terms. If you live outside the United Kingdom, English law shall apply only to the extent that English law shall not deprive you of any legal protection accorded in accordance with the law of the place where you are habitually resident ("Local Law"). In the event English law deprives you of any legal protection which is accorded to you under Local Law, then these terms shall be governed by Local Law and any dispute or claim arising out of or in connection with these Terms shall be subject to the non-exclusive jurisdiction of the courts where you are habitually resident.

You may print and keep a copy of these Terms, which form the entire agreement between you and Mondaq and supersede any other communications or advertising in respect of the Service and/or the Website.

No delay in exercising or non-exercise by you and/or Mondaq of any of its rights under or in connection with these Terms shall operate as a waiver or release of each of your or Mondaq’s right. Rather, any such waiver or release must be specifically granted in writing signed by the party granting it.

If any part of these Terms is held unenforceable, that part shall be enforced to the maximum extent permissible so as to give effect to the intent of the parties, and the Terms shall continue in full force and effect.

Mondaq shall not incur any liability to you on account of any loss or damage resulting from any delay or failure to perform all or any part of these Terms if such delay or failure is caused, in whole or in part, by events, occurrences, or causes beyond the control of Mondaq. Such events, occurrences or causes will include, without limitation, acts of God, strikes, lockouts, server and network failure, riots, acts of war, earthquakes, fire and explosions.

By clicking Register you state you have read and agree to our Terms and Conditions