Turkey: Deletion, Destruction Or Anonymization Of Personal Data

Last Updated: 14 March 2019
Article by Selin Ozbek Cittone and Batuhan Aytaç

This year was an important year for Turkey in terms of data protection law. At the beginning of 2017, the Data Protection Authority ("DPA") began to work actively. Following the appointment of the board members, the Draft Regulation on Data Controller Registry was first made available for public consultation (http://www.ozbek.av.tr/publications/draft-regulation-on-data-controller-registry/); then the Regulation on Deletion, Destruction and Anonymization of Personal Data ("RDDA") was published in the Official Gazette, to be effective as of January 1, 2018. Not much later, the DPA published the "Guideline for Deletion, Destruction or Anonymization of Personal Data" ("Guideline") to answer at least some of the questions that arose after the issuance of the RDDA.

DATA CONTROLLERS' MAIN OBLIGATIONS UNDER THE RDDA

Data controllers who are required to be registered with the Data Controller Registry ("Registry") must:

  1. draft a Retention & Neutralization Policy ("Policy");
  2. delete, destroy or anonymize personal data on the periodic retention dates following the expiry of the retention periods set out in their Retention & Neutralization Policy;
  3. respond to the requests of data subjects who ask for neutralization of their personal data.

The data controllers, whose registration with the Registry is not required, have different obligations. We will talk about them further in this article.

RETENTION & NEUTRALIZATION POLICY

As per Article 5 of the RDDA, the data controllers, who are required to be registered with the Registry, are obligated to draft a Policy. Such Policy must be in accordance with the personal data inventory and include the following:

  1. Purpose of drafting the Policy,
  2. Data storage mediums regulated by the Policy,
  3. Definitions of legal and technical terms used in the Policy,
  4. Legal, technical or other grounds requiring the retention and neutralization of personal data,
  5. Technical and administrative measures taken to safeguard personal data and to prevent illegal processing and access to personal data,
  6. Technical and administrative measures taken to ensure that personal data are neutralized in accordance with the laws,
  7. Titles, units and job descriptions of those involved in the retention and neutralization processes,
  8. A chart showing the retention and neutralization periods,
  9. Periodic neutralization periods,
  10. Changes to current policy if the current personal data retention and destruction policy has been updated

NEUTRALIZATION OF PERSONAL DATA

The RDDA summarizes all the deletion, destruction or anonymization of personal data actions under one definition: Neutralization.

All data controllers are obligated to neutralize personal data, whether or not they are required to register with the Registry.

All neutralization-related actions must be recorded, and these records must be retained for three years, excluding other legal obligations.

The data controllers are also obligated to explain the methods they use, in the Policy.

WHAT IS DELETION OF PERSONAL DATA?

RDDA defines "deletion" as the process of making personal data completely inaccessible to and unusable by the "relevant users". The RDDA defines relevant users as those who process personal data within the organization of the data controller or with the authority given by the data controller, except those administrators, who are responsible for the technical storage, preservation and backup of the data.

To conduct deletion, in a general sense, the data controllers must prevent the "relevant users" (as defined above) from accessing the personal data in question and from using such data. The Guideline emphasizes that the relevant users shall not be administrators, in order to take away all opportunities for a relevant user to gain its access back. This access restriction must not leave any open doors for that relevant user to restore or reuse that data.

  • For the personal data in electronic storages or servers; the Guideline recommends using "Delete" commands, through a deletion software or restricting access to the relevant user by preventing any possibility for the relevant user to regain access to or restore the personal data in question.
  • For the personal data on paper; the Guideline recommends cutting that data or obscuring it using special ink in a way to prevent any restoration or any reading possibility by using technological methods. Most importantly, the data controller must pay attention to identify all personal data on the paper while conducting deletion. For example, even a URL address may contain personal data, since that URL address may be leading to a web page containing information that may be associated with a real person.

WHAT IS DESTRUCTION OF PERSONAL DATA?

The RDDA defines destruction of personal data as the process of making personal data inaccessible to everyone and unusable and unrestorable by anyone.

To conduct destruction, the data controller must make sure that it is impossible for anyone to access or process the personal data.

For physical mediums (including, but not limited to, the servers or discs on which the personal data are stored), the Guideline offers several methods. These methods render the physical medium in question unusable (e.g. de-magnetizing, melting, burning, dusting etc.).

For cloud services, the Guideline offers cryptographic encryption of all personal data and suggests applying a separate encryption key to each separate cloud service used. The destruction may then be conducted by destroying all copies of the keys.

For paper mediums, the Guideline offers shredding the paper in a way, which makes the data on it impossible to be recognized, by shredding the paper both vertically and horizontally in non-combinable tiny pieces.

WHAT IS ANONYMIZATION OF PERSONAL DATA?

The RDDA defines the anonymization of personal data as the process of making it impossible for personal data to be associated with any identified or identifiable person in any way, even if the personal data are matched with other data. Anonymization is only possible if it is not possible for the data to be associated with any identified or identifiable real person even by using diverse techniques (e.g. restoring the data by the data controller or the transferee(s), matching a data with other data) for the storage medium or that particular field of activity.

To conduct anonymization, the data controller must make the data anonymous by using de-identification methods such as masking, grouping, generalization, randomization etc.

The data controller must treat anonymization carefully, as there is more than one way to re-identify anonymized data. An adversary might combine the anonymized data with public data, take advantage of personal knowledge about the data subject, or use its know-how in technology and information technology to discover the real person behind that anonymized data. The Guideline urges the data controllers to provide the conditions below:

  1. It shall not be possible for the anonymized data group to be de-anonymized through combination of another data group,
  2. It shall not be possible for one or more values to constitute a whole single meaningful data and
  3. It shall not be possible for anonymized data in a data group to be combined into an assumption or conclusion about a person's identity.
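One way to test these conditions before a data set is released, as an added example that is not from the RDDA, the Guideline or the authors: generalize and mask the quasi-identifiers, suppress groups smaller than k, then count the rows that still match exactly one person in a second data group. The k-anonymity measure, the field names, the records and the threshold are all assumptions constructed for illustration.

```python
from collections import Counter

# Constructed sample data. RELEASED is the data set to be anonymized;
# PUBLIC stands for another data group that could be combined with it.
RELEASED = [
    {"birth_year": 1984, "postcode": "34100", "diagnosis": "asthma"},
    {"birth_year": 1986, "postcode": "34120", "diagnosis": "diabetes"},
    {"birth_year": 1985, "postcode": "34140", "diagnosis": "asthma"},
    {"birth_year": 1991, "postcode": "06500", "diagnosis": "migraine"},
    {"birth_year": 1993, "postcode": "06510", "diagnosis": "asthma"},
    {"birth_year": 1972, "postcode": "35200", "diagnosis": "diabetes"},
]
PUBLIC = [
    {"name": "Person A", "birth_year": 1984, "postcode": "34100"},
    {"name": "Person B", "birth_year": 1991, "postcode": "06500"},
    {"name": "Person C", "birth_year": 1972, "postcode": "35200"},
    {"name": "Person D", "birth_year": 1993, "postcode": "06510"},
]
QUASI_IDENTIFIERS = ("birth_year", "postcode")  # assumed linkable fields


def generalize(record, year_bucket=10, postcode_digits=2):
    """Generalization and masking: decade of birth, postcode prefix only."""
    out = dict(record)
    out["birth_year"] = record["birth_year"] // year_bucket * year_bucket
    masked = "*" * (len(record["postcode"]) - postcode_digits)
    out["postcode"] = record["postcode"][:postcode_digits] + masked
    return out


def qi_key(record):
    return tuple(record[field] for field in QUASI_IDENTIFIERS)


def smallest_group(records):
    """k of k-anonymity: size of the rarest quasi-identifier combination."""
    return min(Counter(qi_key(r) for r in records).values())


def release(records, k):
    """Generalize, then suppress rows whose group is still smaller than k."""
    gen = [generalize(r) for r in records]
    counts = Counter(qi_key(r) for r in gen)
    return [r for r in gen if counts[qi_key(r)] >= k]


def unique_links(released, other):
    """Condition 1: rows matching exactly one row of another data group."""
    ours = Counter(qi_key(r) for r in released)
    theirs = Counter(qi_key(o) for o in other)
    return [r for r in released
            if ours[qi_key(r)] == 1 and theirs[qi_key(r)] == 1]


def homogeneous_groups(records, sensitive="diagnosis"):
    """Condition 3: groups whose rows all share one sensitive value, so
    belonging to the group is enough to conclude that value."""
    values = {}
    for r in records:
        values.setdefault(qi_key(r), set()).add(r[sensitive])
    return [key for key, seen in values.items() if len(seen) == 1]


if __name__ == "__main__":
    safe = release(RELEASED, k=2)
    public_gen = [generalize(p) for p in PUBLIC]
    print("raw rows linkable:", len(unique_links(RELEASED, PUBLIC)))
    print("released rows:", len(safe), "k =", smallest_group(safe))
    print("linkable after release:", len(unique_links(safe, public_gen)))
    print("homogeneous groups:", homogeneous_groups(safe))
```

Rows removed by suppression are themselves a neutralization action and belong in the records the RDDA requires to be kept.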

WHEN DOES A DATA CONTROLLER NEUTRALIZE PERSONAL DATA?

The RDDA identifies two separate cases of neutralization:

  • Ex officio neutralization
  • Neutralization upon the request of the data subject

Ex Officio Neutralization

  • The data controllers, who have obligation to issue the Policy, shall delete, destroy or anonymize personal data in the first periodic neutralization event when the obligation to delete, destroy or anonymize personal data is realized. The space between each periodic neutralization event cannot be more than 6 (six) months.

A data controller has the right to choose the most appropriate neutralization method unless the DPA requires otherwise.

  • The data controllers, who do not have the obligation to prepare the Policy, shall delete, destroy or anonymize personal data within the 3 (three) months following the date, when the obligation to delete, destroy or anonymize personal data is realized.
  • The Board may shorten the aforementioned deadlines if a risk arises for realization of damages that are unavoidable or difficult to compensate or for cases that are openly against the law.

Neutralization Upon the Request of the Data Subject

A data subject's right to request is a reflection of the "right to be forgotten" that arose after the "Google Spain v AEPD and Mario Costeja González" case, just like the "right to erasure" under the General Data Protection Regulation.

When a data subject makes such a request:

If the conditions for processing personal data are no longer present, the data controller shall delete, destroy or anonymize the personal data in question. The data controller must fulfill this request of the data subject within 30 (thirty) days and must inform the data subject.

As per Article 7 of the RDDA, the data controller does not have to apply the neutralization method the data subject requested; but must explain the reason for its preferred method.

If the conditions for processing personal data are no longer present and if the personal data in question were transferred to third parties, the data controller must inform the third party of this situation and ensure that the third party in question conducts the operations required by the RDDA.

The meaning of this "ensuring" mentioned in Article 12/1(c) of the RDDA [1] is not clear and even contradictory, since the Law mentions "notifying" instead.

If the conditions for processing personal data are still present, the data controller may refuse this request by explaining the reason for such refusal in accordance with the applicable law. The data subject shall be informed of this refusal, electronically or in writing, within 30 (thirty) days following the data subject's request.

The data subject, whose request was refused, has a right to file a complaint to the DPA within 30 (thirty) days from notification of the refusal or 60 (sixty) days from the date of the request. If the DPA identifies a violation, the data controller shall comply with the DPA's relevant decision within 30 (thirty) days.

WHAT IS THE CURRENT SITUATION?

The Regulation on Data Controller Registry came into force on January 1, 2018. The DPA informed the public that the registries will start on the date to be set by the DPA following the Data Controller Registry Information System (VERBİS) going live. The DPA will clarify which Data controllers will be required to register and which will be exempted. The data controllers required to register to VERBİS, will have to adopt a Retention & Neutralization Policy.

Footnote

[1] "If all of the conditions for processing personal data have ceased to exist and personal data of the data subject has been transferred to a third party, the data controller shall notify the third party of this situation; and ensure that the third party carries out the necessary procedures within the scope of this Regulation."

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

Ozbek Attorney Partnership