14 March 2019

The Data Protection Board's Guidelines On Deletion, Destruction And Anonymization Of Personal Data ("Guidelines") Are Published

Ozbek Attorney Partnership

Contributor

Ozbek is a Turkish law firm established in 1972 in Istanbul. Our law firm offers a wide spectrum of legal services to international and domestic companies, institutions and individuals. Our team of lawyers is a strong, result-oriented and responsive legal team, fluent in English, German, Italian and French.
Turkey Privacy

The Guidelines prepared by the Data Protection Board ("Board") aim to answer many of our outstanding questions regarding the methods of neutralization as well as administration of the processes.

The Turkish version of the Guidelines is available at http://www.kvkk.gov.tr/yayinlar/.pdf

In the Guidelines, the methods are explained in technical terms, taking into account the environment in which the personal data is processed and stored. The Board pays special attention to anonymization methods and de-anonymization. The Guidelines provide best practices with real-life examples for different types of neutralization.

Data controllers must know that the methods and best practice examples given by the Board in the Guidelines are not legally binding. Data controllers may choose alternative methods appropriate to their practices.

The Guidelines once more underline that the Board imposes certain duties on data controllers and expects them to have control over the data transferred to third parties in the case of neutralization as well. Data controllers must check whether processors may de-anonymize the data by using data stored by them or even by using publicly available information. Data controllers are expected to perform risk analysis and to have contractual arrangements in place to prevent unauthorized re-identification.

What's next?

  • Data controllers that are required to prepare a policy for Deletion, Destruction and Anonymization must revise their policies in light of the Guidelines. They must include in their policies their respective methodologies for neutralization as well as the technical and administrative measures they are taking. In parallel, it is also advisable that they work on their internal procedures. Procedures may describe how each policy will be put into action and outline who will do what, what steps need to be taken, and which forms or documents must be used.
  • Special attention should be given to cloud solutions, and data controllers must understand that they are expected to have control over their cloud service providers when they are requested by a data subject or required by law to delete, destroy or anonymize certain personal data.

Originally published 24 November 2017

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
