This year was an important year for Turkey in terms of Data Protection law. At the beginning of 2017, the Data Protection Authority ("DPA") began to actively work. Following the assignment of the board members, at first, the Draft Regulation on Data Controller Registry has been made available for public consultation (http://www.ozbek.av.tr/publications/draft-regulation-on-data-controller-registry/), then, the Regulation on Deletion, Destruction and Anonymization of Personal Data ("RDDA")published on the official gazette to be effective as of January 1, 2018. Not much later, the DPA published "Guideline for Deletion, Destruction or Anonymization of Personal Data" ("Guideline") to answer at least, some of the questions arisen after the issuance of the RDDA.
DATA CONTROLLERS' MAIN OBLIGATIONS UNDER THE RDDA
Data controllers, who are required to be registered with the Data Controller Registry ("Registry") must;
- draft a Retention & Neutralization Policy ("Policy").
- delete, destroy or anonymize personal data in the periodic retention dates after the expiry of the retention periods they implemented in their Retention & Neutralization Policy.
- respond to the requests of the data subjects, who asked for neutralization of their personal data.
The data controllers, whose registration with the Registry is not required, have different obligations. We will talk about them further in this article.
RETENTION & NEUTRALIZATION POLICY
As per Article 5 of the RDDA, the data controllers, who are required to be registered with the Registry, are obligated to draft a Policy. Such Policy must be in accordance with the personal data inventory and include the following:
- Purpose of drafting the Policy,
- Data storage mediums regulated by the Policy,
- Definitions of legal and technical terms used in the Policy,
- Legal, technical or other grounds requiring the retention and neutralization of personal data,
- Technical and administrative measures taken to safeguard personal data and to prevent illegal processing and access to personal data,
- Technical and administrative measures taken to ensure that personal data are neutralized in accordance with the laws,
- Titles, units and job descriptions of those involved in the retention and neutralization processes,
- A chart showing the retention and neutralization periods,
- Periodic neutralization periods,
- Changes to current policy if the current personal data retention and destruction policy has been updated
NEUTRALIZATION OF PERSONAL DATA
The RDDA summarizes all the deletion, destruction or anonymization of personal data actions under one definition: Neutralization.
All data controllers are obligated to neutralize personal data, whether or not they are required to register with the Registry or not.
All neutralization-related actions must be recorded, and these records must be retained for three years, excluding other legal obligations.
The data controllers are also obligated to explain the methods they use, in the Policy.
WHAT IS DELETION OF PERSONAL DATA?
RDDA defines "deletion" as the process of making personal data completely inaccessible to and unusable by the "relevant users". The RDDA defines relevant users as those who process personal data within the organization of the data controller or with the authority given by the data controller, except those administrators, who are responsible for the technical storage, preservation and backup of the data.
To conduct deletion; in a general sense, the data controllers must prevent the access of "relevant users" (as defined above) to the personal data in question and must prevent them from using such data. The Guideline emphasizes that the relevant users shall not be administrators, in order to take away all opportunities for a relevant user to gain its access back. This access restriction must not leave any open doors for that relevant user to restore or reuse that data.
- For the personal data in electronic storages or servers; the Guideline recommends using "Delete" commands, through a deletion software or restricting access to the relevant user by preventing any possibility for the relevant user to regain access to or restore the personal data in question.
- For the personal data on paper; the Guideline recommends cutting that data or obscuring it using special ink in a way to prevent any restoration or any reading possibility by using technological methods. Most importantly, the data controller must pay attention to identify all personal data on the paper while conducting deletion. For example, even a URL address may contain personal data, since that URL address may be leading to a web page containing information that may be associated with a real person.
WHAT IS DESTRUCTION OF PERSONAL DATA?
The RDDA defines destruction of personal data as the process of making personal data inaccessible to everyone and unusable and unrestorable by anyone.
To conduct destruction; the data controller must make sure that accessing or processing the personal data is impossible by anyone.
For physical mediums, (including but not limited to, the servers or discs, wherein the personal data are stored); the Guideline offers several methods. These methods render the physical medium in question unusable (e.g. de-magnetizing, melting, burning, dusting etc.)
For cloud services, the Guideline offers cryptographic encryption of all personal data and suggests application of separate encryption keys to all separate cloud services use. The destruction may be conducted by destroying all copies of the keys.
For paper mediums, the Guideline offers shredding the paper in a way, which makes the data on it impossible to be recognized, by shredding the paper both vertically and horizontally in non-combinable tiny pieces.
WHAT IS ANONYMIZATION OF PERSONAL DATA?
The RDDA defines the anonymization of personal data as the process of making it impossible for personal data to be associated with any identified or identifiable person in any way, even if the personal data are matched with other data. Anonymization is only possible if it is not possible for the data to be associated with any identified or identifiable real person even by using diverse techniques (e.g. restoring the data by the data controller or the transferee(s), matching a data with other data) for the storage medium or that particular field of activity.
To conduct anonymization; the data controller must make a data anonymous by using several de-identification methods such as masking, grouping, generalization, randomization etc.
The data controller must tread the anonymization carefully as there are more than one ways to re-identify the anonymized data. An adversary might combine the anonymized data with a public data, take advantage of a personal knowledge about the data subject or use its know-how in technology and information technology to discover the real person behind that anonymized data. The Guideline urges the data controllers to provide the conditions below:
- It shall not be possible for the anonymized data group to be de-anonymized through combination of another data group,
- It shall not be possible for one or more values to constitute a whole single meaningful data and
- It shall not be possible for anonymized data in a data group to be combined into an assumption or conclusion about a person's identity.
WHEN DOES A DATA CONTROLLER NEUTRALIZE PERSONAL DATA?
The RDAA identifies two separate cases of neutralization:
- Ex officio neutralization
- Neutralization upon the request of the data subject
Ex Officio Neutralization
- The data controllers, who have obligation to issue the Policy, shall delete, destroy or anonymize personal data in the first periodic neutralization event when the obligation to delete, destroy or anonymize personal data is realized. The space between each periodic neutralization event cannot be more than 6 (six) months.
A data controller has the right the choose the most appropriate neutralization method unless the DPA requires otherwise.
- The data controllers, who do not have the obligation to prepare the Policy, shall delete, destroy or anonymize personal data within the 3 (three) months following the date, when the obligation to delete, destroy or anonymize personal data is realized.
- The Board may shorten the aforementioned deadlines if a risk arises for realization of damages that are unavoidable or difficult to compensate or for cases that are openly against the law.
Neutralization Upon the Request of the Data Subject
A data subject's right to request is a reflection of the "right to be forgotten" arisen after "Google Spain v AEPD and Mario Costeja González" case just like the "right to erasure" under the General Data Protection Regulation.
When a data subject makes such a request;
If the conditions for processing personal data are no longer present; the data controller shall delete, destroy or anonymize personal data in question. The data controller must fulfill this request of the data subject within 30 (thirty) days and must inform the data subject.
As per Article 7 of the RDDA, the data controller does not have to apply the neutralization method the data subject requested; but must explain the reason for its preferred method.
If the conditions for processing personal data are no longer present and if the personal data in question were transferred to third parties; the data controller must inform third party regarding this situation and ensure that the third party in question conducts the operations required by the RDAA.
The meaning of this "ensuring" mentioned in the Article 12/1(c) of the RDDA1 is not clear and even contradictory since the Law mentions "notifying" instead.
If the conditions for processing personal data are still present; the data controller may refuse this request by explaining the reason of such refusal in accordance with the applicable law. This refusal shall be informed to the data subject, electronically or in written, within 30 (thirty) days following the data subject's request.
The data subject, whose request was refused, has a right to file a complaint to the DPA within 30 (thirty) days from notification of the refusal or 60 (sixty) days from the date of the request. If the DPA identifies a violation, the data controller shall comply with the DPA's relevant decision within 30 (thirty) days.
WHAT IS THE CURRENT SITUATION?
The Regulation on Data Controller Registry came into force on January 1, 2018. The DPA informed the public that the registries will start on the date to be set by the DPA following the Data Controller Registry Information System (VERBİS) going live. The DPA will clarify which Data controllers will be required to register and which will be exempted. The data controllers required to register to VERBİS, will have to adopt a Retention & Neutralization Policy.
 "If all of the conditions for processing personal data have ceased to exist and personal data of the data subject has been transferred to a third party, the data controller shall notify the third party of this situation; and ensure that the third party carries out the necessary procedures within the scope of this Regulation."
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.