ARTICLE 7 – Despite being processed in compliance with the provisions of this Law and other relevant laws, personal data shall be erased, destructed or anonymized by the data controller, ex officio or on the request of the data subject, in the event that the reasons for the processing no longer exist.
(2) The Provisions of other laws relating to the erasure, destruction or anonymization of personal data are reserved.
(3) Procedures and principles for the erasure, destruction or anonymization of personal data shall be laid down through by-law.
Even if the personal data have been processed in accordance with the Law, it is prescribed by law that they shall be destroyed within a certain period of time. The methods of destruction of personal data can be counted as follows:
- Erasure of personal data: Making personal data inaccessible and unusable for related users.
- Destruction of personal data: Making personal data in no way accessible, retrieved and reusable by anyone.
- Anonymization of Personal Data: Making personal data unassociated to an identifiable or identifiable natural person by any means, even if it is matched with other data. This association should not be made by recipient groups and others, including the data controller.
The above stated methods should be identified according to the concrete event or the processing environment of the data. For example, since the complete destruction of data in a digital environment will not be possible, erasure or anonymization methods will be more suitable for this data. Or, erasure or destruction of data in a registry program used will not be suitable for destruction with these methods, since it will cause the possibility of a parameter running behind to be corrupted. In this case, anonymization method should be used for data held on such programs.
In addition, the authorized users who perform the said deletions should not be the ones who have the system administrator / admin authority at the same time. The main reason to separate the powers is that the person doing the deletion must not have the power to restore the data at the same time.
Personal data must be destroyed ex officio or by the data controller at the request of the data subject in cases such as:
- Amendment or relevance of the relevant legislation provisions that constitute the basis for the processing of personal data,
- Disappearance of the purpose requiring the processing or storage of personal data,
- The relevant person's withdrawal of his explicit consent, in cases where there are no other reasons for compliance with the law listed in Article 5 of the KVKK,
- Acceptance of the application made by the person requesting the destruction of his/her personal data,
- In cases where the request for the destruction of the personal data of the data subject is rejected and / or the answer is inadequate, the request is approved by the Board after the complaint made to the Board,
- Exceeding the maximum time that that requires the storage of personal data and there is no requirement to justify storing personal data for longer.
In the event of the above-mentioned situations, personal data should be deleted in accordance with the legislation by erasing, destroying or anonymizing.
It is important to note that, personal data contained in old archives, retention period of which expire, should also be destroyed using appropriate methods.
In the destruction of personal data, the general principles of the Law and the technical and administrative measures to be taken should be followed.
In addition, the legislation stipulates a policy on this. This policy, called the retention and destruction policy, should include the way, method, period and other conditions for storing and destroying data; relevant processes to be performed on personal data should comply with this policy.
In the retention policy, following points should be included:
- Purpose of preparation of the policy,
- Media where data is recorded,
- Definitions of legal and technical terms in the policy,
- Legal, administrative and technical disclosure that requires the retention and destruction of personal data,
- Administrative and technical measures taken for the retention and destruction of personal data,
- Authorization matrix for retention-destruction processes,
- Table showing the retention periods,
- Periodic destruction times,
- Revision date of the document
Periodic destruction periods stated above to be shown in the retention destruction policy cannot exceed six months in any case, the destruction process must be scheduled.
Finally, since the destruction of personal data is a data processing activity, as well, these processes should also be recorded. The mentioned records should be kept for 3 years if there is no other legal reason.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.