News and developments
Regulation on Erasure, Destruction or Anonymization of Personal Data
Regulation on Erasure, Destruction or Anonymization
of Personal Data: First Prong of the Secondary Legislation
I. Introduction
The Regulation on Erasure,
Destruction or Anonymization of Personal Data ("Regulation") is published on
the Official Gazette of October 28, 2017 and will enter into force as of
January 1, 2018. Regulation has been issued based on Article 7 of the Law No.
6698 on Protection of Personal Data ("DPL"). The article stated that personal
data shall be erased, destroyed or anonymized by the data controller ex officio
or upon the demand of the data subject, in the event that the reasons for which
it was processed are no longer valid but left the principles and procedures
regarding erasure, destruction and anonymization of personal data to be
determined by a regulation. The regulation was issued later then contemplated
by the DPL, as the DPL provided that all regulations will be put into force by
the Personal Data Protection Authority ("Authority") within a year as of
publication of the law (i.e. until April 7, 2017).
Regulation applies to data controllers which, by way of
repeating the DPL, are defined as real persons or legal entities which set the
objectives and means of processing personal data and are in charge of establishing
and managing the data filing system (Article 4/1-I of the Regulation).
Regulation is essentially a brief legal text mainly consisting
of two provisions on personal data storage and demolition policy (Section II, Articles
5 and 6 of the Regulation); and six provisions on the erasure, destruction and
anonymization of personal data (Section III, Article 7-12 of the Regulation).
II. Personal Data Storage and
Demolition Policy
Data controllers that are required to register with the data
controller's registry per DPL are obliged to prepare a personal data storage
and demolition policy in accordance with their personal data inventory (Article
5/1 of the Regulation). It should be noted that DPL requires all data
controllers to register with the relevant registry as a principle. That said
the Authority is entitled to provide an exemption
from this obligation based on objective criteria to be determined by the
Personal Data Protection Board ("Board"), such as the nature and the number of
the processed data, whether or not data processing is required by law or
whether or not data will be transferred to third parties (Article 16/2 of DPL).
Therefore, an exemption from the obligation to register means an exemption from
the obligation to prepare a storage and demolition policy.
The
Regulation also makes clear that neither preparing a personal data storage and
demolition policy nor being exempt from preparing such policy, affects data
controllers' obligation to comply with the principles, requirements and
obligations set forth in the regulation (Article 5/2 & 5/3 of the Regulation).
According to Article 6 of Regulation, a personal data storage
and demolition policy shall at least include the following:
a) Purpose of preparing
the personal data storage and demolition policy,
b) Filing mediums
regulated under the personal data storage and demolition policy,
c) Definitions of legal
and technical terms mentioned in the personal data storage and demolition
policy,
d) Explanations regarding
legal, technical or other reasons that require storage or demolition of
personal data,
e) Technical and
administrative measures taken in order to store personal data safely, and
prevent personal data from being illegally processed and accessed,
f) Technical and
administrative measures taken in order to demolish personal data in compliance
with the law,
g) Titles, departments and
job descriptions of those taking part in the personal data storage and
demolition processes,
h) Table displaying the
personal data storage and demolition periods,
i) Time periods of
periodic demolitions.
j) Changes made in the
existing personal data storage and demolition policy.
III. Erasure, Destruction and
Anonymization of Personal Data
In terms of data controllers' erasure, destruction and
anonymization responsibilities, Regulation refers to conditions, principles and
procedures set forth in DPL, other related legislation and the relevant data
controller's own policy on the matter and states that data controllers are
obliged to comply with the foregoing.
(i) General
Data controllers are obliged to register and keep records of all
transactions relating to erasure, destruction and anonymization of personal
data at least for three (3) years (Article 7/3 of the Regulation). Moreover,
data controllers are also required to disclose the methods they apply in
relation to these processes in their policies and procedures (Article 7/4 of
the Regulation). The method can be chosen by the data controller freely, in
cases of ex officio erasure, destruction or anonymization of personal data, if Board
did not decide otherwise on the matter. If erasure, destruction or anonymization
is conducted upon request of the data subject, data controller should explain
the reason behind choosing the relevant method as well (Article 7/5 of the
Regulation).
(ii) Erasure
Erasure of personal data means the operation of rendering the
relevant personal data inaccessible and non-reusable in any way for the relevant users (Article 8/1 of the
Regulation). Relevant users are those who process personal data in accordance
with the authority and the instructions given by the data controller or within
data controller's organization except persons or units responsible for
technical storage, protection and backing up of data (Article 4/1-b of the
Regulation).
(iii) Destruction
Destruction of personal data means the operation of rendering
the relevant personal data inaccessible, irrecoverable and non-reusable in any
way for everyone (Article 9/1 of the
Regulation). Therefore, while erasure only affects the relevant data controller
and relevant users thereof, in cases of destruction everyone is affected by the
process and the relevant data becomes unavailable for use by everyone.
(iv) Anonymization
Anonymization of personal
data is rendering personal data anonymous in such a way that it cannot be
related to an identified or identifiable real person in any way even through
matching that to another data (Article 10/1). According to Regulation, personal
data is anonymous, if it cannot be related to an identified or identifiable
real person by the data controller, recipient or recipient groups through
techniques appropriate in terms of the filing medium and the relevant area of
activity such as recovery and matching the data with other data (Article 10/2
of the Regulation).
(v) Time Periods
In terms of data
controllers which have personal data storage and demolition policies, personal
data shall be erased, destructed or anonymized during the first periodic
demolition operation following the date on which such obligation arises (Article
11/1 of the Regulation). The data controllers are free to determine demolition
periods. However, this time period may not exceed six (6) months. If the data
controller does not have such policy, the obligation should be fulfilled within
three (3) months of the date on which the obligation arises. These time limits
were determined in the draft of Regulation as ninety (90) days and thirty (30)
days, respectively. Board is authorized to shorten this time periods if there
may be irrevocable damages or damages that are hard or impossible to recover
and there is an obvious violation of laws.
(vi) Data Subject' Request
In terms of data subjects'
demands for erasure and destruction, Regulation requires data controllers to decide
within thirty (30) days and inform the data subjects regardless of the outcome
of their requests (Article 12 of the Regulation). Additionally, if personal
data is transferred to third parties, data controllers are also obliged to
inform third parties of the requests and ensure third parties' compliance with
data subjects' request. If all of the conditions for personal data processing
are not eliminated, data controller is entitled to reject a request by
explaining its reasons and the data subject should be notified of the rejection
within 30 days at the latest in writing or in the electronic environment.
IV. Conclusion
Regulation certainly brings more
specific and clear instructions and obligations regarding erasure, destruction
and anonymization of personal data considering the general frame provided by
the DPL. However, one might still argue that Regulation
took it too far in terms of providing specific restrictions and obligations to
the point where data controllers are left with a narrow range of flexibility to
determine their own procedures and measures particular to their needs.
Considering the speed of technological developments and change in everyday
business activities in connection with these developments, adopting an approach
based on principles rather than determination of specific limitations
applicable all data controllers regardless of the nature of their activities and
sector might be of importance for the effective enforcement of the Regulation.
Authors: Gönenç Gürkaynak Esq., İlay Yılmaz and Burak Yeşilaltay
of< ELIG, Attorneys-at-Law
(First published in Mondaq on November 8, 2017)