Regulation on Erasure, Destruction or Anonymization

of Personal Data: First Prong of the Secondary Legislation

I. Introduction

The Regulation on Erasure,

Destruction or Anonymization of Personal Data ("Regulation") is published on

the Official Gazette of October 28, 2017 and will enter into force as of

January 1, 2018. Regulation has been issued based on Article 7 of the Law No.

6698 on Protection of Personal Data ("DPL"). The article stated that personal

data shall be erased, destroyed or anonymized by the data controller ex officio

or upon the demand of the data subject, in the event that the reasons for which

it was processed are no longer valid but left the principles and procedures

regarding erasure, destruction and anonymization of personal data to be

determined by a regulation. The regulation was issued later then contemplated

by the DPL, as the DPL provided that all regulations will be put into force by

the Personal Data Protection Authority ("Authority") within a year as of

publication of the law (i.e. until April 7, 2017).

Regulation applies to data controllers which, by way of

repeating the DPL, are defined as real persons or legal entities which set the

objectives and means of processing personal data and are in charge of establishing

and managing the data filing system (Article 4/1-I of the Regulation).

Regulation is essentially a brief legal text mainly consisting

of two provisions on personal data storage and demolition policy (Section II, Articles

5 and 6 of the Regulation); and six provisions on the erasure, destruction and

anonymization of personal data (Section III, Article 7-12 of the Regulation).

II. Personal Data Storage and

Demolition Policy

Data controllers that are required to register with the data

controller's registry per DPL are obliged to prepare a personal data storage

and demolition policy in accordance with their personal data inventory (Article

5/1 of the Regulation). It should be noted that DPL requires all data

controllers to register with the relevant registry as a principle. That said

the Authority is entitled to provide an exemption

from this obligation based on objective criteria to be determined by the

Personal Data Protection Board ("Board"), such as the nature and the number of

the processed data, whether or not data processing is required by law or

whether or not data will be transferred to third parties (Article 16/2 of DPL).

Therefore, an exemption from the obligation to register means an exemption from

the obligation to prepare a storage and demolition policy.

The

Regulation also makes clear that neither preparing a personal data storage and

demolition policy nor being exempt from preparing such policy, affects data

controllers' obligation to comply with the principles, requirements and

obligations set forth in the regulation (Article 5/2 & 5/3 of the Regulation).

According to Article 6 of Regulation, a personal data storage

and demolition policy shall at least include the following:

a)  Purpose of preparing

the personal data storage and demolition policy,

b)  Filing mediums

regulated under the personal data storage and demolition policy,

c)  Definitions of legal

and technical terms mentioned in the personal data storage and demolition

policy,

d) Explanations regarding

legal, technical or other reasons that require storage or demolition of

personal data,

e)  Technical and

administrative measures taken in order to store personal data safely, and

prevent personal data from being illegally processed and accessed,

f)  Technical and

administrative measures taken in order to demolish personal data in compliance

with the law,

g)  Titles, departments and

job descriptions of those taking part in the personal data storage and

demolition processes,

h)  Table displaying the

personal data storage and demolition periods,

i)   Time periods of

periodic demolitions.

j)   Changes made in the

existing personal data storage and demolition policy.

III. Erasure, Destruction and

Anonymization of Personal Data

In terms of data controllers' erasure, destruction and

anonymization responsibilities, Regulation refers to conditions, principles and

procedures set forth in DPL, other related legislation and the relevant data

controller's own policy on the matter and states that data controllers are

obliged to comply with the foregoing.

(i) General

Data controllers are obliged to register and keep records of all

transactions relating to erasure, destruction and anonymization of personal

data at least for three (3) years (Article 7/3 of the Regulation). Moreover,

data controllers are also required to disclose the methods they apply in

relation to these processes in their policies and procedures (Article 7/4 of

the Regulation). The method can be chosen by the data controller freely, in

cases of ex officio erasure, destruction or anonymization of personal data, if Board

did not decide otherwise on the matter. If erasure, destruction or anonymization

is conducted upon request of the data subject, data controller should explain

the reason behind choosing the relevant method as well (Article 7/5 of the

Regulation).

(ii) Erasure

Erasure of personal data means the operation of rendering the

relevant personal data inaccessible and non-reusable in any way for the relevant users (Article 8/1 of the

Regulation). Relevant users are those who process personal data in accordance

with the authority and the instructions given by the data controller or within

data controller's organization except persons or units responsible for

technical storage, protection and backing up of data (Article 4/1-b of the

Regulation).

(iii) Destruction

Destruction of personal data means the operation of rendering

the relevant personal data inaccessible, irrecoverable and non-reusable in any

way for everyone (Article 9/1 of the

Regulation). Therefore, while erasure only affects the relevant data controller

and relevant users thereof, in cases of destruction everyone is affected by the

process and the relevant data becomes unavailable for use by everyone.

(iv) Anonymization

Anonymization of personal

data is rendering personal data anonymous in such a way that it cannot be

related to an identified or identifiable real person in any way even through

matching that to another data (Article 10/1). According to Regulation, personal

data is anonymous, if it cannot be related to an identified or identifiable

real person by the data controller, recipient or recipient groups through

techniques appropriate in terms of the filing medium and the relevant area of

activity such as recovery and matching the data with other data (Article 10/2

of the Regulation).

(v) Time Periods

In terms of data

controllers which have personal data storage and demolition policies, personal

data shall be erased, destructed or anonymized during the first periodic

demolition operation following the date on which such obligation arises (Article

11/1 of the Regulation). The data controllers are free to determine demolition

periods. However, this time period may not exceed six (6) months. If the data

controller does not have such policy, the obligation should be fulfilled within

three (3) months of the date on which the obligation arises. These time limits

were determined in the draft of Regulation as ninety (90) days and thirty (30)

days, respectively. Board is authorized to shorten this time periods if there

may be irrevocable damages or damages that are hard or impossible to recover

and there is an obvious violation of laws.

(vi) Data Subject' Request

In terms of data subjects'

demands for erasure and destruction, Regulation requires data controllers to decide

within thirty (30) days and inform the data subjects regardless of the outcome

of their requests (Article 12 of the Regulation). Additionally, if personal

data is transferred to third parties, data controllers are also obliged to

inform third parties of the requests and ensure third parties' compliance with

data subjects' request. If all of the conditions for personal data processing

are not eliminated, data controller is entitled to reject a request by

explaining its reasons and the data subject should be notified of the rejection

within 30 days at the latest in writing or in the electronic environment.

IV. Conclusion

Regulation certainly brings more

specific and clear instructions and obligations regarding erasure, destruction

and anonymization of personal data considering the general frame provided by

the DPL. However, one might still argue that Regulation

took it too far in terms of providing specific restrictions and obligations to

the point where data controllers are left with a narrow range of flexibility to

determine their own procedures and measures particular to their needs.

Considering the speed of technological developments and change in everyday

business activities in connection with these developments, adopting an approach

based on principles rather than determination of specific limitations

applicable all data controllers regardless of the nature of their activities and

sector might be of importance for the effective enforcement of the Regulation.

Authors: Gönenç Gürkaynak Esq., İlay Yılmaz and Burak Yeşilaltay

of< ELIG, Attorneys-at-Law

(First published in Mondaq on November 8, 2017)