The Regulation on Erasure, Destruction or Anonymization of Personal Data (“Regulation”) is published on the Official Gazette of October 28, 2017 and will enter into force as of January 1, 2018.
Regulation has been issued based on Article 7 of the Law No. 6698 on Protection of Personal Data (“DPL”). The article stated that personal data shall be erased, destroyed or anonymized by the data controller ex officio or upon the demand of the data subject, in the event that the reasons for which it was processed are no longer valid but left the principles and procedures regarding erasure, destruction and anonymization of personal data to be determined by a regulation. The regulation was issued later then contemplated by the DPL, as the DPL provided that all regulations will be put into force by the Personal Data Protection Authority (“Authority”) within a year as of publication of the law (i.e. until April 7, 2017).
Regulation applies to data controllers which, by way of repeating the DPL, are defined as real persons or legal entities which set the objectives and means of processing personal data and are in charge of establishing and managing the data filing system (Article 4/1-I of the Regulation).
Regulation is essentially a brief legal text mainly consisting of two provisions on personal data storage and demolition policy (Section II, Articles 5 and 6 of the Regulation); and six provisions on the erasure, destruction and anonymization of personal data (Section III, Article 7-12 of the Regulation).
II. Personal Data Storage and Demolition Policy
Data controllers that are required to register with the data controller’s registry per DPL are obliged to prepare a personal data storage and demolition policy in accordance with their personal data inventory (Article 5/1 of the Regulation). It should be noted that DPL requires all data controllers to register with the relevant registry as a principle. That said the Authority is entitled to provide an exemption from this obligation based on objective criteria to be determined by the Personal Data Protection Board (“Board”), such as the nature and the number of the processed data, whether or not data processing is required by law or whether or not data will be transferred to third parties (Article 16/2 of DPL). Therefore, an exemption from the obligation to register means an exemption from the obligation to prepare a storage and demolition policy.
The Regulation also makes clear that neither preparing a personal data storage and demolition policy nor being exempt from preparing such policy, affects data controllers’ obligation to comply with the principles, requirements and obligations set forth in the regulation (Article 5/2 & 5/3 of the Regulation).
According to Article 6 of Regulation, a personal data storage and demolition policy shall at least include the following:
a) Purpose of preparing the personal data storage and demolition policy,
b) Filing mediums regulated under the personal data storage and demolition policy,
c) Definitions of legal and technical terms mentioned in the personal data storage and demolition policy,
d) Explanations regarding legal, technical or other reasons that require storage or demolition of personal data,
e) Technical and administrative measures taken in order to store personal data safely, and prevent personal data from being illegally processed and accessed,
f) Technical and administrative measures taken in order to demolish personal data in compliance with the law,
g) Titles, departments and job descriptions of those taking part in the personal data storage and demolition processes,
h) Table displaying the personal data storage and demolition periods,
i) Time periods of periodic demolitions.
j) Changes made in the existing personal data storage and demolition policy.
III. Erasure, Destruction and Anonymization of Personal Data
In terms of data controllers’ erasure, destruction and anonymization responsibilities, Regulation refers to conditions, principles and procedures set forth in DPL, other related legislation and the relevant data controller’s own policy on the matter and states that data controllers are obliged to comply with the foregoing.
Data controllers are obliged to register and keep records of all transactions relating to erasure, destruction and anonymization of personal data at least for three (3) years (Article 7/3 of the Regulation). Moreover, data controllers are also required to disclose the methods they apply in relation to these processes in their policies and procedures (Article 7/4 of the Regulation). The method can be chosen by the data controller freely, in cases of ex officio erasure, destruction or anonymization of personal data, if Board did not decide otherwise on the matter. If erasure, destruction or anonymization is conducted upon request of the data subject, data controller should explain the reason behind choosing the relevant method as well (Article 7/5 of the Regulation).
Erasure of personal data means the operation of rendering the relevant personal data inaccessible and non-reusable in any way for the relevant users (Article 8/1 of the Regulation). Relevant users are those who process personal data in accordance with the authority and the instructions given by the data controller or within data controller’s organization except persons or units responsible for technical storage, protection and backing up of data (Article 4/1-b of the Regulation).
Destruction of personal data means the operation of rendering the relevant personal data inaccessible, irrecoverable and non-reusable in any way for everyone (Article 9/1 of the Regulation). Therefore, while erasure only affects the relevant data controller and relevant users thereof, in cases of destruction everyone is affected by the process and the relevant data becomes unavailable for use by everyone.
Anonymization of personal data is rendering personal data anonymous in such a way that it cannot be related to an identified or identifiable real person in any way even through matching that to another data (Article 10/1). According to Regulation, personal data is anonymous, if it cannot be related to an identified or identifiable real person by the data controller, recipient or recipient groups through techniques appropriate in terms of the filing medium and the relevant area of activity such as recovery and matching the data with other data (Article 10/2 of the Regulation).
(v) Time Periods
In terms of data controllers which have personal data storage and demolition policies, personal data shall be erased, destructed or anonymized during the first periodic demolition operation following the date on which such obligation arises (Article 11/1 of the Regulation). The data controllers are free to determine demolition periods. However, this time period may not exceed six (6) months. If the data controller does not have such policy, the obligation should be fulfilled within three (3) months of the date on which the obligation arises. These time limits were determined in the draft of Regulation as ninety (90) days and thirty (30) days, respectively. Board is authorized to shorten this time periods if there may be irrevocable damages or damages that are hard or impossible to recover and there is an obvious violation of laws.
(vi) Data Subject’ Request
In terms of data subjects’ demands for erasure and destruction, Regulation requires data controllers to decide within thirty (30) days and inform the data subjects regardless of the outcome of their requests (Article 12 of the Regulation). Additionally, if personal data is transferred to third parties, data controllers are also obliged to inform third parties of the requests and ensure third parties’ compliance with data subjects’ request. If all of the conditions for personal data processing are not eliminated, data controller is entitled to reject a request by explaining its reasons and the data subject should be notified of the rejection within 30 days at the latest in writing or in the electronic environment.
Regulation certainly brings more specific and clear instructions and obligations regarding erasure, destruction and anonymization of personal data considering the general frame provided by the DPL. However, one might still argue that Regulation took it too far in terms of providing specific restrictions and obligations to the point where data controllers are left with a narrow range of flexibility to determine their own procedures and measures particular to their needs. Considering the speed of technological developments and change in everyday business activities in connection with these developments, adopting an approach based on principles rather than determination of specific limitations applicable all data controllers regardless of the nature of their activities and sector might be of importance for the effective enforcement of the Regulation.
(First published in Mondaq on November 8, 2017)
By Gonenc Gurkaynak, Managing Partner, Ilay Yılmaz, Partner, Burak Yesilaltay, Associate, ELIG, Attorneys-at-Law