Erasure, Destruction and Anonymization of Personal Data
(1) Personal data shall be erased, destructed or anonymized by the controller ex officio (by its own initiative) or upon the request of the data subject, in the event that all of the conditions for processing laid down in Article 5 and Article 6 of the Law no longer exist.
(2) It is mandatory to act in accordance with general principles of Article 4 of the Law, technical and organizational measures to be taken within the scope of Article 12, provisions of the relevant legislation, Board decisions and personal data storage and disposal policy in erasure, destruction and anonymization of personal data.
(3) All operations relating to erasure, destruction and anonymization of personal data shall be recorded and those records shall be stored for minimum three years excluding other legal obligations.
(4) (Amendment: OG-28/4/2019-30758) The data controller is obliged to describe the methods used for the erasure, destruction and anonymization operations of personal data in the relevant policies and procedures.
(5) Unless otherwise decided by the Board, the data controller may choose one of the appropriate methods for periodic erasure, destruction or anonymization of personal data ex officio. Upon request of data subject, the data controller may choose appropriate method with justified grounds.