By-Law on Erasure, Destruction or Anonymization of Personal Data
* This is an English translation. In case of any difference in meaning between the original Turkish text and the English translation, the Turkish text shall apply.
Chapter 1 (Art.1 - 4) — Purpose, Scope, Legal Basis and Definitions
(1) The purpose of this By-Law is to determine principles and procedures regarding erasure, destruction and anonymization of personal data processed wholly or partially by automated means, or by non-automated means provided that they form part of a data filing system.
(1) Provisions of this By-Law shall apply to data controllers in accordance with Article 7 of the Personal Data Protection Law No. 6698 of 24/03/2016.
(1) This By-Law is issued on the basis of Article 7(3) and sub-paragraph (e) of Article 22(1) of Personal Data Protection Law No. 6698.
(1) For the purposes of this By-Law:
- a) “Recipient group” means category of natural or legal persons to which the personal data are transferred by the data controller,
- b) “User concerned” means persons who process personal data within the organization of the data controller or upon authorization and instructions received from the data controller, other than the person or department which is responsible for the technical storage, protection and back up of personal data,
- c) “Disposal” means erasure, destruction or anonymization of personal data,
- ç) “Law” means Personal Data Protection Law No. 6698 of 24/3/2016,
- d) “Recording medium” means any type of environment that keeps the personal data processed wholly or partially by automated means, or by non-automated means provided that they form part of a data filing system,
- e) (Amendment: OG-28/4/2019-30758) “Personal data processing inventory” means the inventory which is detailed by explanations of the following: personal data processing activities of data controllers according to their business processes; purposes and legal ground of personal data processing; data category; maximum data storage period required for the purposes formed relating to the recipient group to whom the data are transferred and with data subject groups, and for personal data processing; personal data envisaged to be transferred to foreign countries; and measures taken relating to the data security,
- f) “Personal data storage and disposal policy” means the policy which data controllers issue as a basis for erasure, destruction and anonymization of personal data and determination of maximum storage period for the purpose for which personal data are processed,
- g) “Board” means Personal Data Protection Board,
- ğ) “Periodic Disposal” means the erasure, destruction or anonymization process which is determined in the personal data storage and disposal policy and to be carried out periodically ex officio, in the event that all of the conditions for processing laid down in the Law no longer exist,
- h) “Registry” means Data Controllers’ Registry kept by Personal Data Protection Authority,
- ı) “Data filing system” means the filing system where personal data are processed by being structured according to specific criteria,
- i) “Data Controller” means the natural or legal person who determines the purpose and means of processing personal data and is responsible for the establishment and management of the data filing system,
(2) For the definitions not included in this By-Law, the definitions in the Law shall apply.
Chapter 2 (Art.5 - 6) — Personal Data Storage and Disposal Policy
(1) Pursuant to Article 16 of the Law, data controllers who are obliged to register with the Data Controllers’ Registry system shall issue a personal data storage and disposal policy in accordance with the personal data processing inventory.
(2) Issuing a personal data storage and disposal policy shall not mean that personal data are stored, erased, destructed or anonymized in accordance with the Law and the By-Law.
(3) For data controllers who are not obliged to issue personal data storage and disposal policy, the obligation of storage, erasure, destruction or anonymization of personal data shall continue pursuant to the Law and By-Law.
(1) Personal data storage and disposal policy shall at least include the following:
- a) Purpose of issuing personal data storage and disposal policy,
- b) Recording medium arranged in accordance with personal data storage and disposal policy,
- c) Definitions of technical and legal terms indicated in personal data storage and disposal policy,
- ç) Explanations relating to legal, technical or other reasons requiring storage and disposal of personal data,
- d) Technical and organizational measures taken against unlawful processing of and access to personal data and for storing personal data securely,
- e) Technical and organizational measures taken for lawful disposal of personal data,
- f) Definitions of titles, units and tasks of those who are involved in personal data storage and disposal processes,
- g) Table that shows storage and disposal periods,
- ğ) Time period for periodic disposal,
- h) Any alterations being made in the current personal data storage and disposal policy, if any.
Chapter 3 (Art.7 - 12) — Erasure, Destruction and Anonymization of Personal Data
(1) Personal data shall be erased, destructed or anonymized by the controller ex officio (by its own initiative) or upon the request of the data subject, in the event that all of the conditions for processing laid down in Article 5 and Article 6 of the Law no longer exist.
(2) It is mandatory to act in accordance with general principles of Article 4 of the Law, technical and organizational measures to be taken within the scope of Article 12, provisions of the relevant legislation, Board decisions and personal data storage and disposal policy in erasure, destruction and anonymization of personal data.
(3) All operations relating to erasure, destruction and anonymization of personal data shall be recorded and those records shall be stored for a minimum of three years, excluding other legal obligations.
(4) (Amendment: OG-28/4/2019-30758) The data controller is obliged to describe the methods used for the erasure, destruction and anonymization operations of personal data in the relevant policies and procedures.
(5) Unless otherwise decided by the Board, the data controller may choose one of the appropriate methods for periodic erasure, destruction or anonymization of personal data ex officio. Upon request of the data subject, the data controller may choose the appropriate method with justified grounds.
(1) Erasure of personal data is the process of rendering personal data inaccessible and non-reusable, by any means, for the users concerned.
(2) The data controller is obliged to take necessary technical and organizational measures required for ensuring erased data to be inaccessible and non-reusable for its users concerned.
(1) Destruction is the process of rendering personal data inaccessible, irretrievable or non-reusable by anyone, by any means.
(2) The data controller is obliged to take any type of technical and organizational measures required for ensuring destruction of personal data.
(1) Anonymization is the process of rendering personal data impossible to link with an identified or identifiable natural person, even through matching them with other data.
(2) To anonymize personal data, the personal data shall be rendered impossible to relate to an identified or identifiable person, even through the use of techniques appropriate to the recording medium and relevant field of activity, such as recovery of data by the data controller, recipient or recipient groups and matching data with other data.
(3) The data controller is obliged to take any type of technical and organizational measures required for ensuring anonymization of personal data.
(1) The data controller who has issued a data storage and disposal policy shall erase, destruct or anonymize the personal data in the first periodic disposal process following the date when the obligation of erasure, destruction or anonymization of personal data arises.
(2) Time interval for periodic disposal shall be defined in personal data storage and disposal policy by the data controller. This time interval cannot exceed six months in any case.
(3) Data controllers who are not obliged to issue a personal data storage and disposal policy shall erase, destruct or anonymize personal data within three months following the date on which the obligation of erasure, destruction or anonymization of personal data arises.
(4) The Board may shorten the durations specified in this Article in the case of irreparable or impossible damages, and in the event of explicit infringement of the law.
(1) (Amendment: OG-28/4/2019-30758) When the data subject requests erasure or destruction of his/her personal data from the data controller, pursuant to Articles 11 and 13 of the Law:
- a) In the event that all of the conditions for the processing no longer exist, the data controller shall erase, destruct or anonymize the personal data which are subject to the request. The data controller shall act on the request of the data subject at the latest within thirty days and inform the data subject.
- b) In the event that all of the conditions for the processing no longer exist and the personal data which are subject to the request have been transferred to any third party, the data controller shall notify the third party of such request and ensure the performance of necessary operations by the third party within the scope of this By-Law.
- c) In the event that all of the conditions for the processing have not disappeared completely, the request may be rejected by the data controller in accordance with Article 13(3) of the Law together with its justified grounds, and such rejection shall be communicated to the data subject in writing or by electronic means at the latest within thirty days.
Chapter 4 (Art.13 - 15) — Miscellaneous and Final Provisions
(1) The Board is authorised to resolve doubts and remedy disruptions that occur during the implementation of this By-Law, to direct the implementation, to determine the principles and standards and make necessary arrangements to ensure the unity of implementation, to demand any type of information and documentation in this regard and to take a decision within the framework of the relevant legislation on matters which are not included in this By-Law.
(1) This By-Law shall enter into force on 1/1/2018.
(1) The President of the Personal Data Protection Authority shall enforce the provisions of this By-Law.