Turkey’s Data Protection Authority recently published the long-awaited draft of the Regulation on Deletion, Destruction and Anonymization of Personal Data (“Draft Regulation”). The Draft Regulation outlines proposed details of requirements for data controllers, as well as definitions and exceptions. Notably, it proposes that if deleting personal data will lead to an inability to access and use other data in the system, the personal data will be deemed to have been deleted, provided other conditions are met.
Once the reasons for processing personal data no longer exist, the Law on Data Protection No. 6698 (“Law”) requires data controllers to erase, destroy or anonymize personal data, either ex officio or at the data subject’s request. The Draft Regulation was developed to provide further details on this topic.
The Draft Regulation defines the terms “deletion”, “destruction” and “anonymization”. It also provides clarity about circumstances where reasons for processing personal data no longer exist.
Accordingly, the Draft Regulation proposes that data controllers be required to delete, destroy or anonymize personal data in any of the following circumstances:
- The legislation which forms the legal basis for processing personal data becomes invalid.
- The purpose of the processing of personal data is abolished.
- Processing personal data contradicts the law or principles of good faith.
- The data subject withdraws consent where processing the personal data is subject to explicit consent.
The Draft Regulation also proposes exemptions. Most notably, it states that if deleting the personal data will lead to an inability to access and use other data in the system, the personal data will be accepted as having been deleted, provided the data controller manages to:
- Archive personal data, by making it impossible to link to a data subject,
- Disable third party access, and
- Limit access to only authorized persons.
The Draft Regulation also addresses internal procedures for data controllers to delete, destroy, or anonymize personal data. It proposes that data controllers which are subject to registry obligations be required to prepare a Personal Data Retention and Erasure Policy.
Failure to delete or anonymize personal data could result in imprisonment for between one and two years (Article 138, Penal Code No. 5237).
Please see this link for the full text of the Draft Regulation (only available in Turkish).