Page 1

Official newspaper

Saturday, October 28, 2017

Number : 30224

REGULATION
From the Personal Data Protection Authority:
DELETING, DESTROYING OR ANONYMOUS PERSONAL DATA
text
REGULATION Original
ON IMPLEMENTATION
Kişisel Verileri Koruma Kurumundan:

FIRST PART
Purpose, Scope, Basis and Definitions
Contribute a better translation

Goal
ARTICLE 1 – (1) The purpose of this Regulation is to fully or partially automatic or any data recording.
deletion, destruction or deletion of personal data processed by non-automatic means, provided that it is part of the
to determine the procedures and principles regarding anonymization.
Scope
ARTICLE 2 - (1) The provisions of this Regulation; Protection of Personal Data dated 24/3/2016 and numbered 6698
It applies to data controllers in accordance with Article 7 of the Law.
Rest
ARTICLE 3 - (1) This Regulation is governed by the third paragraph of Article 7 and Article 22 of the Law No. 6698.
It has been prepared based on subparagraph (e) of the first paragraph.
Definitions
ARTICLE 4 – (1) In the implementation of this Regulation;
a) Recipient group: The natural or legal person category to which personal data is transferred by the data controller,
b) Relevant user: Person responsible for technical storage, protection and backup of data, or
Authority and instruction received within the organization of the data controller or from the data controller, excluding the unit
persons who process personal data in accordance with
c) Destruction: Deletion, destruction or anonymization of personal data,
ç) Law: Law on Protection of Personal Data No. 6698, dated 24/3/2016,
d) Recording medium: Being a part of any data recording system that is fully or partially automated or
Any environment where personal data is processed by non-automatic means,
e) Personal data processing inventory: The data controllers perform depending on their business processes.
personal data processing activities; personal data processing purposes, data category, transferred recipient group and data subject
the maximum period required for the purposes for which personal data are processed and created by associating with the person group,
by explaining the personal data that is foreseen to be transferred to foreign countries and the measures taken regarding data security
their detailed inventory,
f) Personal data retention and destruction policy: Data controllers must comply with the requirements for the purpose for which personal data is processed.
the policy on which they are based for the process of determining the maximum period of time and deletion, destruction and anonymization,
g) Board: Personal Data Protection Board,
ğ) Periodic destruction: Elimination of all the conditions for the processing of personal data in the law
will be carried out ex officio at repetitive intervals specified in the personal data storage and destruction policy.
deletion, destruction or anonymization,
h) Registry: The registry of data controllers kept by the Personal Data Protection Authority,
ı) Data recording system: The recording system in which personal data is processed and structured according to certain criteria,
i) Data controller: The data recording system, which determines the purposes and means of processing personal data.
the natural or legal person responsible for the establishment and management of
means.
(2) For definitions not included in this Regulation, the definitions in the Law are valid.
SECOND PART
Personal Data Retention and Disposal Policy
Principles of personal data retention and destruction policy
ARTICLE 5 – (1) In accordance with Article 16 of the Law, those who are obliged to register in the Data Controllers Registry
data controllers are responsible for preparing a personal data retention and destruction policy in accordance with the personal data processing inventory.
liable.
(2) A personal data retention and destruction policy has been prepared; personal data in compliance with the Law and the Regulation
It does not mean that it is stored, deleted, destroyed or anonymized in any form.
(3) Data controllers who are not under the obligation to prepare a personal data storage and destruction policy,
Obligations to store, delete, destroy or anonymize personal data in accordance with the Law and this Regulation
continues.
Scope of personal data retention and destruction policy
ARTICLE 6 – (1) Personal data retention and destruction policy, as a minimum;
a) The purpose of preparing the personal data storage and destruction policy,
b) Recording media regulated by the personal data retention and destruction policy,
c) Definitions of legal and technical terms included in the personal data retention and destruction policy,
ç) A statement regarding the legal, technical or other reasons that require the storage and destruction of personal data,
d) Safe storage, unlawful processing and access of personal data
technical and administrative measures taken to prevent
e) Technical and administrative measures taken for the legal destruction of personal data,
f) The titles, units and job descriptions of those involved in the storage and destruction processes of personal data,
g) The table showing the storage and destruction periods,
ğ) Periodic destruction times,
h) If the current personal data retention and destruction policy has been updated, the said change,
includes information about
THIRD PART
Deletion, Destruction or Anonymization of Personal Data

Principles
ARTICLE 7 – (1) All of the personal data processing conditions in Articles 5 and 6 of the Law
in case of disappearance, deletion of personal data by the data controller ex officio or upon the request of the person concerned,
destroyed or anonymized.
(2) In the deletion, destruction or anonymization of personal data, it is stated in Article 4 of the Law.
general principles, technical and administrative measures to be taken within the scope of Article 12, provisions of the relevant legislation,
It is obligatory to act in accordance with the Board decisions and the personal data retention and destruction policy.
(3) All transactions regarding the deletion, destruction and anonymization of personal data are recorded.
and these records are kept for at least three years, excluding other legal obligations.
(4) The data controller is responsible for the deletion, destruction and anonymization of personal data.
are obliged to explain the methods in their relevant policies and procedures.
(5) Unless a contrary decision is taken by the Board, the data controller may ex officio delete, destroy or destroy personal data.
chooses the appropriate anonymization method. At the request of the person concerned, the appropriate method is justified.
chooses to explain.
Deletion of personal data
ARTICLE 8 – (1) Deletion of personal data means that personal data cannot be accessed in any way for the relevant users and
is the process of making it unusable again.
(2) The data controller is responsible for making the deleted personal data inaccessible and reusable for the relevant users.
responsible for taking all necessary technical and administrative measures.
Destruction of personal data
ARTICLE 9 – (1) Destruction of personal data, personal data cannot be accessed by anyone in any way,
It is the process of making it irreversible and unusable.
(2) The data controller is responsible for taking all necessary technical and administrative measures regarding the destruction of personal data.
liable.
Anonymization of personal data
ARTICLE 10 – (1) Anonymization of personal data, even if personal data is matched with other data.
is to render it impossible to be associated with an identified or identifiable natural person in any way.
(2) In order for personal data to be anonymized; personal data, data controller, recipient or recipient
recording medium and related field of activity, such as returning and matching data with other data by groups
with an identified or identifiable natural person, even through the use of appropriate techniques
must be made unrelated.
(3) The data controller shall take all necessary technical and administrative measures regarding the anonymization of personal data.
liable to take.
Periods for ex officio deletion, destruction or anonymization of personal data
ARTICLE 11 – (1) The data controller, who has prepared a personal data storage and destruction policy, deletes personal data,
In the first periodical destruction process following the date on which the obligation to destroy or anonymize arises,
deletes, destroys or anonymizes personal data.
(2) The period of time when periodic destruction will be carried out, personal data storage and destruction by the data controller.
determined in the policy. This period cannot exceed six months in any case.
(3) The data controller, who is not obliged to prepare a personal data retention and destruction policy,
within three months from the date on which the obligation to delete, destroy or anonymize personal data
deletes, destroys or anonymizes.
(4) In the event that irreparable or impossible damages arise and there is a clear violation of the law, the Board
may shorten the periods specified in the article.
Periods of deletion and destruction of personal data if requested by the person concerned
ARTICLE 12 – (1) The person concerned, by applying to the data controller pursuant to Article 13 of the Law,
requests the deletion or destruction of personal data;
a) If all the conditions for processing personal data have disappeared; the data controller deletes the personal data subject to the request,
destroy or anonymize. The data controller concludes the request of the data subject within thirty days at the latest and
informs the person.
b) All the conditions for processing personal data have been removed and the personal data subject to the request will be sent to third parties.
if transferred, the data controller notifies the third party; within the scope of this Regulation before the third party
ensures that necessary actions are taken.
c) If all the conditions for processing personal data have not disappeared, this request is made by the data controller.
In accordance with the third paragraph of Article 3, it can be rejected by explaining the reason, and the refusal can be given to the relevant person within thirty minutes at the latest.
notified in writing or electronically during the day.
CHAPTER FOUR
Miscellaneous and Final Provisions
Elimination of doubts
ARTICLE 13 – (1) Hesitations that may arise during the implementation of this Regulation and
to eliminate the deficiencies and direct the application, to determine the principles and standards and to establish the unity of application.
to make the necessary arrangements to provide the necessary information, to request all kinds of information and documents required in this regard,
The Board is authorized to make decisions within the framework of the provisions of the relevant legislation.
Force
ARTICLE 14 – (1) This Regulation enters into force on 1/1/2018.
Executive
ARTICLE 15 – (1) The President executes the provisions of this Regulation.

