The Regulation on Deletion, Destruction or Anonymization of Personal Data ("Regulation") has been published in the Official Gazette dated 28 October 2017 and numbered 30224 and will enter into force on 01 January 2018. The Personal Data Protection Law numbered 6698 was given the power to regulation to Regulation: the Regulation regulates the procedures and principles regarding the deletion, destruction or anonymization of the personal data.
Some definitions has characterized in the Regulation; Receiver group: Real or legal persons to which the data controller transfers personal data; Relevant user: Except those who are responsible for the technical storage, preservation and backup of the data, those who process personal data within the organization of the data controller or with the authority given by the specialist;
Destruction: The deletion, destruction or anonymization of personal data; Recording medium: Any medium in which personal data is recorded to be processed fully or partially by automatic ways as a part of any data recording system; Personal data processing inventory: An inventory where data controllers detail their information processing activities in accordance with business processes. The inventory shall have the following information; the details of the personal data being processed, the data categories, the recipient group and the data subject group, and the maximum period for the purposes for which the personal data are processed, the personal data foreseen to be transferred to foreign countries, and the measures taken regarding data security; Personal data retention and destruction policy: A policy prepared by Data Controllers determining the maximum period of time required for the purpose of processing personal data and rules regarding deletion, destruction or anonymization; Periodic destruction: Periodic destruction, deletion or anoniymization of personal data that is no longer processed validly, as described in the Personal Data Retention and Destruction Policy.
The Regulation clarified that the Data Controllers are obliged to prepare and inspect the "Personal Data Processing Inventory" which is not contained in the Law, aside from regulating the procedures and principles regarding the processing of personal data under the Personal Data Protection Law numbered 6698. Article 7 of the Regulation regulates that all actions relating to the deletion, destruction and anonymization of personal data shall be recorded and shall be kept for at least three (3) years. The Data Controller is held responsible to take all necessary technical and administrative measures regarding deletion, destruction and anonymization procedures within the scope of the Regulation disclose the methods used for the deletion, destruction, and anonymization of personal data in the relevant policies and procedures.
The Data Controller is held responsible to disclose the methods used for the deletion, destruction, and anonymization of personal data in the relevant policies and procedures.
Data Controllers that have prepared a “personal data retention and destruction policy” shall efface personal data in the first periodic destruction event when the obligation to destroy personal data materializes; Data Controllers that are not under an obligation to prepare a “personal data retention and destruction policy” shall delete personal data within three months as of the obligation to destroy personal data materializes.