The Turkish Data Protection Authority has announced rules for deleting, destroying and anonymizing personal data, which will apply from 1 January 2018. These include details of obligations, procedures and time periods which will apply to data controllers (more).

The Regulation on Deletion, Destruction and Anonymization of Personal Data (“Regulation”) was published in Official Gazette number 30224 on 28 October 2017.

Data controllers which are subject to registry obligations must prepare a Personal Data Retention and Destruction Policy, which satisfies the minimum content and thresholds outlined in the Regulation.

The Regulation introduces definitions for “deletion”, “destruction” and “anonymization” within the concept of personal data legislation.

Data controllers must delete, destroy or anonymize personal data if the reasons for processing personal data cease to exist. Data controllers are entitled to choose whether to delete, destroy or anonymize personal data (unless the Data Protection Board decides otherwise).

Data controllers which are subject to registry obligations must introduce a data destruction scheme, where the frequency of destruction cycles is no longer than six months. If the reasons for processing personal data cease to exist, the data must be deleted in the next destruction cycle.

Other data controllers (which are not subject to the registration requirement) must delete, destroy or anonymize the personal data within three months from the date the processing reasons cease to exist.

Data controllers must respond to data subject requests about deleting, destroying or anonymizing personal data within 30 days.

Please see this link for the full text of the Regulation (only in Turkish)

Information first published in the MA | Gazette, a fortnightly legal update newsletter produced by Moroğlu Arseven.