The Regulation on Deletion, Removal, or Anonymization of Personal Data (the “Regulation”), one of two anticipated regulations to be drafted within the framework of the Personal Data Protection Law no. 6698 (“PDPL”), was published in the Official Gazette no. 30224, dated 28 October 2017.
We provide below a summary of the key provisions of the Regulation:
- Data controllers who are obliged to register with the data controllers’ registry are required to draft and implement a company-wide “Personal Data Retention and Destruction Policy”. The Regulation specifies certain information to be included in the policy and requires such data controllers to destroy outdated personal data periodically, at intervals of no more than 6 months.
- Data controllers are obliged to keep all records relating to the deletion or removal of personal data for a minimum period of 3 years.
- Data controllers are free to (i) delete, (ii) remove, or (iii) anonymize personal data that is outdated or that a data subject has requested to be destroyed. These terms (i.e. deletion, removal, and anonymization) are defined under the Regulation.
The Regulation will enter into force on 1 January 2018 and its text is available in Turkish here.