ARTICLE
9 November 2017

Turkey Announces Rules And Processes For Deleting, Destroying And Anonymizing Personal Data

MA
Moroglu Arseven

Contributor

“Moroglu Arseven is a full-service law firm, with broadly demonstrated expertise and experience in all aspects of business law. Established in 2000, the firm combines a new generation of experienced international business lawyers, who hold academic, judicial and practical experience in all aspects of private law.”
The Turkish Data Protection Authority has announced rules for deleting, destroying and anonymizing personal data, which will apply from 1 January 2018.
Turkey Privacy
To print this article, all you need is to be registered or login on Mondaq.com.

The Turkish Data Protection Authority has announced rules for deleting, destroying and anonymizing personal data, which will apply from 1 January 2018. These include details of obligations, procedures and time periods which will apply to data controllers (more).

The Regulation on Deletion, Destruction and Anonymization of Personal Data ("Regulation") was published in Official Gazette number 30224 on 28 October 2017.

Data controllers which are subject to registry obligations must prepare a Personal Data Retention and Destruction Policy, which satisfies the minimum content and thresholds outlined in the Regulation.

The Regulation introduces definitions for "deletion", "destruction" and "anonymization" within the concept of personal data legislation.

Data controllers must delete, destroy or anonymize personal data if the reasons for processing personal data cease to exist. Data controllers are entitled to choose whether to delete, destroy or anonymize personal data (unless the Data Protection Board decides otherwise).

Data controllers which are subject to registry obligations must introduce a data destruction scheme, where the frequency of destruction cycles is no longer than six months. If the reasons for processing personal data cease to exist, the data must be deleted in the next destruction cycle.

Other data controllers (which are not subject to the registration requirement) must delete, destroy or anonymize the personal data within three months from the date the processing reasons cease to exist.

Data controllers must respond to data subject requests about deleting, destroying or anonymizing personal data within 30 days.

Please see this link for the full text of the Regulation (only in Turkish).

Information first published in the MA | Gazette, a fortnightly legal update newsletter produced by Moroğlu Arseven.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

See More Popular Content From

Mondaq uses cookies on this website. By using our website you agree to our use of cookies as set out in our Privacy Policy.

Learn More