Follow us

The Draft Regulation on the Deletion, Annihilation or Anonymization of Personal Data

Since it is regulated within the Code numbered 6698 on the Protection of the Personal Data (“Code”), the data controllers are obliged to delete, annihilate or anonymize the personal data when the valid reasons to process the data no longer exist. In order to regulate the procedures and principles regarding the deletion, annihiliation or anonymization of personal data, the Committee of Protecting the Personal Data (“Committee”) has published the Draft Regulation on the Deletion, Annihilation or Anonymization of Personal Data (“Draft Regulation »). The most significant topics of the Draft Regulation are as below:

    1. The Situations That The Personal Data Should Be Deleted, Annihilated Or Anonymized
      According to Article 5 of the Draft Regulation in parallel with Articles 5 and 6 of the Code which regulate the processing of personal data and sensitive personal data, the below mentioned situations shall be accepted as the disappearance of the valid reason required for processing the personal data including sensitive personal data :

      • The legislation constituting the legal basis for processing personal data is abolished .
      • Termination, expiration or non-existence of a valid contract between parties.
      • The purpose of processing the personal data expires.
      • Processing personal data contradicts the law or principles of good faith.
      • The data subject (data owner) withdraws his/her consent where processing the personal data is subject to explicit consent.
      • Application of the data subject in order to delete the personal data,
      • The non-existence of a valid reason for the personal data processing when the maximum processing term has elapsed.

      The disappearance of the reasons stated in Articles 5 and 6 of the Code.
      In case of existence of any of the aforementioned situations, the data controllers shall delete, annihilate or anonymize the relevant personal data ex officio or upon the application of the data subject.

    2. Deletion of the Personal Data
      In Article 8 of the Draft Regulation, some exemptions are provided for deletion of the personal data. It is stated in article 8 that if deleting the personal data will lead to an inability to access and use other data in the system as well, the personal data will be accepted as having been deleted, provided that the data controller manages to:

      • Archive personal data, by making it impossible to identify the data subject through the personnal data,
      • Prevent the access of third parties and limit the access only with authorized persons.

      On the other hand, deletion of personal data that is processed as a part of any data recording system by non-automatic means shall be realized by ;

      • Fading out the unnecessary personal data,
      • Camouflaging the unnecessary personal data in the form of paper that has been scanned or transferred to the electronic environment without digitizing.
    3. Annihilation of the Personal Data
      As per Article 9 of the Draft Regulation, annihilation is to make all physical recording environments that the personal data is stored or that are available to store the personal data completely and irrevocably unusable. Data controllers shall take all technical and administrative measures regarding the annihilation of personal data. Any exemptions have not been governed in this respect.
    4. Anonymization of the Personal Data
      Anonymization is defined in the Draft Regulation as to make the personal data unidentified by itself or even when combined with other data. In order to anonymize the personal data, data controllers or data receiver or receiver groups to whom the personal data is transferred shall prevent the personal data to identify a person by using of appropriate techniques in terms of recording environments so that any real person cannot be identified through personal data even by benefitting from recovery techniques or by combining with other data.The parties who have the obligation of registration to Data Controllers Registry shall prepare a personal data protection and annihilation policy in accordance with personal data processing inventory.

      The Committee is authorized to determine the principles and procedures for preparation and implementation of this policy.

Our Law Firm remains at your disposal for any further clarifications you may require.

Copyright© Cailliau & Colakel