“Regulation on Erasure, Destruction or Anonymizing of Personal Data” (“Regulation”) prepared by the Personal Data Protection Authority was published on the Official Gazette No. 30224 on 28/10/2017.
The purpose of this Regulation is to introduce the procedures and principles in order to erase, destruct or anonymize the personal data which are processed as well as to natural or legal persons who process such data fully or partially through automatic means or provided that the process is a part of any data registry system, through non-automatic means.
The controllers, who process personal data and are obliged to enrol in the Registry of Data Controllers, must prepare personal data processing inventory and personal data retention and destruction policy.
The details on the periodic erasure, destruction or anonymizing periods of personal data shall be determined on the personal data retention and destruction policy. This period cannot exceed six (6) months at any time.
The controllers, who are not obliged to prepare personal data retention and destruction policy, shall delete, destroy or anonymize personal data within three (3) months of the date on which the obligation to delete, destroy or anonymize personal data occurs.
All transactions relating to the deletion, destruction and anonymization of personal data shall be recorded and shall be kept for a period of at least three (3) years with the exception of other legal obligations. The controller shall select the most appropriate one of the methods of publicly deleting, destroying or anonymizing personal data unless otherwise concluded by the Personal Data Protection Board. If requested by the person concerned, the Controller may choose the appropriate method by explaining the reason.
The effective date of this Regulation shall be on 01/01/2018.
Best regards,
CELIKBAS LAW OFFICE