Draft Regulation on Deletion, Disposal or Anonymization of Personal Data (“Draft Regulation”) which was one of the regulations perceived to be arranged within the context of the Law for Protection of Personal Data (KVKK) no.6698 and enacted as of 07.04.2016, has been published on the official website of the Board for the Protection of Personal Data (”The Board”) on 29 May 2017 with the purpose of gathering opinion from occupational organizations particularly within the sector.
The Board has granted a time span for public opinion until 12 June 2017 concerning the examination of the Draft Regulation that has been arranged to consist of 15 articles.
The verdicts existing in the Draft Regulation with content parallel to the EU practice will be executed by the Board’s chairman.
Pertaining to the aforementioned Draft Regulation, most remarkable parts within the upcoming regulations are provided below;
- Circumstances removing the conditions for processing personal data are arranged within the Article 5 of the Draft Regulation and in case the aforementioned circumstances exist; the deletion, destruction or anonymization of personal data is predicted ex officio by the data supplier or on demand from the concerned person. Any reference related to the deadline granted for the supplier’s performing the liability herein does not exist within the aforementioned regulation while it’s not made clear that whether the wording of “maximum time” within the sub-clause g would be set in line with the law or pertaining to the disposal policy to be designed under the Draft Regulation.
- The Draft Regulation imposes the designation of a data storage and disposal policy parallel to the EU practice through the Article 7 titled as “The scope of personal data storage and disposal policy”. However, any arrangement is not available concerning the creation or publication ways of the relevant policy. A formatted text on that scope is not shared publicly yet.
- Data supplier is liable for taking all the required technical and administrative measures to ensure the disposed data is not accessible and reusable. Similar to the Law no. 6698, the Draft Regulation does not arrange the scope of technical and administrative measures and does not contain any definition on those
measures. Therefore, it remains uncertain whether international standards as NIST and/or ISO27001 would be considered as basis in terms of those technical and administrative measures.
- Additionally, within the context of the liability for data deletion and/or disposal; the question on existence of spare systems and/or spaces for data recovery still remains.
- Regulation concerning the periods for deletion, disposal or anonymization of personal data, containing uncertainty since the Law no.6698 took effect has been arranged partially within articles 11 and 12 of the Draft Regulation. A time span of 30 days allowed for the designation of personal data storage and disposal policy is not considered enough. Accordingly, it would be appropriate to point out that any clarity does not exist whether the data supplier has got the right to demand for period extension or not concerning the 30 days period granted for the deletion and disposal of personal data following any claim for that from the concerned.
The concerning regulation will be enacted as of its promulgation date.
Our explanations provided above include general information on the issue. No responsibility can be claimed against EY and/or Kuzey YMM ve Bağımsız Denetim A.Ş. due to the implications arising from the context of this document or emerging with respect to its context.
Kuzey YMM ve Bağımsız Denetim A.Ş.