PROTECTION OF PERSONAL DATA UNDER TURKISH LAW(DECEMBER 2017)

Personal data protection became more important recently as much as e-commerce and online shopping became more popular. Since personal data is processed automatically or non-automatically in partial or in whole through data recording systems at internet environment, the necessity of determination of the procedure and principles of deleting, dispose of, or publication of personal data via Regulation has arisen. Accordingly, the related Regulation regulating the procedure and principles of deleting, dispose of, or publication of personal data published in Turkish Official Gazette on October 28, 2017. However, the enforcement date of the Regulation is January 1, 2018.

The Regulation defines and clarifies the obligations of date supervisors stipulated under Article 7 of Law on Protection of Personal Data(“Law”). Data supervisor is defined as real persons or legal entities who determine purpose and instruments of data recording system and who are responsible establishment and management of data recording system under Article 4 of the Regulation.

The most significant obligation foreseen by the Regulation for data supervisors is to prepare a personal data saving and disposal policy in accordance with the personal data processing inventory. The content of the mentioned policy must include at least the following items:  

  • Preparation purpose of the policy,
  • Recording environment organized by the policy,
  • Definitions of the legal and technical terms,
  • Legal, technical, or other explanatory disclosures that require the saving and dispose of personal data,
  • Technical and administrative measures regarding protection of personal data safely in order to prevent illegal access,
  • Technical and administrative measures regarding dispose of personal data in accordance with law,
  • Titles and job descriptions of persons involved in the process of saving and dispose of personal data,
  • Table reflecting saving and disposal intervals of personal data,
  • Intervals of disposal of personal data,
  • Information regarding any update in the policy.

However, it should be noted that preparation of such policy does not mean that the transactions conducted by the data supervisor are in comply with law. In any case data supervisors are obliged to keep, delete, dispose of, or make public the personal data whether the date supervisor is obliged to prepare policy or not.

The principles to be applied in case of deleting, dispose of or publication of personal data are regulated under Article 7 of the Regulation which are as follows:

  • In case the conditions for the processing of personal data foreseen in Articles 5 and 6 of the Law became invalid, the personal data must be deleted, disposed of or anonymized by the data supervisor or up on the request of the owner of the personal data.
  • When the above-mentioned transactions are carried out, it is obligatory to comply with the general principles stated in Article 4 of the Law and all the technical and administrative measures must be taken foreseen by Personal Data Protection Board.
  • All transactions must also be registered and kept for at least 3 (three) years’ period, besides other legal obligations.
  • Data supervisor is obliged to explain policies and procedures related to the methods (delete, dispose of or make public) applied and to choose the appropriate method, unless the Personal Data Protection Board decides otherwise, and to inform the reason regarding selection of the method upon request of owner of the personal data.

Furthermore, the periods for implementation of the procedures of deleting, dispose of or publication of personal data are determined by the Regulation. In this respect, the data supervisors are obliged to act in accordance with the periods set forth in Article 11 of the Regulation for the transactions carried out by the data supervisors at their own discretion and the period set forth in Article 12 of the Regulation for the transactions carried out up on the request of the owner of the personal data.

Consequently, the Regulation serves to eliminate any hesitation and inconvenience to be originated from practice of deleting, dispose of or publication of personal data.