Selin OZBEK CITTONE
Attorney at Law / Managing Partner, Dual qualified lawyer (Turkey and England & Wales)
10 November 2017
This year was an important year for Turkey in terms of Data Protection law. At the beginning of 2017, the Data Protection Authority (“DPA”) began to actively work. Following the assignment of the board members, at first, the Draft Regulation on Data Controller Registry has been made available for public consultation (http://www.ozbek.av.tr/publications/draft-regulation-on-data-controller-registry/), then, the Regulation on Deletion, Destruction and Anonymization of Personal Data (“RDDA”)published on the official gazette to be effective as of January 1, 2018. Not much later, the DPA published “Guideline for Deletion, Destruction or Anonymization of Personal Data” (“Guideline”) to answer at least, some of the questions arisen after the issuance of the RDDA.
DATA CONTROLLERS’ MAIN OBLIGATIONS UNDER THE RDDA
Data controllers, who are required to be registered with the Data Controller Registry (“Registry”) must;
The data controllers, whose registration with the Registry is not required, have different obligations. We will talk about them further in this article.
RETENTION & NEUTRALIZATION POLICY
As per Article 5 of the RDDA, the data controllers, who are required to be registered with the Registry, are obligated to draft a Policy. Such Policy must be in accordance with the personal data inventory and include the following:
NEUTRALIZATION OF PERSONAL DATA
The RDDA summarizes all the deletion, destruction or anonymization of personal data actions under one definition: Neutralization.
All data controllers are obligated to neutralize personal data, whether or not they are required to register with the Registry or not.
All neutralization-related actions must be recorded, and these records must be retained for three years, excluding other legal obligations.
The data controllers are also obligated to explain the methods they use, in the Policy.
WHAT IS DELETION OF PERSONAL DATA?
RDDA defines “deletion” as the process of making personal data completely inaccessible to and unusable by the “relevant users”. The RDDA defines relevant users as those who process personal data within the organization of the data controller or with the authority given by the data controller, except those administrators, who are responsible for the technical storage, preservation and backup of the data.
To conduct deletion; in a general sense, the data controllers must prevent the access of “relevant users” (as defined above) to the personal data in question and must prevent them from using such data. The Guideline emphasizes that the relevant users shall not be administrators, in order to take away all opportunities for a relevant user to gain its access back. This access restriction must not leave any open doors for that relevant user to restore or reuse that data.
WHAT IS DESTRUCTION OF PERSONAL DATA?
The RDDA defines destruction of personal data as the process of making personal data inaccessible to everyone and unusable and unrestorable by anyone.
To conduct destruction; the data controller must make sure that accessing or processing the personal data is impossible by anyone.
For physical mediums, (including but not limited to, the servers or discs, wherein the personal data are stored); the Guideline offers several methods. These methods render the physical medium in question unusable (e.g. de-magnetizing, melting, burning, dusting etc.)
For cloud services, the Guideline offers cryptographic encryption of all personal data and suggests application of separate encryption keys to all separate cloud services use. The destruction may be conducted by destroying all copies of the keys.
For paper mediums, the Guideline offers shredding the paper in a way, which makes the data on it impossible to be recognized, by shredding the paper both vertically and horizontally in non-combinable tiny pieces.
WHAT IS ANONYMIZATION OF PERSONAL DATA?
The RDDA defines the anonymization of personal data as the process of making it impossible for personal data to be associated with any identified or identifiable person in any way, even if the personal data are matched with other data. Anonymization is only possible if it is not possible for the data to be associated with any identified or identifiable real person even by using diverse techniques (e.g. restoring the data by the data controller or the transferee(s), matching a data with other data) for the storage medium or that particular field of activity.
To conduct anonymization; the data controller must make a data anonymous by using several de-identification methods such as masking, grouping, generalization, randomization etc.
The data controller must tread the anonymization carefully as there are more than one ways to re-identify the anonymized data. An adversary might combine the anonymized data with a public data, take advantage of a personal knowledge about the data subject or use its know-how in technology and information technology to discover the real person behind that anonymized data. The Guideline urges the data controllers to provide the conditions below:
WHEN DOES A DATA CONTROLLER NEUTRALIZE PERSONAL DATA?
The RDAA identifies two separate cases of neutralization:
Ex Officio Neutralization
A data controller has the right the choose the most appropriate neutralization method unless the DPA requires otherwise.
Neutralization Upon the Request of the Data Subject
A data subject’s right to request is a reflection of the “right to be forgotten” arisen after “Google Spain v AEPD and Mario Costeja González” case just like the “right to erasure” under the General Data Protection Regulation.
When a data subject makes such a request;
If the conditions for processing personal data are no longer present; the data controller shall delete, destroy or anonymize personal data in question. The data controller must fulfill this request of the data subject within 30 (thirty) days and must inform the data subject.
As per Article 7 of the RDDA, the data controller does not have to apply the neutralization method the data subject requested; but must explain the reason for its preferred method.
If the conditions for processing personal data are no longer present and if the personal data in question were transferred to third parties; the data controller must inform third party regarding this situation and ensure that the third party in question conducts the operations required by the RDAA.
The meaning of this “ensuring” mentioned in the Article 12/1(c) of the RDDA is not clear and even contradictory since the Law mentions “notifying” instead.
If the conditions for processing personal data are still present; the data controller may refuse this request by explaining the reason of such refusal in accordance with the applicable law. This refusal shall be informed to the data subject, electronically or in written, within 30 (thirty) days following the data subject’s request.
The data subject, whose request was refused, has a right to file a complaint to the DPA within 30 (thirty) days from notification of the refusal or 60 (sixty) days from the date of the request. If the DPA identifies a violation, the data controller shall comply with the DPA’s relevant decision within 30 (thirty) days.
WHAT IS THE CURRENT SITUATION?
The Regulation on Data Controller Registry came into force on January 1, 2018. The DPA informed the public that the registries will start on the date to be set by the DPA following the Data Controller Registry Information System (VERBİS) going live. The DPA will clarify which Data controllers will be required to register and which will be exempted. The data controllers required to register to VERBİS, will have to adopt a Retention & Neutralization Policy.
 “If all of the conditions for processing personal data have ceased to exist and personal data of the data subject has been transferred to a third party, the data controller shall notify the third party of this situation; and ensure that the third party carries out the necessary procedures within the scope of this Regulation.”