Selin OZBEK CITTONE
Attorney at Law / Managing Partner, Dual qualified lawyer (Turkey and England & Wales)
24 November 2017
The Guidelines prepared by the Data Protection Board (“Board”) aim to answer many of our outstanding questions regarding the methods of neutralization as well as administration of the processes.
The Turkish version of the Guidelines is available on http://www.kvkk.gov.tr/yayinlar/.pdf
In the Guidelines, methods are explained technically considering the environment in which the personal data is processed and stored. The Board pays special attention on anonymization methods and de-anonymization. The Guidelines provide best practices with real life examples for different types of neutralization.
Data controllers must know that the methods and best practice examples given by the Board in the Guidelines are not legally binding. The data controllers may choice alternatives methods appropriate to their practices.
The Guidelines once more underline that the Board imposes certain duties to the data controllers and expects them to have control over the data transferred to third parties in case of neutralization as well. Data controllers must control whether processors may de-anonymize the data by using data stored by them or even by using publicly available information. The data controllers are expected to perform risk analysis and have contractual arrangements in place to prevent unauthorized re-identification.