Data protection regime in Turkey takes shape

This article was written by Ekin Inal, lawyer at İnal Kama Attorney Partnership, affiliate firm of Norton Rose Fulbright in Turkey.

Turkey’s data protection regulation published in November gives data control personnel responsibility for removal of personal data.

Turkey continues to develop a legal framework on data protection. On October 28, 2017, the Data Protection Authority (the “Authority”) published an important regulation supplementing the Law on Protection of Personal Data (the “Data Protection Law”), namely the Regulation on the Deletion, Destruction and Anonymization of Personal Data (the “Regulation”). The Regulation was then followed by a set of guidelines detailing the process and methods of deletion, destruction and anonymization of personal data (the “Guidelines”). On November 16, 2017, the authority published another regulation setting out the rules applicable to its operation and working procedures.

As explained in our newswire article on data protection, Turkey’s long-awaited Data Protection Law was enacted on April 7, 2016 and was later followed by the Regulation on the Processing and Protecting the Privacy of Personal Health Data on October 20, 2016. The Data Protection Authority, envisaged by the Data Protection Law to be a financially and administratively independent supervisory authority, was established and members of its decision-making body, the Data Protection Board (the “Board”) took oath before the Court of Appeals in early 2017.

The recently promulgated regulation on the internal working procedures sets forth the procedures and principles according to which the Board will function. The Board’s nine members were appointed for a term of four years and may be re-elected. The Board is authorized, among others, to supervise personal data processing by entities to ensure protection of fundamental rights and freedoms, maintain the Data Controllers’ Registry, set out the regulatory framework for personal data protection, impose administrative sanctions and publish a white list of countries where sufficient data protection measures are in place for a safe data export.

The Board has been active since its establishment, working on draft regulations, seeking opinions and comments from public and private institutions on those drafts, publishing user-friendly manuals and organizing meetings, conferences and workshops to hold discussions. The Regulation is a product of such efforts. The Board is also working on the draft of the Regulation on the Registry of the Data Controllers’ Registry, which is expected to be published in due course before the end of 2017.

The Regulation, which will enter into force as of January 1, 2018, sets forth the procedures of deletion, destruction and anonymization (all three methods will be referred to as “removal”) of personal data that is processed either (i) automatically or (ii) manually, provided that the data is part of a data registry system.

The Regulation and the Guidelines define

• Deletion of data as rendering personal data inaccessible and unfit for the re-use for ‘relevant users’ (i.e. persons, other than those responsible for the storage, protection and back-up of the data, who process personal data either as part of the organization of the data controller or in accordance with the authority granted by and upon the instruction of the data controller).
• Destruction of data as rendering personal data inaccessible, un-restorable and unfit for re-use for anyone.
• Anonymization of data as turning data into a form which cannot be associated with an identified or identifiable real person, even if it is restored and/or linked or coupled by other data.

General principles

The Regulation provides that, if processing of data is no longer required, data controllers must remove the personal data, either ex officio or upon the request of data owner. The Regulation requires that any action taken for the removal of personal data be recorded and all such records be maintained for at least three years.

Policy on the retention and destruction of personal data

Unless exempt from the requirement, all data controllers must be recorded with the Data Controllers’ Registry. These data controllers are also required to prepare a policy on the retention and destruction of personal data. The policy should be in line with the inventory that the data controllers will maintain to register the details of their personal data processing activities.¹

The policy must include, among other points, information on data processing media to which the policy would apply, legal, technical and other reasons for retention and removal of personal data, measures taken to secure and remove the personal data and to avoid illegal processing, titles and job descriptions of those involved in the retention and removal process and retention and periodic removal periods.

Mere preparation of a policy does not guarantee a data controller’s compliance to the legislation.

Methods of data removal

Unless the Board decides otherwise, data controllers are free to choose the methods to be used for removal of personal data. Upon request by a data subject, a data controller must explain the reasons for choosing a particular method.

For deletion of data, the Guidelines require that data controllers fulfill the following steps: (i) determine the personal data subject to deletion, (ii) determine the relevant users of such data, (iii) determine the scope of authority and methods employed by the relevant users to access, restore and re-use personal data, and (iv) block and remove such authority and methods. The method to be used for deletion must be appropriate for the platform on which the data is stored. Accordingly, the Guidelines provide examples of methods that can be used for data stored in a cloud system, on paper, on a server, portable media device or database. For example, if stored on paper, the data must be cut out or redacted as appropriate. For data stored on portable media storage, the devices in question must be encrypted and deleted by appropriate software.

For destruction, the Guidelines list a number of methods depending on the system where data is stored and requires data controllers to use one or more of such methods, including degaussing (erasing or neutralizing magnetic data, e.g. on a hard disk), overwriting data using special software, shredding paper records (vertically and horizontally, making it impossible to reassemble the pieces), and for data maintained on cloud servers, destruction of individual keys used to encrypt data.

Similarly, in relation to anonymization, the Guidelines provide for different methods that data controllers may use, depending upon, among other factors, type and size of data, frequency of data processing and whether anonymization would be worth the effort. Methods include, among others, removing variables (where the variable is a direct identifier), generalization of data and data masking.

In any event, it is important that data cannot be retrieved by modern data recovery techniques.

Time periods

Once the obligation to remove arises, data controllers, who are required to prepare a policy, must do so on the immediately following periodic removal date. Intervals between removal dates must be set out in the policy and may not exceed six months.

Data controllers not required to have a policy in place must comply with this obligation within three months.

The Board may shorten these periods if necessary to avoid irreparable damage and in case of clear signs of illegality.

If removal of data is requested by a data subject, data controllers must respond to the request within 30 days by (i) complying with the request, if the need for processing no longer exists, or (ii) rejecting the request and explaining why there is a need for processing. If data is transferred to third parties, but there is no longer a need for processing, data controllers must request that the relevant third party takes necessary actions under the Regulation.

The Regulation marks an important step in the protection of data subjects’ rights in processing personal data. Yet it remains rather general and allows data control personnel to decide technical and administrative measures to remove data. The Board therefore issued the Guidelines to shed light on the process and set out best practice, after reviewing relevant European directives and several international resources (including publications, guidelines and court cases).

In deciding on appropriate measures, data controllers must first consider the type of data retained (e.g. paper records vs. digital records). From physical destruction (e.g. by shredding paper print-outs, melting, crushing or incinerating a storage device) to digital erasure (e.g. clearing, purging, destroying or overwriting existing data) many techniques may be employed. Due care must be exercised to ensure the data removed is not recoverable.

Data controllers must also note that there may be certain costs associated with data removal, depending on the method employed or whether the data controller consults a service provider to choose and employ the most appropriate measure to remove data.

It is extremely important to regularly review the relevant policy to make sure it is still compatible with the practices of the workplace and the data it maintains and processes.