Purpose, scope, basis and definitions
Article 1 - (1) the purpose of this regulation is to define the procedures and principles for the deletion, destruction or anonymization of personal data that is fully or partially automated or processed by non-automatic means, provided that it is part of any data recording system.
Article 2 - (1) the provisions of this regulation; 24/3/2016 dated and 6698 No. 7 article of the law on the protection of personal data in accordance with the data responsible persons are applied.
Article 3 - (1) this regulation has been prepared on the basis of the third paragraph of Article 7 of the law No. 6698 and the first paragraph (e) of Article 22.
Article 4 – (1) in the implementation of this regulation;
a) buyer group: the category of natural or legal person to whom personal data is transferred by the data officer,
b) relevant user: persons who process personal data within the organization of the data officer or in accordance with the authority and instructions received from the data officer, except for the person or unit responsible for technical storage, protection and backup of the data,
C) destruction: deletion, destruction or anonymization of personal data,
ç) law: 24/3/2016 dated and 6698 numbered Personal Data Protection Law,
d) recording media: any media in which personal data is processed by non-automatic means, whether fully or partially automated or as part of any data recording system,
e) the processing of personal data inventory: principals of Data processing personal data depending on the business processes they are accomplishing activities; purpose of processing personal data data category group and data transferred to the recipient by associating with a group of people is created and the subject of the personal data for the purposes for which they are processed, which is required for the maximum time prescribed by explaining the measures of data protection and personal data transfer to foreign countries detaylandirdik inventory of,
F) personal data retention and destruction policy: the policy that the data controllers base on the process of deleting, destroying and anonymizing the process of determining the maximum time required for the purpose for which the personal data is processed,
d) Board: Personal Data Protection Board,
d) periodic destruction: in the event that all the conditions for processing personal data contained in the law are eliminated, the process of deleting, destroying or anonymizing the personal data specified in the storage and destruction policy and will be resen at repeated intervals,
H) Registry: the registry of data responsible persons maintained by the presidency of the Personal Data Protection Authority,
I) Data Recording System: a recording system in which personal data is structured and processed according to certain criteria,
I) Data Officer: a natural or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data recording system,
(2) for definitions not included in this regulation, the definitions in the law apply.
Personal Data Retention and destruction policy
Principles of personal data retention and destruction policy
Article 5 - (1) in accordance with Article 16 of the law, data controllers responsible for registering in the Registry of data controllers are obliged to prepare a personal data storage and destruction policy in accordance with the personal data processing inventory.
(2) the fact that a personal data retention and destruction policy has been prepared does not mean that personal data is stored, deleted, destroyed or anonymized in accordance with the law and regulations.
(3) data controllers who are not under any obligation to prepare a personal data retention and destruction policy continue to have obligations to store, delete, destroy or anonymize personal data in accordance with the law and this regulation.
Scope of personal data retention and destruction policy
Article 6 - (1) personal data retention and destruction policy as a minimum;
a) for the purpose of preparing a personal data retention and destruction policy,
b) personal data storage and destruction policy,
c) definitions of legal and technical terms contained in the personal data retention and destruction policy,
d) disclosure of legal, technical or other reasons requiring the storage and destruction of personal data,
d) technical and administrative measures taken to prevent the safe storage and unlawful processing and access of personal data,
e) technical and administrative measures taken for the destruction of personal data in accordance with the law,
F) names, units and definitions of duties of those involved in the processes of storing and destroying personal data,
D) A table showing the storage and destruction times,
d) periodic destruction times,
h) if an update has been made to the existing personal data retention and destruction policy, the change in question,
covers related information.
Deletion, destruction or anonymization of personal data
Article 7 - (1) if all the conditions for processing personal data contained in Articles 5 and 6 of the law are eliminated, the personal data must be deleted, destroyed or anonymized by the data officer at the request of resen or the person concerned.
(2) deletion of personal data, destruction or anonymous with the general principles in Article 4 of the law in making that need to be taken technical and administrative measures within the scope of Article 12, the provisions of the relevant legislation, policy and decisions of the board are required to act in accordance with the retention and destruction of personal data.
(3) all transactions related to the deletion, destruction and anonymization of personal data are recorded and these records are stored for at least three years, excluding other legal obligations.
(4) the data officer is obliged to explain the methods he / she applies in relation to the process of deletion, destruction, anonymization of personal data in his / her relevant policies and procedures.
(5) the data officer chooses the appropriate methods of deleting, destroying or anonymizing personal data, unless a decision is taken by the board to the contrary. At the request of the person concerned, he / she selects the appropriate method by explaining his / her justification.
Deletion of personal data
Article 8 - (1) deletion of personal data is the process of making personal data inaccessible and reusable for the relevant users in no way.
(2) the data officer is obliged to take all necessary technical and administrative measures to ensure that the deleted personal data is inaccessible and reusable for the relevant users.
Destruction of personal data
Article 9 - (1) destruction of personal data is the process of making personal data inaccessible, irrevocable and reusable by anyone in any way.
(2) The Data Officer is obliged to take all necessary technical and administrative measures related to the destruction of personal data.
Anonymization of personal data
Article 10 – (1) anonymization of personal data, personal data with other data of a specific or identifiable natural person to be linked to ID in no way even eslestirils to make.
(2) to be " anonymized personal data; personal data, data recipients or recipient groups and by the principal of matching and related with other data such as the Revert of the data recording media through the use of appropriate techniques in terms of the field of activity, even the ID cannot be associated with specific or identifiable natural person must be made.
(3) the data officer is obliged to take all necessary technical and administrative measures related to the anonymization of personal data.
Periods of official deletion, destruction or anonymization of personal data
Article 11 - (1) the data officer who has prepared a personal data retention and destruction policy deletes, destroys or anonymizes personal data in the first periodic destruction process following the date on which the obligation to delete, destroy or anonymize personal data arises.
(2) the period of time during which periodic destruction will be performed is determined by the data controller in the personal data retention and destruction policy. In any case, this period cannot exceed six months.
(3) the data officer, who has no obligation to prepare a personal data retention and destruction policy, deletes, destroys or anonymizes personal data within three months following the date on which the obligation to delete, destroy or anonymize personal data arises.
(4) The Board may shorten the periods set out in this article if irreparable or impossible damages arise and there is clearly a violation of the law.
Periods of deletion and destruction of personal data if requested by the person concerned
Article 12 – (1) when the person concerned applies to the data manager in accordance with Article 13 of the law and requests the deletion or destruction of his personal data;
a) if all conditions for processing personal data are eliminated, the data officer deletes, destroys or anonymizes the personal data subject to request. The data officer finalizes the request of the person concerned within thirty days at the latest and informs the person concerned.
b) if all the conditions for processing personal data have disappeared and the personal data subject to request has been transferred to third parties, the data officer shall notify the third party of this situation and ensure that the necessary actions are carried out in accordance with this regulation by the third party.
c) processing personal data disappeared all of the requirements of this data request in accordance with the third paragraph of Article 13 of the law sorumlusunca explaining the rationale may be rejected and a refusal is notified electronically to the relevant person or in writing at the latest within thirty days.
Miscellaneous and final provisions
Elimination of hesitations