News » Turkish Draft Anonymization Regulation 2017-05-31

Article Taken From Tolga Ismen Founder i-Wisdom

1. Introduction

Turkey adopted her first Data Privacy Law in 2016 (Law numbered 6698 and dated 7 April 2016) (“DPL”). It generally follows the principles set forth in EU Data Protection Directive 95/46/EC. The Data Privacy Authority (the “Authority”) which is authorized to enforce DPL was established on January 2017. The Authority is working on the secondary legislation for some time and they announced the draft Data Controllers Register Regulation on 5 May 2017 (the “Draft Registry Regulation”). Please refer to our previous article that reviews the crucial aspects of the Draft Registry Regulation.[1]On 29 May 2017, the Authority announced the second piece of its regulations, draft Regulation of Anonymization, Termination or Erasing of the Personal Data (the “Draft Regulation”). We will review the Draft Regulation in this article.

2. General Principles

The Draft Regulation is brief and general for my taste. Anonymization is a very complex and technical concept and the Draft Regulation shed little light to the several concepts related to this matter. Article 7 of the DPL stipulates that the Authority should issue a regulation on anonymization. However, apart from setting forth the general concept that the personal data should not processed for a period longer than permitted under the law, Article 7 was silent on the principles to be applied to this matter, as well as the techniques that can or should be used. Draft Regulation repeats this general concept. Article 5 of the Draft Regulations lists the incidents that cease the justification of processing personal data and dictates that in occurrences of such instances, the data controller should erase or anonymize the relevant personal data. The Draft Regulation puts great emphasis on the Retention and Termination Policies (the “Policy”) that should be adopted by certain data controllers.[2] The Policy should include several principles and procedures including the purpose of the policy, the storage locations, definitions, technical and administrative measures, responsible personnel, a chart indicating the retention periods, periodical termination policies. Articles 8, 9 and 10 sets forth the principles to be used for termination, erasing and anonymization of personal data. We will review these provisions in more detail below. However, it is important to note that these Articles are drafted in a very general manner and will raise serious issues of interpretation during their implementation.