The Data Protection Board’s guidelines on Deletion, Destruction and Anonymization of Personal Data (“Guidelines”) are published

The Guidelines prepared by the Data Protection Board (“Board”) aim to answer many of our outstanding questions regarding the methods of neutralization as well as administration of the processes.

The Turkish version of the Guidelines is available at http://www.kvkk.gov.tr/yayinlar/.pdf

In the Guidelines, methods are explained technically, taking into account the environment in which the personal data is processed and stored. The Board pays special attention to anonymization methods and de-anonymization. The Guidelines provide best practices with real-life examples for different types of neutralization.

Data controllers must know that the methods and best practice examples given by the Board in the Guidelines are not legally binding. Data controllers may choose alternative methods appropriate to their practices.

The Guidelines once more underline that the Board imposes certain duties on data controllers and expects them to have control over the data transferred to third parties in case of neutralization as well. Data controllers must check whether processors may de-anonymize the data by using data stored by them or even by using publicly available information. Data controllers are expected to perform risk analysis and have contractual arrangements in place to prevent unauthorized re-identification.

What’s next?

  • Data controllers that are required to prepare a policy for Deletion, Destruction and Anonymization must revise their policies in light of the Guidelines. They must include in their policies their respective methodologies for neutralization as well as the technical and administrative measures they are taking. In parallel, it is also advisable that they work on their internal procedures. Procedures may describe how each policy will be put into action and outline who will do what, what steps need to be taken, and which forms or documents must be used.
  • Special attention should be given to cloud solutions. Data controllers must understand that they are expected to have control over their cloud service providers when they are requested by a data subject or required by law to delete, destroy or anonymize certain personal data.