On March 10, 2019, the Turkish Personal Data Protection Board (the “Board”) published its Policy relating to Retention and Destruction of Personal Data, in its web-site (under the link https://kvkk.gov.tr/Icerik/5383/Diger-Dokumanlar). The Board aimed to help the data controllers in preparation of their own policies on retention and destruction of personal data, by providing this policy as a sample document.
The Regulation on Deletion, Destruction and Anonymization of Personal Data published in the Official Gazette numbered 30224 on October 28, 2017 (the “Regulation”) set forth that data controllers, which are required to enroll to the Data Controller Registry Information System (“VERBIS”) as per article 16 of the Law numbered 6698 on the Protection of Personal Data (the “Data Protection Law”), are also required to prepare a policy on retention and destruction of personal data within the scope of personal data processing inventory. The Regulation further defined such policy as a reference document, to determine the maximum time period required for retention of personal data, as well as details on deletion, destruction and anonymization. The details to be included in the policy were also provided in the Regulation.
In addition, the Board published a guideline document on March 7, 2019, to help data controllers navigate through any queries they may have while registering to VERBIS. As mentioned before in our client alert published in September 2018, all data controllers processing personal data in Turkey are required to register to the VERBIS system before processing personal data. The deadlines to register to VERBİS were determined by the Board in its decision numbered 2018/88 and dated July 19, 2018 and published in the Official Gazette numbered 30513 on August 18, 2018 as follows:
- Data controllers whose annual number of employees is more than 50 or whose annual financial balance is more than TL 25 million: September 30, 2019
- Real or legal person data controllers which are residing abroad: September 30, 2019
- Data controllers whose annual number of employees is less than 50 and whose annual financial balance is less than TL 25 million, while their main scope of activity includes processing of sensitive personal data: March 31, 2020
- Data controllers which are public institutions or agencies: June 30, 2020
The guideline document provides details on the calculation method for the “annual financial balance” and the “annual number of employees”. The Board also announced that ALO 198, which is the call center of the Board, may be reached for any further details or queries relating to VERBIS registration.
This information is provided for your convenience and does not constitute legal advice. It is prepared for the general information of our clients and other interested persons. This should not be acted upon in any specific situation without appropriate legal advice. This information is protected by copyright and may not be reproduced or translated without the prior written permission of Ergün Avukatlık Bürosu.