Regulation On The Deletion, Destruction, And Anonymisation Of Personal Data, which is the first Regulation drafted based on the Law on Protection of Personal Data was published on October 28, 2017.
The Regulation stipulates Data Controller’s obligations as to deletion, destruction and anonymization of personal data and explains some concepts such as deleting data, destroying data and anonymizing data.
Under the Regulation data controllers which are required to enlist with the Data Controllers Registry are obliged to;
Create a data retention and destruction policy,
Delete, destroy or anonymize personal data after exhaustion of the data processing purpose,
Record a log of all deletion, destruction and anonymization activities for at least three years,
Explain methods used in deletion, destruction and anonymization of personal data,
Periodically delete, destroy or anonymize data within 6 months as of the exhaustion of the data processing purpose,
Delete, destroy or anonymize personal data upon request by data subject if data processing purposes have been exhausted within 30 days as of receiving the request,
Inform third parties (who received the data) of the data subject’s request.
Full English text of the Regulation can be found at: