NEW REGULATIONS WERE MADE BY THE PERSONAL DATA PROTECTION AUTHORITY
New updates were made by the Personal Data Protection Authority, taking into account the objections from the market and lawyers. The Authority has published the "Regulation on Amendments to the Regulation on Deletion, Destruction or Anonymization of Personal Data" (Destruction Regulation), "Regulation on Amendments to the Regulation on the Registry of Data Controllers" (Registry Regulation) and "Communiqué on the Procedures and Principles to be Followed in Fulfilling the Disclosure Obligation". The Communiqué on Amendments (Information Communiqué) was published on 28.04.2019 and changes were made in the said regulations and communiqués. In addition, an inventory and inventory preparation guide has been published on the institution's website. “Our Law Office predicts that this change is not the last change and that there will be new changes as well.
Changes in the Destruction Method of Personal Data
To consider the changes made in the Destruction Regulation; First of all, it was stated that as a new regulation, the disposal method should be explained in the policies published by the company. Accordingly, one of the sources announced by data controllers as a general principle will be the publication of destruction methods. While it will be published in a separate policy in practice, the methods for destruction may be explained within the Personal Data Processing Policy. These described methods will need to be compatible with the method applied by the data controller. However, with the change made, the definition of data inventory has been updated within the scope of this regulation, in parallel with the change made within the scope of the "Registry Regulation", which we will explain below.
CHANGES MADE IN THE REGISTRY REGULATION
The changes made are intended to eliminate some confusion regarding registration in the Registry. By clarifying the definition of the contact person, the relationship between the representative and the contact person and the job description of the contact person have been concretized. The contact person is to ensure communication with the Authority by the data controller for real and legal persons resident in Turkey, and by the data controller representative for real and legal persons who are not resident in Turkey, regarding their obligations within the scope of the Law and secondary regulations to be issued based on this Law. The job description of the contact person has been clarified by stating that it refers to the real person notified during registration to the Registry for this purpose, and it has been revealed that it is only required at the point of communication with the Institution. Another title has been added to the personal data inventory required for registration in the registry and it has been stated that the reason for compliance with the law should be added to the inventory. For this reason, revisions to existing inventories are required by data controllers. Integrity has been achieved by adding the "preservation period" regulation, which was not previously included in the regulation.
CHANGES WITHIN THE SCOPE OF THE CLARIFICATION COMMUNIQUE
Two amendments have been made within the scope of the Communiqué, and with these amendments, paragraph (c) of the 5th article of the Disclosure Communiqué has been removed, making it no longer an obligation to provide illumination on a unit basis. The result of this is to provide clarifications by publishing a Privacy Policy, as in the European example. In addition, the definition of data recording system and the definition of the Law have been harmonized.
