PERSONAL DATA INSTITUTION UPDATED THE VERBIS & DELETION PROCESSES
The protection of the personal data has become more of an issue day by day with the development of internet technologies and personal data stored digitally. In this manner, the Institution of Personal Data Protection (the “Institution”) is developing the national legislation and publishing additional sources for the practice to sustain both domestic information security needs and integration with the European Union.
In this regard, the Institution has published two more additional sources. The document of “VERBIS FAQ” is prepared by the Institution to guide data controllers who shall perform the obligation of register into the data controller registry info system (namely “VERBIS”) mentioned in the Art. 16 of the 6698 numbered Law. You may reach the FAQ document explains details about VERBIS in Turkish here.
In addition, a sample of the “Personal Data Retention and Destruction Policy” (the “Policy”) is published by the Institution on 10.03.2019 for the data controllers that have to register the VERBIS.
The sample Policy starts with explaining the aim, scope and definitions and states the title/unit/job description of the ones who participate the retention and destruction processes. The personal data record mediums are classified as “electronical” (e.g. software, usb etc.) and “non-electronical” with detailing each personal data classification to be recorded.
Both the legal reasons and processing tools that require to keep personal data along with the reasons to destruct personal data shall be determined in the Policy.
As is known, the data controllers are obliged to take all technical and administrative measures to prevent personal data to be processed, accessed illegally according to the Art. 12 of the Personal Data Protection Law. In this manner, the Policy to be prepared shall have technical and administrative measures to be taken.
Besides the data controllers should state “the destruction technics of the personal data” in their Policy. The disposal, destruction and anonymization of the personal data shall be explained separately for each data recording medium. The retention and destruction periods that are already took place in personal data processing inventory and VERBIS, shall also be mentioned in the Policy. These periods which should be determined for each process, shall be updated if necessary.
Our Company is providing consultancy service on the Personal Data Protection Law and General Data Protection Regulation compliance processes by combining best legal and technological substructure. Click for more information.
You may reach the full text of the sample Personal Data Retention and Destruction Policy published by the Institution, in Turkish, here.