IT & Artificial Intelligence Law
Deletion, Destruction and Anonymization of Personal Data in Turkey
Published 14 July 2026·5 min read
Att. Mona Hukuk Editorial Team - Antalya · Antalya Bar Association
What happens to the personal data your company holds once a customer contract ends, an employee leaves, or a marketing consent is withdrawn? Turkey's Personal Data Protection Law (KVKK, Law No. 6698) does not permit personal data to be kept indefinitely. Once the grounds that required processing it disappear, the data controller must delete, destroy or anonymize that data. This obligation flows from KVKK Article 7 and from the dedicated "Regulation on the Deletion, Destruction or Anonymization of Personal Data" (Official Gazette, 28/10/2017). This guide explains the difference between the three disposal methods, the retention and destruction policy requirement, and the deadlines companies must observe.
When Does the Disposal Obligation Arise?
KVKK Article 7(1) is clear: even where data was processed lawfully, once the grounds requiring its processing cease to exist, the data controller must delete, destroy or anonymize it either ex officio (on its own initiative) or at the data subject's request. The Regulation frames this as the disappearance of all processing conditions set out in Articles 5 and 6 of the Law. Those conditions typically fall away when:
- the purpose for which the data was processed has been fulfilled or has ceased to exist,
- the explicit consent underlying the processing is withdrawn,
- the maximum retention period prescribed by relevant legislation expires,
- the data is no longer needed because the underlying contract has ended.
Retention obligations under other laws (for example, minimum record-keeping periods in tax or commercial legislation) are reserved; data cannot be disposed of before those periods lapse.
The Three Methods and How They Differ
The Regulation uses "disposal" (imha) as an umbrella term covering three distinct operations, each separately defined:
- Deletion (Art. 8): rendering personal data inaccessible and non-reusable for relevant users in any way. The data may still exist technically within the system for a time; what matters is that users authorized to process it can no longer reach it.
- Destruction (Art. 9): rendering personal data inaccessible, irretrievable and non-reusable by anyone in any way. Shredding physical records or irreversibly degrading magnetic media falls within this method.
- Anonymization (Art. 10): rendering personal data impossible to associate with an identified or identifiable natural person even when matched with other data. Properly anonymized data ceases to be personal data, which is why it is the method of choice for statistics and analytics.
The Personal Data Retention and Destruction Policy
Article 5 of the Regulation requires data controllers obliged to register with the Data Controllers' Registry (VERBİS) to prepare a Personal Data Retention and Destruction Policy. At a minimum, this policy must cover (Art. 6):
- the recording media and the legal or technical reasons requiring retention,
- the technical and administrative measures adopted,
- the titles and duties of the staff involved in retention and destruction,
- a table setting out retention and destruction periods,
- the periodic destruction intervals.
One point deserves emphasis: having a policy does not by itself mean the data was actually disposed of lawfully (Art. 5(2)). Moreover, a controller that is not obliged to prepare a policy still bears the full deletion, destruction and anonymization obligation (Art. 5(3)).
Periodic Destruction and Deadlines
The deadlines differ depending on whether the controller has a policy:
- A controller with a policy disposes of the data at the first periodic destruction cycle following the date the obligation arose. The interval is fixed in the policy but may never exceed six months (Art. 11(2)) — meaning periodic destruction must occur at least every six months.
- A controller without a policy obligation carries out disposal within three months of the date the obligation arose (Art. 11(3)).
- Where disposal follows a data subject's request, and all processing conditions have ceased, the request must be concluded within thirty days (Art. 12).
The Board may shorten these periods where irreparable harm or a manifest unlawfulness is at stake (Art. 11(4)).
Documenting Compliance
The Regulation requires controllers not only to dispose of data but to document doing so. All deletion, destruction and anonymization operations must be recorded, and those records kept for at least three years, without prejudice to other legal obligations (Art. 7(3)). Controllers must also explain the methods they use in their policies and procedures. In practice, companies are advised to:
- Build a personal data processing inventory and set a maximum retention period for each data category.
- Prepare the retention and destruction policy and set the periodic destruction interval (not exceeding six months).
- Record each disposal operation in a minute and retain it for at least three years.
- Handle data subject requests within the thirty-day window.
- Review and update the policy and inventory regularly.
Frequently Asked Questions
What is the difference between deletion and destruction? In deletion, the data is made inaccessible to the relevant users authorized to process it, though it may remain in the system technically for a time. In destruction, the data is eliminated so that no one can retrieve it by any means.
Must every company prepare a retention and destruction policy? No. The obligation applies to controllers required to register with VERBİS. However, companies not required to prepare a policy still have to dispose of data once its retention period expires.
What is the latest that periodic destruction may occur? The interval is set freely in the policy, but it may never exceed six months. A controller with a policy must therefore carry out periodic destruction at least every six months.
Does anonymized data fall within the scope of KVKK? Data that is properly anonymized can no longer be linked to a specific person and thus loses its status as personal data, falling outside KVKK. If identity can still be reached through matching, however, the anonymization is not valid.
How Mona Hukuk Can Help
At Mona Hukuk we support companies in building personal data inventories, preparing retention and destruction policies, establishing periodic destruction workflows, and documenting disposal operations in a legally compliant manner. With our expertise in IT and artificial intelligence law, we help your company achieve full compliance with KVKK's disposal obligations.
For consultancy in Antalya, you can write to contact@monahukuk.com or call +90 (242) 606 14 32.
Want a weekly digest of developments in Turkish law?
Official Gazette notices, court decisions and legislative changes — delivered weekly. Free, unsubscribe at any time.
Related Articles
IT & Artificial Intelligence Law
.tr Domain Disputes in Turkey: A Guide for Foreign Brands
2 Jul 2026 · 6 min read
Read articleIT & Artificial Intelligence Law
Software Escrow Agreements Explained: Turkey Guide 2026
22 Jun 2026 · 6 min read
Read articleIT & Artificial Intelligence Law
Registering with VERBİS: Turkey's Data Controller Guide
9 Jun 2026 · 6 min read
Read article