NEWSLETTER-2017

325 PERSONAL DATA PROTECTION mized by the data controller upon request of the relevant person when the ‘reasons for processing are eliminated,’ despite the fact that it has been processed in accordance with the provisions of Law No. 6698 and other related laws. The deletion, removal and anonymization of personal data are clarified in the Regulation and Guideline, and these cases are sepa- rately explained, below. Deletion of Personal Data As per the Regulation, the deletion of personal data is the process of rendering personal data inaccessible and irrevocable for relevant users. The data controller is liable to take all necessary technical and administrative precautions for the deleted personal data to be inacces- sible and reusable for the users concerned. Since personal data can be stored in various recording media, they must be deleted appropriately to all related recording media. For example, in the cloud environment (such as Office 365, Salesforce, Dropbox) the data must be deleted with the delete command. It is important to take into consideration that the user is not authorized to restore deleted data on the cloud system when the operation is being performed. Personal data stored in the paper environment should be erased using the blanking method. Blanking is performed by deleting personal data on relevant paper where possible, and in cases where this is not possible, it can be rendered invisible to the relevant user by using fixed ink so that it cannot be reversed and read by technological solutions. For office files located on the central server, the file must be deleted with the delete command in the operating system, or the access right of the user must be removed on the file or on the directory/index where the file is located. Personal data in flash-based storage media must be stored cryptically and deleted by using appropriate software for these media. Moreover, the corresponding rows in which personal data are stored must be deleted with database commands ( Delete, etc .). It is worth noting that the user is not a database administrator at the same time the operation is being performed.