In the increasingly digital world, personal data has become one of individuals’ most valuable assets. With the proliferation of internet use and the indispensable presence of social media platforms and various online services, the protection and control of personal data has gained significant importance. In Türkiye, the fundamental legal regulation in this area is Personal Data Protection Law No. 6698 (KVKK), which grants individuals significant rights over their personal data. One of these rights is the right to request the deletion of processed personal data. Proper understanding and management of this process is crucial for both individuals and companies, especially in major cities like Antalya.
In this article, we will examine in detail the process for requesting the erasure of personal data under the Personal Data Protection Law (KVKK), the rights of data subjects, the obligations of data controllers, and the legal aspects of this process. Our goal is to make this seemingly complex process understandable and applicable for anyone living or operating in Antalya.
Personal Data Protection Law (KVKK) and the Right to Erasure
The KVKK entered into force to protect fundamental rights and freedoms, particularly the right to privacy, in the processing of personal data and to regulate the obligations and principles to be followed by individuals and legal entities who process personal data. The law defines “personal data” as any information relating to an identified or identifiable natural person. This definition encompasses a wide range of information, including name, surname, Turkish ID number, address, telephone number, email address, fingerprints, and health information.
Article 7 of the Personal Data Protection Law (KVKK) regulates the conditions for the deletion, destruction, or anonymization of personal data, while Article 11 outlines the rights of data subjects. Accordingly, every data subject has the right to request the deletion or destruction of their personal data. This right arises when the reasons requiring the processing of personal data no longer exist or when the data subject withdraws their explicit consent. The data controller is obligated to fulfill this request unless otherwise stipulated in the law.
Personal Data Deletion Request Process: Step by Step
The process of requesting the erasure of personal data is a procedure that must be carried out carefully, involving certain steps and legal periods between the data owner and the data controller.
Data Owner’s Request
When requesting the erasure of personal data, the data subject must first contact the data controller. This request must be made in accordance with the Personal Data Protection Law (KVKK) and relevant secondary regulations. For the application to be considered valid, the data subject must prove their identity unequivocally and clearly state their request.
Typically, the application is made through one of the following methods:
* In writing: With a signed petition, by mail or through a notary.
* Via a Registered Electronic Mail (KEP) address: Using a secure electronic signature or mobile signature.
* By the methods specified on the data controller’s website: Generally, via the KVKK application form or online application screens.
The application must include the data subject’s contact information, such as their name, surname, Turkish ID number (passport number for foreigners), residence or work address, telephone number, and email address. It must also clearly state the purpose for which the requested data is being processed, the data requested to be deleted, and the reason for the request. For example, a clear statement such as the following should be used: “I request the deletion of my personal data related to the membership I opened at Company X in 2020 due to the termination of my membership.”
Obligations of the Data Controller and Response Time
After receiving a data subject’s request for deletion, the data controller must evaluate and finalize the request and inform the data subject within 30 days at the latest. This period begins on the date the request is received by the data controller.
The data controller may make one of the following decisions when evaluating the request:
* Accept the Request: If the conditions requiring the processing of personal data no longer exist and there is no legal impediment, the data controller will delete, destroy, or anonymize the data. In this case, the data subject will be informed of the action taken. If the data to be deleted has been transferred to third parties, the data controller will also notify the third parties and ensure that they also perform the deletion, destruction, or anonymization actions.
* Reject the Request: If a legal obligation requiring the processing of personal data persists (e.g., tax legislation, commercial law, labor law) or if the data processing conditions (e.g., performance of a contract, legal obligation, legitimate interest) still apply, the data controller may reject the request. In the event of refusal, the data subject must be informed with a reasoned explanation.
It is essential that the data controller be transparent and accountable during this process. It is also a legal obligation for the data controller to take the necessary administrative and technical measures to delete, destroy, or anonymize personal data.
Deletion, Destruction or Anonymization
KVKK and related regulations define three different methods to be applied when the reasons requiring the processing of personal data no longer exist:
* Deletion: The process of making personal data inaccessible and non-reusable for the relevant users in any way.
* Destruction: The process of rendering personal data inaccessible, irretrievable, and non-reusable by anyone. This is typically applied to data on physical media (e.g., destruction of paper documents).
* Anonymization: Personal data is rendered incapable of being linked to an identified or identifiable natural person, even when matched with other data. Anonymized data falls outside the scope of the Personal Data Protection Law, and the data controller can process it as they wish.
The data controller selects and applies the most appropriate of these methods when evaluating and implementing the request.
Rejection of Request and Appeal Methods
If the data subject’s request for erasure is rejected by the data controller or no response is given within 30 days, the data subject has the right to take legal action.
Complaint to the Personal Data Protection Authority (KVKK)
Data subjects may file a complaint with the Personal Data Protection Authority (KVKK) within 30 days of receiving the data controller’s response, and in any case, within 60 days of the application date. The complaint must be submitted in accordance with the procedures and principles established by the Authority. The Authority may review the complaint and take the necessary administrative measures against the data controller, impose administrative fines, or instruct the data controller. The Authority’s decisions during this process are binding.
Judicial Procedure
After filing a complaint with the Personal Data Protection Authority, or if the complaint is not resolved satisfactorily, the data subject also has the right to take legal action. A lawsuit may be filed under general provisions to seek compensation for damages incurred due to the data controller’s actions. Such cases are generally heard in civil courts of first instance. Furthermore, if the unlawful processing of personal data continues or the data is not deleted, legal action is also available to stop the processing.
KVKK Consultancy and Legal Support in Antalya
The process of requesting the deletion of personal data can be a complex one, involving both legal and technical details for both data owners and controllers. Proper management of this process is crucial, especially for businesses and individuals operating in a dynamic city like Antalya, to avoid potential legal disputes and ensure full compliance with legal obligations.
Support from a legal expert ensures that the data owner prepares their request accurately and completely, and that the data controller responds to requests in accordance with the KVKK (Personal Data Protection Law). Legal advice is essential for effectively managing complaints and legal proceedings under the KVKK, particularly in cases where a request is rejected or not responded to promptly. Consulting with a law firm specializing in KVKK in Antalya will greatly facilitate both preventing loss of rights and managing legal processes effectively.
The protection of personal data safeguards individuals’ right to privacy and fundamental freedoms. Effectively exercising and protecting these rights is a necessity of the information age. The process of requesting the deletion of personal data is also a crucial component of this protection and, when managed correctly, strengthens individuals’ control over their digital presence. For any legal issues that may arise during this process, working with an expert legal professional is the best approach to protecting rights and fulfilling legal obligations.

