KVKK principle: "It is stored for the period related to the purpose." Expired data must be destroyed.
Factors Determining Storage Periods
- Contract period + statute of limitations
- Tax legislation (10 years)
- Labor law (5 years)
- Health (20 years - generally)
- Banking (10 years) year)
- Social media/game: according to purpose
Destruction Methods
- Deletion: Removing from data, also from backups
- Destruction: Destroying physical media (paper, disk)
- Anonymization: De-identification
Destruction Policy
- Retention period for each data category
- Reasons for destruction
- Destruction methods
- Destruction personnel
- Periodic control (every 6 months)
Destruction Logs
- Which data
- When was it destroyed
- By what method
- By whom
- Logs Stored for 3 years
Violation Scenarios
- Storage of expired data
- No destruction policy
- Data not deleted from backups
- Paper document thrown away (not destroyed)
KVKK Board Decision
KVKK Board imposes heavy fines on companies that violate the "data minimization" principle imposes fines and directly supervises companies that store old customer data unnecessarily.
Practical Recommendations
- Determine retention period with data inventory
- Establish an automatic destruction system
- Train employees on the destruction policy
KVKK expert lawyer is recommended.