Personal Data Retention and Deletion Rules Under KVKK

Introduction

Personal data retention and deletion rules under KVKK are among the most important compliance obligations for companies operating in Turkey. Businesses often focus on obtaining consent, preparing privacy notices, registering with VERBIS, or managing data breaches, but they frequently overlook a critical question: How long may personal data be stored, and when must it be erased, destroyed, or anonymized?

Under Turkish Personal Data Protection Law, personal data cannot be retained indefinitely. Even if personal data was originally collected and processed lawfully, the data controller must delete, destroy, or anonymize it when the legal or operational reason for processing no longer exists. This rule is not only a technical IT requirement. It is a legal obligation affecting HR records, customer databases, e-commerce accounts, patient files, CCTV recordings, call center records, marketing lists, cookie logs, employee files, contract archives, payment records, litigation documents, and cloud systems.

Turkey’s main personal data protection legislation is Law No. 6698 on the Protection of Personal Data, commonly known as KVKK. The law defines personal data broadly as any information relating to an identified or identifiable natural person and defines processing broadly to include collection, recording, storage, preservation, alteration, disclosure, transfer, retrieval, categorization, and prevention of use. Therefore, retaining personal data is itself a form of processing under KVKK.

For this reason, every business subject to KVKK should have a clear personal data retention and deletion strategy. This strategy should identify what personal data is stored, why it is stored, how long it is stored, where it is stored, who can access it, whether it is transferred to third parties or abroad, and how it will be erased, destroyed, or anonymized when retention is no longer justified.

The Legal Basis of Retention and Deletion Under KVKK

The starting point is Article 4 of KVKK. Personal data must be processed for specified, explicit, and legitimate purposes; must be relevant, limited, and proportionate to those purposes; and must be stored only for the period laid down by relevant legislation or the period required for the purpose of processing. This storage limitation principle means that a data controller cannot keep personal data merely because it may be useful in the future.

Article 7 of KVKK directly regulates erasure, destruction, and anonymization. It provides that personal data must be erased, destroyed, or anonymized by the data controller, either ex officio or upon the request of the data subject, when the reasons requiring processing no longer exist, even if the data was processed lawfully in the first place.

This is a fundamental point. KVKK does not say that personal data must be deleted only if it was unlawfully collected. Lawfully collected data must also be disposed of when the processing purpose ends. For example, a company may lawfully process a job applicant’s CV during recruitment, but it should not keep unsuccessful candidate records indefinitely. An e-commerce company may lawfully process delivery information for order fulfillment, but it should not retain unnecessary delivery records forever after legal retention periods expire. A hospital may need to retain medical records for legal and medical reasons, but marketing copies of patient photos cannot be kept without a continuing lawful basis.

What Is Personal Data Retention?

Personal data retention means storing personal data for a certain period after it has been collected or generated. Retention may occur in many environments, including physical files, digital databases, email inboxes, cloud storage, backup systems, CRM platforms, HR software, accounting systems, call center systems, CCTV storage devices, mobile applications, log files, archives, and third-party vendor systems.

Retention is not automatically unlawful. Many businesses have legitimate reasons to retain data. Tax laws may require accounting records to be stored. Labor law may require personnel files and payroll records to be maintained. Consumer law may require complaint and transaction records. Healthcare rules may require patient records to be retained. Limitation periods may justify keeping contracts, invoices, correspondence, and evidence for possible disputes.

However, retention must always be linked to a lawful purpose. Once the purpose ends and no legal obligation or legitimate necessity remains, personal data must be erased, destroyed, or anonymized.

Erasure, Destruction, and Anonymization: Key Differences

KVKK and the By-Law on Erasure, Destruction or Anonymization of Personal Data distinguish between three disposal methods: erasure, destruction, and anonymization. These terms are not interchangeable.

Erasure means rendering personal data inaccessible and non-reusable for the relevant users in any way. In practice, this may include removing access rights, deleting records from active systems, or ensuring that authorized users can no longer access or reuse the data.

Destruction means rendering personal data inaccessible, irretrievable, and non-reusable by anyone. This is a stronger form of disposal. It may involve secure deletion of digital files, physical shredding of paper records, destruction of storage media, or irreversible deletion from systems.

Anonymization means rendering personal data impossible to link with an identified or identifiable natural person, even by matching it with other data. True anonymization is not simply removing names. If a person can still be identified through combinations of data, rare characteristics, location, timestamps, or other identifiers, the data may still be personal data.

The Turkish Personal Data Protection Authority’s guide explains methods for erasure, destruction, and anonymization according to the environment where personal data is processed and stored, and also addresses anonymization methods and de-anonymization risks.

When Must Personal Data Be Deleted?

Personal data must be deleted, destroyed, or anonymized when all processing conditions under Article 5 or Article 6 no longer exist. Article 5 includes legal bases for ordinary personal data, such as explicit consent, legal obligation, contract performance, establishment or protection of a right, and legitimate interest. Article 6 regulates special categories of personal data, including health data, biometric data, genetic data, criminal conviction data, union membership data, and similar sensitive data.

In practical terms, deletion may be required when:

The contract has ended and no legal retention period remains.

The data subject has withdrawn consent and no other legal basis exists.

The statutory retention period has expired.

The dispute or limitation period has ended.

The data is no longer necessary for the original purpose.

The company has stopped using the relevant system, service, or campaign.

The employee, customer, patient, member, or user relationship has ended and no lawful retention reason remains.

The data subject has requested deletion and the controller has no continuing legal basis to retain the data.

This requires case-by-case analysis. A data subject’s deletion request does not automatically require deletion of every record. If the company is legally required to keep invoices, payroll records, medical records, or litigation evidence, it may refuse deletion for those specific records with legal justification. However, the company should not use legal retention duties as an excuse to keep unrelated marketing data, inactive account profiles, unnecessary copies, or obsolete internal notes.

Personal Data Storage and Disposal Policy

The By-Law requires data controllers who are obliged to register with the Data Controllers’ Registry to issue a personal data storage and disposal policy in accordance with their personal data processing inventory. However, the By-Law also clarifies that issuing such a policy does not automatically mean that storage and disposal practices comply with the law; and data controllers that are not obliged to issue such a policy still remain subject to storage, erasure, destruction, and anonymization obligations.

A personal data storage and disposal policy should not be a generic document. It should be based on the controller’s actual data inventory and business processes. The By-Law states that the policy must include, among other things, the purpose of the policy, recording media, definitions, legal, technical, or other reasons requiring storage and disposal, technical and organizational measures for secure storage and lawful disposal, titles and units responsible for storage and disposal processes, a table showing storage and disposal periods, the periodic disposal interval, and any policy amendments.

For example, an employer’s policy should address candidate records, employee files, payroll data, health reports, disciplinary files, CCTV footage, access logs, and former employee data. An e-commerce company’s policy should cover customer accounts, order records, invoices, delivery information, marketing permissions, cookie consent logs, support tickets, call recordings, and abandoned cart data. A hospital’s policy should separately address patient records, appointment logs, laboratory results, imaging records, consent forms, billing records, and medical tourism files.

Relationship Between VERBIS and Retention Periods

VERBIS registration and data retention are closely connected. The By-Law on Data Controllers Registry defines a personal data processing inventory as including, among other things, data categories, recipient groups, foreign transfers, security measures, and the maximum storage period required for the processing purpose. It also states that the maximum storage period entered into and published in the Registry forms the basis for erasure, destruction, and anonymization obligations under Article 7.

This means that a company should not enter arbitrary retention periods into VERBIS. VERBIS, privacy notices, data inventory, storage and disposal policy, and actual IT practices should be consistent. If VERBIS states that customer records are retained for a certain period, but the company’s CRM stores them indefinitely, this inconsistency may create compliance risk.

A proper retention framework should begin with a data inventory. The company should identify each data category, each processing purpose, each legal basis, and each relevant retention period. Only after that should it prepare VERBIS entries, privacy notices, internal policies, vendor contracts, and deletion workflows.

Periodic Disposal Rules

The By-Law introduces the concept of periodic disposal, meaning erasure, destruction, or anonymization carried out periodically ex officio when all processing conditions no longer exist. A data controller that has issued a storage and disposal policy must erase, destroy, or anonymize personal data in the first periodic disposal process following the date when the disposal obligation arises. The periodic disposal interval must be defined in the policy and cannot exceed six months.

For data controllers not obliged to issue a storage and disposal policy, the By-Law provides that personal data must be erased, destroyed, or anonymized within three months following the date when the disposal obligation arises. The Board may shorten these periods in cases involving irreparable or impossible damage or explicit infringement of the law.

In practice, companies should create a periodic deletion calendar. For example, a company may perform disposal reviews every three or six months. During each review, responsible departments should identify records whose retention periods have expired, check whether legal holds or disputes exist, and then erase, destroy, or anonymize the data using approved methods.

Data Subject Requests for Deletion

Data subjects have the right to request erasure or destruction of their personal data under the conditions referred to in Article 7. They also have the right to request that correction or deletion operations be notified to third parties to whom the data has been transferred.

When a data subject requests erasure or destruction, the data controller must evaluate whether all processing conditions have ceased. If the conditions no longer exist, the controller must erase, destroy, or anonymize the personal data subject to the request, act on the request within thirty days at the latest, and inform the data subject. If the relevant data has been transferred to third parties, the controller must notify those third parties and ensure that necessary operations are carried out within the scope of the By-Law.

This is important for customer service, HR, healthcare, e-commerce, SaaS, and digital platform operations. A request such as “delete my account,” “remove my phone number,” “delete my CV,” “erase my old membership,” or “destroy my records” may trigger KVKK obligations. Employees handling such requests should know how to escalate them.

Data Security and Deletion

Deletion is also a data security issue. KVKK Article 12 requires data controllers to take all necessary technical and organizational measures to prevent unlawful processing, prevent unlawful access, and ensure protection of personal data. If a data processor acts on behalf of the controller, the controller is jointly responsible with the processor for these measures.

The By-Law also requires all erasure, destruction, and anonymization operations to be carried out in accordance with Article 4 principles, Article 12 security obligations, relevant legislation, Board decisions, and the storage and disposal policy. All disposal operations must be recorded, and those records must be stored for at least three years, without prejudice to other legal obligations that may require longer storage.

This means that deletion must be controlled and provable. A company should be able to show what data was deleted, when it was deleted, who authorized the deletion, which method was used, and whether third parties were notified. Without records, the company may struggle to prove compliance during a Board investigation or data subject complaint.
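The periodic disposal timing rules above (first periodic run after the obligation arises, interval no longer than six months, or three months for controllers without a policy) and the disposal-record requirement can be encoded as a small review routine. The following is an added example, not code from the article or from any KVKK tool; the record fields, sample records, retention end dates, and run dates are constructed placeholders, not statutory periods.

```python
import calendar
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional

PERIODIC_MAX_MONTHS = 6    # periodic disposal interval may not exceed six months
NO_POLICY_MONTHS = 3       # controllers without a policy: within three months
DISPOSAL_LOG_YEARS = 3     # disposal records must be kept for at least three years


def add_months(d: date, months: int) -> date:
    """Calendar-month arithmetic without third-party libraries (day is clamped)."""
    idx = d.month - 1 + months
    year, month = d.year + idx // 12, idx % 12 + 1
    return date(year, month, min(d.day, calendar.monthrange(year, month)[1]))


@dataclass
class Record:                          # hypothetical inventory entry
    record_id: str
    category: str
    retention_end: date                # date on which the retention period expires
    legal_hold: bool = False           # dispute or statutory hold still in force
    transferred_to: List[str] = field(default_factory=list)  # recipients to notify


@dataclass
class DisposalEntry:                   # the provable disposal record
    record_id: str
    method: str                        # erasure, destruction or anonymization
    disposed_on: date
    authorized_by: str
    third_parties_notified: List[str]
    keep_until: date                   # the log entry itself survives at least this long


def validate_periodic_runs(runs: List[date]) -> bool:
    """Every gap between consecutive scheduled runs must be six months or less."""
    runs = sorted(runs)
    return all(nxt <= add_months(prev, PERIODIC_MAX_MONTHS)
               for prev, nxt in zip(runs, runs[1:]))


def disposal_deadline(obligation_date: date, runs: Optional[List[date]]) -> date:
    """Latest lawful disposal date once processing conditions end on obligation_date.
    With a policy: the first periodic run on or after that date (assumption: a run
    on the same day counts). Without a policy: three months after that date."""
    if runs is None:
        return add_months(obligation_date, NO_POLICY_MONTHS)
    if not validate_periodic_runs(runs):
        raise ValueError("periodic disposal interval exceeds six months")
    later = [r for r in sorted(runs) if r >= obligation_date]
    if not later:
        raise ValueError("no periodic run scheduled after the obligation date")
    return later[0]


def review(records: List[Record], today: date, runs: Optional[List[date]]) -> dict:
    """Classify each record at a review: retain, hold, or dispose (with its deadline)."""
    result = {}
    for rec in records:
        if rec.retention_end > today:
            result[rec.record_id] = ("retain", None)
        elif rec.legal_hold:
            result[rec.record_id] = ("hold", None)   # expired, but a hold blocks disposal
        else:
            result[rec.record_id] = ("dispose", disposal_deadline(rec.retention_end, runs))
    return result


def log_disposal(rec: Record, method: str, authorized_by: str, disposed_on: date) -> DisposalEntry:
    """Write the what/when/who/how/whom-notified record a Board investigation would ask for."""
    if method not in ("erasure", "destruction", "anonymization"):
        raise ValueError("unknown disposal method")
    return DisposalEntry(rec.record_id, method, disposed_on, authorized_by,
                         list(rec.transferred_to),
                         add_months(disposed_on, 12 * DISPOSAL_LOG_YEARS))


# Constructed sample data: a six-month calendar and four hypothetical records.
SAMPLE_RUNS = [date(2025, 1, 15), date(2025, 7, 15), date(2026, 1, 15)]
REVIEW_DATE = date(2025, 5, 1)
SAMPLE_RECORDS = [
    Record("cv-001", "unsuccessful candidate CV", date(2025, 3, 1)),
    Record("inv-001", "invoice", date(2030, 1, 1)),
    Record("call-001", "call recording", date(2025, 2, 1), legal_hold=True),
    Record("lead-001", "marketing lead", date(2025, 4, 10), transferred_to=["agency-x"]),
]

if __name__ == "__main__":
    for rid, (action, deadline) in review(SAMPLE_RECORDS, REVIEW_DATE, SAMPLE_RUNS).items():
        print(rid, action, deadline)
```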

Retention Periods by Business Area

Retention periods differ by sector, data type, and purpose. There is no single universal KVKK retention period for all personal data. The correct period depends on the relevant legislation and the processing purpose.

For HR data, employers may need to retain employment contracts, payroll records, social security documents, tax records, leave records, occupational health and safety documents, and termination records for legally required periods and possible labor disputes. However, unsuccessful candidate CVs, interview notes, and recruitment test results should not be kept indefinitely.

For customer data, companies may retain order records, invoices, payment records, delivery records, complaint files, and warranty-related documents where required by law or contractual necessity. However, inactive marketing profiles, outdated lead lists, abandoned cart data, and unnecessary customer segmentation records should be deleted or anonymized when no longer justified.

For healthcare data, providers may need to retain patient records under healthcare legislation and medical liability considerations. However, patient photos used for marketing, medical tourism promotional content, or optional commercial communications require separate legal analysis and cannot be retained without a continuing lawful basis.

For CCTV recordings, retention should generally be short and purpose-based unless an incident, legal claim, or security investigation requires longer storage. Long-term retention of routine camera footage without necessity may violate proportionality.

For call center recordings, retention should depend on the purpose of recording, legal requirements, complaint periods, contractual disputes, and customer service needs. Recordings should not be kept indefinitely merely for convenience.

Backups, Archives, and Cloud Systems

Many companies fail to consider backups when designing deletion procedures. Personal data may be deleted from the active CRM system but remain in backups, archived email systems, cloud storage, analytics dashboards, test environments, or vendor platforms.

A strong retention policy should address active systems and backup systems separately. In some cases, immediate deletion from backups may not be technically feasible, but backup retention periods should be limited, access should be restricted, restoration should be controlled, and data deleted from active systems should not be reintroduced from backups unless legally necessary.

Cloud service providers and SaaS vendors should also be reviewed. If a company uses third-party processors, vendor contracts should include deletion, return, destruction, backup deletion, breach notification, confidentiality, and audit clauses. A controller cannot fully comply with deletion obligations if its vendors keep uncontrolled copies.

Anonymization as an Alternative to Deletion

Anonymization may be useful where the company no longer needs identifiable personal data but wants to retain statistical, analytical, historical, or research value. For example, an e-commerce company may anonymize old purchase data to analyze general sales trends. A hospital may use anonymized datasets for research or quality improvement. A SaaS provider may anonymize usage statistics for product development.

However, anonymization must be genuine. If the company can re-identify individuals by matching anonymized data with other datasets, the data is not truly anonymized. The By-Law requires anonymization to make personal data impossible to associate with an identified or identifiable person, even through recovery or matching with other data.

Companies should distinguish anonymization from pseudonymization. Pseudonymized data may still be personal data if re-identification is possible. Therefore, pseudonymization is a security and risk-reduction measure, but it is not always a disposal method equivalent to anonymization.

Common Mistakes in Data Retention and Deletion

One common mistake is keeping all data indefinitely. Many businesses store customer, employee, candidate, visitor, and marketing data permanently because storage is cheap and deletion requires effort. This approach conflicts with the storage limitation principle.

A second mistake is preparing a storage and disposal policy that does not match actual practice. A policy stating that records are deleted every six months is useless if IT systems, HR files, cloud backups, and CRM platforms do not follow that rule.

A third mistake is deleting data too early. Retention is not only about deletion; it is also about preserving data lawfully when required. Companies must avoid destroying invoices, employment records, contracts, medical files, or dispute evidence before legal retention periods or limitation periods expire.

A fourth mistake is failing to notify third parties after a valid deletion request. If data was transferred to vendors, processors, group companies, or business partners, those parties may also need to take action.

A fifth mistake is failing to record disposal operations. KVKK practice requires disposal operations to be documented and retained for at least three years unless other legal obligations require longer storage.

A sixth mistake is ignoring special categories of personal data. Health data, biometric data, criminal record data, and genetic data require stricter safeguards and should not be retained longer than necessary.

Practical KVKK Retention and Deletion Checklist

A business subject to KVKK should follow a structured retention and deletion program:

  1. Prepare a personal data processing inventory.
  2. Identify all data categories and data subject groups.
  3. Determine the legal basis for each processing activity.
  4. Identify statutory retention periods under relevant legislation.
  5. Determine operational and legal retention needs.
  6. Define maximum retention periods for each data category.
  7. Prepare a personal data storage and disposal policy if required.
  8. Ensure VERBIS entries match the inventory and retention policy.
  9. Create a periodic disposal calendar.
  10. Assign responsible departments and personnel.
  11. Define erasure, destruction, and anonymization methods.
  12. Implement secure deletion tools and access controls.
  13. Address backups, archives, cloud systems, and test environments.
  14. Include deletion obligations in vendor contracts.
  15. Establish a procedure for data subject deletion requests.
  16. Notify third parties where required.
  17. Keep disposal operation records for at least three years.
  18. Review special category data separately.
  19. Train HR, IT, legal, marketing, customer service, and operations teams.
  20. Audit retention and deletion practices periodically.

Sector-Specific Examples

An e-commerce company should define retention periods for customer accounts, orders, invoices, delivery records, return requests, customer support tickets, call recordings, marketing permissions, cookie consent logs, and inactive accounts. It should distinguish between legally required invoice retention and optional marketing data.

An employer should define retention periods for candidate CVs, employment contracts, payroll records, social security documents, health reports, disciplinary records, workplace accident files, CCTV footage, access logs, and former employee records.

A healthcare provider should define retention periods for patient records, appointment logs, test results, imaging records, medical consent forms, billing documents, patient complaints, and medical tourism files, while applying stricter safeguards to health data.

A SaaS provider should define retention periods for account data, customer-uploaded data, logs, support tickets, user analytics, backups, API logs, and deleted accounts. It should also specify how customer data will be returned or deleted after contract termination.

A marketing agency should define retention periods for lead databases, campaign lists, analytics reports, consent records, customer segmentation data, social media advertising audiences, and campaign performance data.

Legal Consequences of Non-Compliance

Failure to comply with retention and deletion obligations may lead to complaints before the Personal Data Protection Board, administrative sanctions, orders to remedy violations, civil compensation claims, reputational harm, contractual disputes, and data breach exposure. Retaining unnecessary data also increases the impact of a cyberattack: the more obsolete data a company stores, the more data may be exposed in a breach.

Data retention and deletion practices are also connected to other KVKK duties. Privacy notices must accurately explain processing purposes and retention logic. VERBIS entries must reflect maximum storage periods. Data security measures must protect retained data. Data subject request procedures must handle deletion requests. Vendor contracts must ensure processors delete or return data when required.

Conclusion

Personal data retention and deletion rules under KVKK are essential for lawful data governance in Turkey. A business may collect and process personal data lawfully, but that does not mean it may store the data forever. KVKK Article 4 requires personal data to be stored only for the period required by law or by the processing purpose, and Article 7 requires personal data to be erased, destroyed, or anonymized when the reasons requiring processing no longer exist.

A strong retention and deletion program should be based on a real data inventory, lawful processing purposes, statutory retention periods, VERBIS consistency, storage and disposal policies, periodic disposal, secure deletion methods, vendor controls, and documented disposal records. Companies should also be prepared to respond to data subject deletion requests within the legal time limits.

In practice, data retention is a balance. Deleting data too early may create legal, tax, employment, medical, or evidentiary problems. Keeping data too long may violate KVKK, increase breach exposure, and damage trust. The correct approach is to define clear retention periods, apply them consistently, and document every disposal process.

For companies operating in Turkey, personal data retention and deletion should not be treated as an afterthought. It is a core part of KVKK compliance, cybersecurity, corporate governance, and risk management. A business that controls its data lifecycle properly protects both individuals’ privacy rights and its own legal position.
