05 Dec, 2020

Pseudonymization in Terms of KVKK and GDPR

We would like to inform you about the process referred to in English as “pseudonymization”, its legal nature, and its place within the scope of the Personal Data Protection Law No. 6698 (“Law”) and the European General Data Protection Regulation (“GDPR”).

First of all, we would like to point out that pseudonymization is not an anonymization process or a different form of anonymization.

Anonymization of personal data means that personal data cannot be associated with an identified or identifiable natural person under any circumstances, even if it is matched with other data. For personal data to be considered anonymized, it must be rendered impossible to associate with an identified or identifiable natural person, even through the use of techniques appropriate to the recording medium and the relevant field of activity, such as reversal of the data by the data controller or recipient groups and/or matching the data with other data.

Pseudonymization, on the other hand, is not defined under the Law, but is defined as follows under the GDPR.

  • “Pseudonymization is a form of processing of personal data in which this personal data can no longer be associated with a particular data subject without additional information. To the extent that the data in question is not associated with an identified or identifiable natural person, this additional information should be kept separate and subject to technical and administrative measures.” (Article 4: Definitions, paragraph 5)

In other words, within the scope of the pseudonymization process;

  • There must be Additional Information (a key or re-identifier) that is kept separately and subject to technical and administrative measures,
  • Without this Additional Information, the pseudonymized personal data should no longer be associable with any person.

In the GDPR, the importance of pseudonymization has been emphasized by stating that “application of pseudonymization to personal data can reduce the risk for the relevant data subjects and help data controllers and data processors to fulfill their obligations”, but it is also stated that pseudonymization should not be understood as excluding other measures.

Indeed, from the point of view of data controllers, it is obligatory that data be transferred to data processors in accordance with the Law and that data processors act in compliance with the Law while processing this data. If the key information that enables the data to be re-identified is held by the data controller and kept confidential, subject to technical and administrative measures, the data controller will have less concern about the data transferred to the data processor. For data processors, it will be possible to process the data while taking lighter and less costly technical and administrative measures, thus protecting the confidentiality of the data and reducing the transaction cost.

It is also a fact that pseudonymization cannot be used in all kinds of data processing activities. For example, pseudonymizing the customer contact data that the data controller transfers to a call center in order to communicate with customers will not be possible, since it would be contrary to the purpose of the processing. However, in cases where it is not necessary or even desired to reach the person directly, such as analysis and development, it will be a great advantage to duly pseudonymize the data to be transferred.

At this point, we would like to remind you that pseudonymization alone will not provide protection. Pseudonymization and anonymization differ greatly in this respect as well. While duly anonymized data is no longer personal data, pseudonymized data is still personal data and can be re-identified. For example, data to be transferred abroad will not be evaluated outside the scope of the Law just because it is subject to pseudonymization; 1) obtaining the explicit consent of individuals or 2) obtaining permission from the Personal Data Protection Board (“Board”) within the scope of Article 9 of the Law, and other obligations, will still have to be met. In addition to our example, we would like to point out that pseudonymization will have a positive effect as an additional precaution in the granting of the Board's permission.

An important requirement is that the pseudonymization key information must not itself be structured as a specific rule that is easy to discover. For example, applying a generic Caesar cipher to a data set would not, on its own, constitute pseudonymization. It is essential to use a complex key that cannot be worked out.
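An added illustration of the key requirement above (not part of the original article): a fixed-rule Caesar shift is recovered from a single known identifier, whereas an HMAC-SHA256 pseudonym depends on a random key that the data controller keeps apart from the shared data set. The record fields, function names and the choice of HMAC-SHA256 are assumptions made for this example.

```python
import hashlib
import hmac
import secrets
import string

# Constructed sample records (not real data); field names are assumptions.
RECORDS = [
    {"customer_id": "A1001", "city": "Izmir", "basket_total": 240},
    {"customer_id": "A1002", "city": "Ankara", "basket_total": 75},
    {"customer_id": "A1001", "city": "Izmir", "basket_total": 310},
]

def caesar(text, shift):
    """Rule-based 'pseudonym': rotate letters and digits by a fixed shift."""
    out = []
    for ch in text:
        if ch in string.ascii_uppercase:
            out.append(chr((ord(ch) - 65 + shift) % 26 + 65))
        elif ch in string.digits:
            out.append(chr((ord(ch) - 48 + shift) % 10 + 48))
        else:
            out.append(ch)
    return "".join(out)

def shifts_matching(pseudonym, known_id):
    """The whole rule space is 26 shifts, so one known pair reveals the rule."""
    return [s for s in range(26) if caesar(known_id, s) == pseudonym]

def keyed_pseudonym(value, key):
    """HMAC-SHA256 pseudonym: stable per value, not derivable without the key."""
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()[:32]

def pseudonymize(records, key):
    """Return (data set for the processor, re-identification table for the controller)."""
    shared, lookup = [], {}
    for rec in records:
        p = keyed_pseudonym(rec["customer_id"], key)
        lookup[p] = rec["customer_id"]        # the separately kept additional information
        shared.append({**rec, "customer_id": p})
    return shared, lookup

CONTROLLER_KEY = secrets.token_bytes(32)      # random key, never sent with the data
SHARED, LOOKUP = pseudonymize(RECORDS, CONTROLLER_KEY)

if __name__ == "__main__":
    print("Caesar rule recovered:", shifts_matching(caesar("A1001", 3), "A1001"))
    print("Shared with processor:", SHARED)
    print("Kept by controller:  ", LOOKUP)
```

The same customer still maps to the same pseudonym, so the processor can analyse the data, while re-identification needs either the key or the lookup table, both of which stay with the controller.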

Again, pseudonymization should not be confused with encryption. While encryption limits access to data, pseudonymization limits the association of accessed data with a natural person.

