Compare with different regulatory event:
On 7 October 2016, the Personal Data Protection Act, including data protection measures, was implemented. The measures outlined in the Act entered into force 6 months after its publication in the official Gazette. In particular, the Act requires entities to collect and process data based on legitimate purposes and obtain user consent for collecting personal data. Furthermore, the Act outlines restrictions in regard to the collection and processing of sensitive personal data, such as race, ethnic origin, political opinion, religion or health. Finally, the entities must delete or anonymise it after the purpose for storage expired or they receive a request from the data subject.
Original source