Guidelines on Personal Data Protection in the Banking Sector Published by the Turkish Personal Data Protection Authority
Introduction
Banks process large volumes of personal data in their daily operations. In order to deal with this sensitive information, the Turkish Personal Data Protection Authority (“Authority”), in cooperation with the Banks Association of Turkey, published Good Practice Guidelines on Personal Data Protection in the Banking Sector (“Guidelines”) on 5th August 2022. This Newsletter aims to provide a general framework for the Guidelines.
Data Controller and Data Processor
The Guidelines state that banks are data controllers in their activities within the scope of Article 4 (Fields of activity) under Banking Law No. 5411 (“Banking Law”). However, the Guidelines state that the characteristics of a particular case should be considered to determine whether a bank qualifies as a data controller or data processor for operations they conduct as an agency and intermediary organization regarding insurance, private pensions, investment instruments, international fast money transfers and payment for invoices, taxes and fees.[1] For instance, they state that a separate assessment is necessary for services that banks provide to their subsidiaries. A bank located in Turkiye will be considered as a data processor in terms of the service it provides to its subsidiary abroad for signing of a loan agreement.[2] Another example is insurance activities by banks in their capacity as agents. For instance, if a bank does not decide which personal data will be processed for which purposes and by which means, and if the responsibility for the establishment and management of the data recording system is on the insurance company, then the bank will be considered as a data processor.[3]
Moreover, the Guidelines draw attention to joint data controllers and data processing agreements. They indicate that provisions related to data processing can be included in the service agreements or in a separate arrangement. They also list the items to be included in these agreements, and recommend that they be in writing.[4]
Legal Grounds for Data Processing
The Guidelines first refer to the legal grounds for data processing under Article 5 of Law on Personal Data Protection No. 6698 (“LPDP”). They suggest that prior to processing any data, banks should first determine whether at least one of the legal grounds other than explicit consent is present. Since banking operations are extensively regulated, the Guidelines indicate that banks generally rely on a legal ground for data processing[5] and provide clarifications and examples for each one.[6]
Explicit Consent
The first of these grounds is explicit consent. Referring to Article 3 of the LPDP, the Guidelines define this concept as “freely given, specific and informed consent,” and emphasize that explicit consent is not subject to a form requirement. Since the burden of proof that explicit consent has been obtained is on the bank, the Guidelines include examples of instruments which are acceptable evidence that consent has been given. Participation in internet and mobile banking, where the identity of data subjects can be identified by password and the transactions performed can be recorded, is considered to be acceptable.[7] Additionally, the attitudes and behaviors of the parties over time may also indicate the existence of explicit consent. Pursuant to Law on Persons with Disabilities No. 5378 and the Regulation on Accessibility of Banking Services, banks are obliged to record information and documents regarding disability status. In this context, it can be inferred that data subjects submitting the necessary documentation to the bank and demonstrating their intention to benefit from accessibility opportunities in accordance with the legislation have explicitly consented. The Guidelines also emphasize that explicit consent should be expressed by free will and that explicit consent shall not be a prerequisite for accessing a product or service. Finally, the Guidelines explain that explicit consent can be obtained through bank branches, ATMs, mobile banking, call centers, SMS or e-mail.
Being Prescribed by Law and Fulfillment of Legal Obligations
Pursuant to Article 5 of the LPDP, banks can be exempted from obtaining the explicit consent of data subjects by either primary or secondary legislation. Banks are also not required to obtain explicit consent in cases where data processing is necessary for the banks to fulfill their legal obligations. For example, in order to manage financial risks, banks conduct risk analysis for persons to whom they give loans and for other persons in the same risk group, and in order to do so, they may obtain the necessary information and documents. In order to conduct banking activities, personal data of persons that fall within the risk group may be processed without explicit consent, in accordance with the Banking Law and other relevant legislation.[8]
Processing of Personal Data of Contracting Parties
Banks may process data to provide service to customers or prospective customers, and explicit consent is not required to execute a contract. For example, for loan agreements, banks are not obliged to obtain explicit consent of data subjects for the data they process to notify the parties.[9]
Legitimate Interest
Examples of legitimate interests include fraud prevention/measures, customer segmentation, delivering appropriate and relevant services and products to customers, establishing customer satisfaction and developing strategies. Under certain circumstances, the economic and legal interests of banks may be considered legitimate interests and therefore, explicit consent may not be required for activities in pursuit of these interests.
Being a Necessity for the Establishment or Protection of a Right
Banks may process data in order to collect receivables or to authenticate identity in order to prevent unlawful access of third parties to customers’ personal data.[10]
Special Categories of Personal Data
The Guidelines provide examples of good practice for processing special categories of personal data. For instance, customers’ ID cards presented to banks may include special categories of personal data. Examples of good practice include using only the relevant page of an ID card without unnecessarily obtaining special categories of personal data, and blacking out sections containing special categories of personal data.[11]
Data Transfer
Transfer of Personal Data
Pursuant to Article 73 (Confidentiality) of the Banking Law, customer secrets cannot be transferred within Turkiye or abroad without the request or instruction of customers, regardless of the existence of explicit consent, except in cases exempt from the confidentiality obligation.[12] Pursuant to Article 8/3 of the LPDP, the provisions of other laws on transfers are reserved, and banks may transfer data in accordance with other laws, particularly the Banking Law. For example, pursuant to Articles 73 and 159 of the Banking Law, banks are obliged to disclose customer and bank secrets to the authorities authorized by law.[13] There is also an obligation to notify the Financial Crimes Investigation Board pursuant to the Law on Prevention of Laundering Proceeds of Crime No. 5549.[14] Furthermore, the Guidelines emphasize that transfers within the organization of a bank are not considered data transfers. However, a data transfer by a bank to another data controller company in the same group of companies is considered to be a data transfer to third parties.
Cross-Border Data Transfer
In terms of cross-border data transfers, the Guidelines refer to the conditions stipulated under Article 9 of the LPDP, and repeat that the provisions of other laws are reserved for cross-border transfers. Accordingly, the Guidelines state that the provisions of the Banking Law regarding the disclosure of customer secrets are special provisions compared to the LPDP.[15] Therefore, transfer of customer secrets abroad without the request or instruction of the customer is not possible, even if explicit consent in this regard has been obtained.
Obligations of Data Controllers
Obligation to Inform
Banks must fulfill their obligation to inform in all cases where they process data. The Guidelines address three fields of activity in which banks operate: (i) gaining customers and opening accounts, (ii) loans and (iii) transactions for investment. The information that banks provide must be specific to the data processing activity conducted.[16] The Guidelines recommend the layered information method (first presenting a short and straightforward text, which refers to more detailed explanations provided alongside it).[17] The obligation to inform may be performed through branches, websites, internet branches, mobile branches and mobile applications, call centers/IVR, physical mail, SMS and ATMs; in this context, the Guidelines also provide sample texts.[18]
In addition, the Guidelines address certain special circumstances regarding this obligation. For example, banks are not obliged to inform the natural person representatives of legal entities, based on the assumption that those representatives have already been informed by the legal entities they represent, for data processing activities limited to that purpose.[19] Another example concerns data subjects who apply for a loan and are in the risk group. The Guidelines explain that instead of making a separate disclosure to individuals for each transaction, a general disclosure which is easily accessible can be made.[20] The Guidelines also focus on agreements for salary payments, and state that it is the banks’ obligation to inform customers regarding banking activities after the acquisition of personal data through the collective opening of accounts.[21]
Registration in the Data Controllers Registry and Personal Data Processing Inventory
Banks, as data controllers, are obliged to register in the Data Controllers Registry (“Registry”) and to fulfill their notification obligations. This notification must be consistent with the personal data processing inventory, and the Guidelines list the data categories pertaining to banks that should be included in the inventories.[22]
Obligation to Delete, Destroy and Anonymize Personal Data
Pursuant to the Banking Law, banks are obliged to retain documents related to their transactions for 10 years.[23] The Guidelines state that the retention and destruction policy will be determined separately in accordance with the assessments to be made by each bank.[24]
Data Security
The obligations of banks as data controllers regarding data security within the scope of the LPDP and under the other legislation to which they are subject are mutually reinforcing. The Guidelines state that the legislation to which banks are subject and which regulates their supervisory obligations is in line with the supervisory obligations set out in the LPDP.[25]
Conclusion
The Guidelines explain the procedures and principles with which banks should comply within the scope of the LPDP and secondary legislation. Thus, the Guidelines aim to clarify the data processing activities of banks and to set examples of good practices. In addition, they emphasize that for investigations to be conducted ex officio in response to complaints to the Board and allegations of violations, separate assessments will be undertaken according to the characteristics of each particular case.
[1] Guidelines, p. 19.
[2] Guidelines, p. 25.
[3] Guidelines, p. 27.
[4] Guidelines, p. 21.
[5] Guidelines, p. 30.
[6] Guidelines, p. 31 et seq.
[7] Guidelines, p. 34.
[8] Guidelines, p. 42.
[9] Guidelines, p. 46.
[10] Guidelines, p. 57 et seq.
[11] Guidelines, p. 64.
[12] Guidelines, p. 74.
[13] Guidelines, p. 77.
[14] Guidelines, p. 80.
[15] Guidelines, p. 87.
[16] Guidelines, p. 94.
[17] Guidelines, p. 94.
[18] Guidelines, p. 102.
[19] Guidelines, p. 102.
[20] Guidelines, p. 103.
[21] Guidelines, p. 105.
[22] Guidelines, p. 108.
[23] Guidelines, p. 110.
[24] Guidelines, p. 111.
[25] Guidelines, p. 125.
All rights of this article are reserved. This article may not be used, reproduced, copied, published, distributed, or otherwise disseminated without quotation or Erdem & Erdem Law Firm's written consent. Any content created without citing the resource or Erdem & Erdem Law Firm’s written consent is regularly tracked, and legal action will be taken in case of violation.