The Personal Data Protection Authority (“Authority”) published Guide of Good Practices on Banking Sector Regarding Protection of Personal Data (“Guide”) at its official website on 5 August 2022. The aim of the guide is to determine the principles to be observed when processing personal data in the banking sector and to explain it with examples in practice.
II. CONTENT OF GUIDE
We can list the points in Guide that need attention as follows:
A. Data Controller-Data Processor Relationships: The definition of data controller and data processor is included in Guide and their differences are mentioned. According to Article 4 of Banking Law numbered 5411, banks are data controllers for their banking activities. However, it has been stated that the title of the banks in terms of activities such as insurance, individual pension in which banks are agents or intermediary institutions should be determined according to conditions of concrete case. It has been pointed out that the party decides why and how personal data is processed is the data controller. For example, the company that decides the purpose and method of processing the data of identity, communication and bank account information for salary payments is the data controller.
1) Data Processing Agreements: The data processing agreements to be made between the data controller and the data processor may be included in the provisions of the main contract or may be arranged in the form of an additional contract. The minimum elements that should be included in the contract are set out at the Guide. Subsequently, examples where banks are considered as data processors or data controllers are given.
2) Support Services: For example, in cases where a bank receives support services from courier or cargo company, a bank is the data controller in terms of data such as the information on credit card carried by the courier and the statement information about the card. The cargo company is also the data controller in terms of data such as name, surname, telephone, address which the cargo company obtains from the bank in order to make the delivery.
3) Subsidiaries and Allied Companies: The bank located in Turkey is a data processor if its subsidiary residing abroad provides services for obtaining the signatures of loan agreement.
4) Open Banking: In open banking services, there are 3 basic data processing activities in the form of (i) processing of the personal data of the real person customer by the bank for the purpose of providing banking services, (ii) processing of the personal data of the real person customer by the third party provider for the purpose of having real person customer benefit from the open banking products and services, and (iii) the transfer of certain categories of personal data of natural person customers to the third-party provider by the bank and simultaneously recording of these data by the third-party provider in its own data recording system. While the bank providing open banking services is data controller for all three processing activities, third party providers can be the data controller or the data processor.
5) Situations in which Banks Act as Agents: Banks are data processors in terms of insurance activities they carry out as agents.
B. Conditions of Personal Data Processing: Reference has been made to Article 5 of Personal Data Protection Law numbered 6698. Examples of each personal data processing condition are given:
1) Explicit Consent: Obtaining explicit consent is not subject to written form. It should be accepted that the real person who mentions the details of his/her disease by writing to the request and complaint section of the bank’s website has expressed his/her explicit consent for the processing of this information. However, the burden of proof lies with the bank responsible for the data in all cases. It is possible to obtain explicit consent through channels such as branches, ATMs, internet branches, call centers, mobile applications if it is convenient to be proved. Although the conditions of explicit consent do not differ in terms of banking practices, they are (i) related to a specific subject, (ii) disclosed voluntarily, and (iii) based on information. Customers who do not give their explicit consent about marketing during customer transactions and account opening procedures should also benefit from account opening services. In addition to it, in the event that personal data processing is based on the condition of explicit consent, the obligation to inform and obtain explicit consent must be performed separately.
2) Prescribed in Laws and Fulfillment of Legal Obligations: Personal data may be processed if there is a clear provision in any law regarding the processing of personal data or a clear provision has been made to the secondary legislation. There is no need to obtain explicit consent if there is a reason for compliance such as prescribed in law or fulfillment of legal obligations. For example, it is a legal obligation for banks to make risk assessments on the basis of risk group for loan applicants prior to credit transactions in accordance with Article 49 and the rest of Article 49 of Banking Law numbered 5411 and Regulation on Transactions of Bank Credits. In this context, all kinds of personal data of loan applicants entering risk assessment process may be processed without obtaining explicit consent for the stated purpose. However, keeping the shared information or document limited to requested data, and if this is not possible, sharing other personal data in the relevant document by deleting, masking, and anonymizing are shown as two examples of good practice in Guide.
3) Processing of Personal Data Belonging to the Parties of Contract: Processing personal data for processes such as receiving service requests from persons who are not yet customers within the scope of banking activities, evaluating the request and responding to the request does not require explicit consent since it is aimed at the establishment of the contractual relationship (Invitation to offer and offer) between the bank and customer.
4) Legitimate Interest: Transparent and accountable criterias such as benefit affecting a large number of people, not solely for the purpose of making profit or providing economic benefit, faciliating business processes or a functioning are taken as the basis while determining the legitimate interest. Banks must make assessment in terms of purpose, proportionality and necessity before banks. The legitimate interest must be present, specific and clear. In addition to it, it should not harm the fundamental rights, a balance test should be carried out to ensure that the interests are weighed, and personal data processing should be mandatory or necessary in order to achieve the purpose. For example;
(i) Processing the customer’s location, device information and money transfer information in order to detect unusual behaviour of customers and to perform anomaly analysis is considered within the scope of legitimate interest.
(ii) Data processing is also considered within the scope of legitimate interest if identifying customer groups that enable banks to make necessary organizational and financial evaluations and to make their predictions for future periods in order to continue their activities.
(iii) Processing personal data such as age, education level, where customers live, how much shopping is done in which sectors is considered within the framework of legitimate interest for the purpose of determining the products and services of banks that appeal to customers, limited to the framework of the relationship established with the customer, within the reasonable expectation of the customer and where it may be in the customer’s interest.
(iv) With the introduction of artificial intelligence, the customer data at the bank may be carried out for the purposes such as risk management, profitability reports, cost reduction without the aim of taking action on a customer basis. In this case, personal data processing activities are also considered within the scope of legitimate interest.
(v) Processing customer’s data such as details of product and channel usage, complaint history in order to continue systematic operation of the banks, detect, correct and take measures against the errors that may cause consequences against the customer can be considered in scope of legitimate interest.
5) Mandatory for the Establishment and Protection of a Right: In cases where banks need to contact credit borrower in order to keep their commercial interests safe and ensure their receivables are collected, using the telephone numbers obtained from official information sharing platforms such as Risk Center or the institutions licensed by Information and Communication Technologies Authority during the administrative and legal follow-up phase is shown as an example of being compulsory for the establishment and protection of a right. However, it is obligatory to operate the necessary authentication mechanisms and prevent data from being captured by third parties when communicating via numbers.
6) Processing of Private Personal Data: Examples of good practice in this regard are as follows:
(i) Images of identity document or driver’s license that banks receive from customers due to legal obligations include information such as religion, blood type, devices used and prostheses. In this case, only front side of the identity document should be used and technical and administrative measures should be taken to obscure or prevent the use of special data digits.
(ii) It is stated that health data can’t be processed on the basis of any lawful reason other than explicit consent with the exception of the cases stipulated in the laws.
(iii) It may be preferred not to collect information of criminal record, since it is not a situation expressly stipulated in the laws to request information of criminal record from employee candidates. If it is thought that it should definitely be collected, this information should be collected by obtaining explicit consent. In the criminal record required for the check ban assessment to be carried out, it is not necessary to obtain a separate consent for the reason that is clearly stipulated in the laws.
(iv) In banks with a workplace doctor, explicit consent is not required for the processing of health data for the purposes stipulated in Article 6 of Personal Data Protection Law numbered 6698. In banks that do not have a workplace doctor, explicit consent is required for the processing of health data. It is obligatory to make a set up that will prevent access to health data by persons other than workplace doctors.
(v) For the biometric data used by banks during remote customer acquisition, explicit consent must be obtained in accordance with Article 8 of the Regulation on Remote Identification Methods to be Used by Banks and the Establishment of a Contractual Relationship in the Electronic Environment. It has been stated that the general principles in Article 4 of Personal Data Protection Law numbered 6698 should be complied with even in cases where biometric data is not processed and explicit consent is obtained.
C. Transfer of Personal Data: It is handled under two headings as domestic transfer and international transfer:
1) Domestic Transfer: Domestic transfer of personal data pursuant to Article 8 of Personal Data Protection Law numbered 6698 can be carried out without the explicit consent of the concerned person (i) with one of the conditions stated in the second paragraph of Article 5, or (ii) with one of the conditions stated in the third of Article 6 provided that adequate precautions are taken. Pursuant to paragraph 3 of Article 73 of Banking Law numbered 5411, a request or instruction from the customer is required in addition to the explicit consent for the transfer of personal data which is a customer secret within the country. It is stated that data transfer between employees or units operating within the body of a bank with the title of data controller will not be considered as transferring personal data to third parties within the scope of Article 8 of Personal Data Protection Law, provided that the data transfer is linked and proportionate to the purpose for which they are processed. It is stated that data transfer between different banks within the same group of companies will be considered as transferring personal data to third parties within the scope of Article 8 of Personal Data Protection Law. The issue of domestic transfer of personal data is divided into two section as personal data transfers that can be made in accordance with the third paragraph of Article 8 of Personal Data Protection Law (Provisions in other laws) and personal data transfers to business partners. Personal data transfers that can be made in accordance with the provisions of other laws are as follows:
(i) Data Transfers to Competent Authorities which can Request Information from Banks: Banks may transfer personal data to the competent authorities without the need for explicit consent of concerned persons and within the limits of the laws based on authority of the request information arising from own founding laws and other laws of institutions and organizations which banks transfer information.
(ii) Data Transfers Performed within the Framework of Reporting Obligation of Suspicious Transaction: According to Article 4 of Law Regarding the Prevention of Laundering of Crime Revenues numbered 5549, since notifications of suspicious transactions are clearly under obligation stipulated in the law for banks, personal data may be transferred in this context.
(iii) Data Transfers to Main Partner/Subsidiaries: A bank in Turkey can meet the requests for information and documents containing personal data of main partner which meet the conditions in paragraph 4 of Article 73 of Banking Law, provided that nondisclosure agreement is made and it is limited to preparation studies of consolidated statements and internal audit practices of risk management. The main partner in question may be a financial institution or another undertaking.
(iv) Data Transfers to Prospective Buyers: Pursuant to paragraph 4 of Article 73 of Banking Law, within the framework of valuation studies to be carried out for the purpose of selling the assets of banks including credits or securities based on them, provided that nondisclosure agreement is made and the conditions specified in the agreement are limited, information and document requests by prospective buyers containing personal data can be met.
(v) Data Transfers to Banks and Financial Institutions: Pursuant to paragraph 4 of Article 73 of Banking Law, banks and financial institutions may exchange all kinds of information and documents including personal data transfer directly among themselves, provided that they make nondisclosure agreement and it is limited to the purposes specified in the agreement.
(vi) Data Transfers to Risk Center, Interbank Card Center and Credit Bureau: Pursuant to paragraph 4 of Article 73 of Banking Law, it is possible for banks to transfer personal data to the Risk Center, Interbank Card Center and Credit Bureau, provided that nondisclosure agreement is made and it is limited to the stated purposes.
(vii) Data Transfers to Subsidiaries: Pursuant to paragraph 4 of Article 73 of Banking Law, it is possible to transfer personal data within the scope of information and document sharing between banks and their subsidiaries which are financial institutions of banks.
(viii) Data Transfers to Organizations of Valuation, Rating and Support Service: Pursuant to paragraph 4 of Article 73 of Banking Law, learning the information that is a bank or customer secret is out of obligation to keep it as a secret during the meeting of information and document requests to be used in independent audit activities with the condition of making a nondisclosure agreement between banks and organizations of valuation, rating and support service and receiving services limited to stated purposes only. Therefore, it is possible to transfer personal data.
2) Transfer Abroad: It is stated that transfer of personal data abroad is possible with the explicit consent of the concerned person, as a rule, in accordance with the first paragraph of Article 9 of Personal Data Protection Law. Pursuant to the second paragraph of the same article, without seeking the explicit consent of the data subject, one of the conditions specified in the second paragraph of Article 5 of Personal Data Protection Law and the third paragraph of Article 6 of Personal Data Protection Law are fulfilled and (i) There is sufficient protection in the country where the personal data will be transferred, or (ii) It has been stated that personal data can be transferred abroad, provided that the data controllers in Turkey and in the relevant foreign country undertake adequate protection in writing and have the permission of the Board. Within the scope of transfer abroad, the following points should be considered:
(i) Explicit Consent: In case the explicit consent of the concerned person is obtained for the transfer of personal data abroad, the general principles listed in Article 4 of Personal Data Protection Law must also be complied with.
(ii) Countries with Sufficient Protection: Personal data can be transferred to the countries declared by the Board in accordance with the 3rd and 4th paragraphs of Article 9 of Personal Data Protection Law, in case of the existence of one of the conditions specified in the 2nd paragraph of Article 5 and the 3rd paragraph of Article 6 without explicit consent of the concerned person.
(iii) Commitment to Adequate Protection and Obtaining Permission from the Board: The Board has prepared 2 samples of undertakings to be used in transfers from the data controller to the data controller and from the data controller to the data processor and these samples have been published on the official website of the Authority. It has been stated that the principles in the announcement of the Authority published on 7th of May 2020 should be observed for the permission application to be made to the Board.
(iv) Binding Company Rules: These are data protection rules used in the transfer of personal data abroad for multinational group companies operating in countries where there is no adequate protection, and ensuring that an adequate protection is committed in writing. Companies falling under this scope must apply to the Authority by completing the relevant form and following the necessary instructions. In the applications to be made, the procedures and principles in the announcement text published by the Board on 10th of April 2022 are taken into consideration.
(v) Shares that can be Made in Accordance with the Provisions in Other Laws: It has been stated that if there is a special regulation regarding the transfer of personal data abroad in other laws, this regulation will constitute a special norm and will be applied with priority. The provisions of Banking Law are also applied with priority in terms of real person customer’s secrets.
D. Obligations of the Data Controller:
1) Obligation to Clarify: In all cases where personal data is processed by the data controller based on the reasons for compliance with the law stipulated in the law, it is necessary to inform concerned persons using appropriate channels and in a clear, understandable and plain language:
(i) Content in Fulfilling the Obligation to Clarify: It is stated that each bank can create its own clarification texts within the scope of personal data categories, data collection methods, processing purposes, legal justifications of processing and the parties to which personal data is transferred. The information to be given to the concerned person within the framework of obligation to clarify must be in accordance with the information disclosed in VERBIS. Banking activities included in Article 4 of Banking Law divided into 3 groups as customer acquisition/account opening, loan and investment transactions. Clarification texts should be prepared according to these groups and presented to the applicant who is the concerned person according to the purpose of incidence to the bank and in the form of dedicated to the activity.
(ii) Time in Fulfilling the Obligation to Clarify: As a rule, the obligation to clarify must be fulfilled by the data controller at the stage of obtaining personal data. However, if the personal data is not obtained from the concerned person, the obligation to clarify can also be fulfilled after the stage of obtaining personal data. In such cases, the obligation to clarify must be fulfilled; (i) within a reasonable time from obtaining the personal data, (ii) at the time of the first communication if the personal data is to be used for communication with the concerned person, (iii) at the time of the first transfer of personal data, at the latest, in case of personal data transfer.
(iii) Procedure for Fulfilling the Obligation to Clarify: Obligation to clarfiy for the banking sector can be fulfilled through (i) Branch, (ii) website, (iii) internet branch, (iv) mobile branch and mobile application, (v) call center/IVR, (vi) electronic mail, (vii) physical mail, (viii) SMS and (ix) ATM channels. Sample texts to be presented through these channels are included in Guide.
(iv) Special Circumstances in Fulfilling the Obligation to Clarify: Special cases can be listed as follows:
· Clarification of Signatories and Real Beneficiaries: The obligation to clarify belongs to the legal person who appoints the representative and there is no need for a separate clarification by the banks.
· Enlightening Risk Groups: With the Board's decision dated 26.07.2018 and numbered 2018/92, it has been stated that banks can provide clarification via the website.
· Processing of Personal Data Relating to Persons other than the Owner of the Asset and Personal Data of Persons other than the Last Clerk in Checks: It has been stated that the banks do not have any obligation to clarify these persons.
· Salary Payment Agreements: It has been stated that obligation to clarify in the transfer of personal data from relevant institution to the banks is with the institution holding the title of data controller. It has been declared that in the process after the aforementioned personal data is obtained, the obligation to clarify regarding banking activities is on the banks.
· Credit Cards and Debit Card Transactions: If the banks use the cards of their cardholder customers in different bank devices and POS, the banks that own the device or POS are not obliged to provide the second clarification.
2) VERBIS, Obligation to Register and Prepare Data Inventory: Banks that are data controllers have an obligation to register with VERBIS. In addition to it, it is mandatory to prepare an inventory. It is important that the information in VERBIS and the information in the inventory are consistent and up-to-date. The categories of data to be included in the inventory were examined and specific examples of banking were shown:
(i) Data Categories of Banking: Financial transaction records, debt/balance information, financial intelligence and tracking data, credit risk score information, financial fraud/fraud data.
(ii) Contact Groups of Banking: Applicant, beneficiary, guarantor, surety, legal successor, joint debtor, first degree relatives for persons in the risk group, shareholder.
(iii) Buyer Groups of Banking: Subsidiaries and group companies of the banks, official institutions, companies within the scope of the support service which is defined in Regulation on Banks' Procurement of Support Services, Parties that receive services outside the scope of support service, training firms, independent audit services, asset management companies, Risk assessment institutions such as Credit Bureau/Risk Center, correspondent banks, other financial institutions which financial transaction records are shared as a part of the instructed services.
(iv) Maximum Periods of Banking: The date range of data required by official institutions should be taken into account.
3) Obligation of Deletion, Destruction, Anonymization of Personal Data: It has been examined in 3 groups as storage of the information, disappearance of the purpose of processing and methods of destruction.
4) Obligation of Data Security: Banks which are data controllers are obliged to ensure data security in accordance with Article 12 of Personal Data Protection Law. Banks also have obligations under various national and international regulations, primarily Banking Law numbered 5411, Bank Cards and Credit Cards Law numbered 5464 and capital market legislation.
5) Rights of the Concerned Person and Management of Complaints: The right to demand protection of personal data within the scope of Article 20 of the Constitution is a constitutional right. According to Article 3 of Personal Data Protection Law, only natural persons can apply to the data controller. In order for the concerned person to exercise his/her rights set forth in Article 11 of Personal Data Protection Law and file a complaint to the Board, first of all, it is obligatory to exhaust the way of application to the data controller. If the application of the concerned person is rejected and the response given as a result of the application is found insufficient by the concerned person, or if the application is not answered in a timely manner, the concerned person may file a complaint to the Board. The fact that the concerned person can be identified is a condition of admissibility of the application. For this reason, the concerned person concerned must submit documents proving his/her identity to the Board with his/her application.
Guide has discussed the situations that banks may encounter during their activities of personal data processing and explained the procedures and principles that they must comply with in details. Guide gave examples in terms of concretization and explained advisory opinions. Thus, it cleared the question marks.
For more information and support, you can contact us from e-mail address of [email protected].