Turkey: Banking Industry Good Practices Guide on Protection of Personal Data
On 5 August 2022, the Personal Data Protection Authority ('KVKK') published its Guide on Good Practices in the Banking Sector regarding the Protection of Personal Data [1] ('the Guide'). Melis Mert, Managing Associate – Attorney at Law at BTS & Partners, discusses the provisions of the Guide and its enforceability.
What does the Guide provide?
The Guide, prepared in co-operation with the Banks Association of Turkey ('TBB'), provides the KVKK's guidance on banks' personal data processing activities with respect to the following main topics:
- the application of the Law on Protection of Personal Data No. 6698 ('the Law') within the banking sector;
- the data controller-data processor relationship (for example, banks' data transfers and contractual relationship with third parties, the application of Turkish banking regulations, main data processing activities within the scope of open banking, and banks as insurance agencies);
- legal bases (for example, the methods of obtaining explicit consent, limits of legitimate interest, and important issues on automated decision-making mechanisms);
- informing data subjects (for example, the evaluation of the parties liable for presenting privacy notices, separate bank notices for different data processing activities, and rules of layered approach);
- the deletion, destruction, and anonymisation of personal data;
- responding to data subject applications (obligation to verify applicants' identity); and
- data security (comparison with the banking legislation).
On the other hand, the KVKK's evaluations are applicable, to a certain extent, to other data controllers that are not banks or active within the banking sector. For example, the KVKK presents insights on the validity of explicit consent, co-controllership, the scope of legitimate interest, etc., which are not sector specific. Also, several recommendations are directly applicable to non-bank entities, such as banks' data processors and third parties taking roles in open banking operations.
What is the enforceability of the Guide?
As to the legal status of the Guide, the KVKK's guidelines are not legally binding but present the KVKK's approach on the relevant matter, along with its expectations regarding data controllers' data processing activities. However, it should be noted that in certain decisions the KVKK refers to its guidelines while assessing a data controller's compliance with the Law, although the Law provides no sanction for non-compliance with the KVKK's guidelines. Therefore, banks may indeed be evaluated by the KVKK in line with the good practices presented within the Guide, and other data controllers may take into consideration the takeaways deduced from the KVKK's insights for banks.
What are the key takeaways?
The Guide provides evaluations on numerous topics, touching on nearly all data controller obligations to some extent. Therefore, the assessments below do not reflect all of the KVKK's recommendations but present the most important comments and/or novel approaches on certain privacy issues.
Data transfer agreements
Although the Law does not foresee an obligation to execute written contracts between data controllers and processors, such agreements have been evaluated as an administrative security measure. Within the Guide, the KVKK recommends that banks have such contracts with mandatory clauses covering the subject, purpose, and term of the processing activity, data types, the processor's obligations regarding data breaches and data subject applications, etc. Therefore, banks' data processors may face such new agreements, and non-bank data controllers may take these clauses as the basis for their contractual relationships with their processors. Accurately reflecting the parties' roles as controller and processor is also crucial, since the KVKK refers to a decision in which the Personal Data Protection Board took the parties' descriptions (under the relevant agreement) into consideration during its controllership assessment.
Co-controllership is not regulated under the Law, and the KVKK's first take on this concept is relatively new. Now, the KVKK has elaborated its view on co-controllers and stated that 'in cases where more than one person jointly determine purpose and means of a data processing activity within the framework of a single data filing system', there might be more than one data controller with respect to the same data processing activity. The KVKK also underlines that not all joint data processing activities result in joint liability, but where they do, executing a contract is very important and will be taken into consideration during liability assessments. In any case, data subjects may exercise their rights against any co-controller.
The Turkish validity criteria for explicit consent are fairly simple: (i) freely given; (ii) based on being informed; and (iii) specific. On the other hand, the Law does not impose procedural requirements that data controllers must comply with while obtaining explicit consent. In applying these rules, a stricter approach applies with regard to granularity, the detailed information to be provided while obtaining consent, ensuring the data subject's free will, etc. Lastly, implicit consents/soft opt-ins were (and legally, still are) not allowed, since they are not the result of the data subject's explicitly declared decision on their own personal data.
Having said that, the Guide's approach appears to be much more flexible: the processes and acts between the parties may lead to the existence of explicit consent, even in the absence of any consent text/written declaration. For example, a data subject's consent may be deemed obtained if they willingly provide information on their state of health within the bank's complaint form.
Although the Guide's logic is clear, it should be noted that the general application of the Law is not very assumption-friendly when it comes to evaluating the existence of explicit consent, and this part of the Guide should not be interpreted very broadly.
The Guide presents certain cases where data controllers may rely on legitimate interest as the legal basis, some of which are closely linked to marketing activities. These examples are important for data controllers, since the Law's legal bases have generally led controllers to rely on explicit consent, rather than legitimate interest, for marketing activities such as segmentation and analysing customer behaviour:
- Segmentation: in order to offer special discounts and products to a group of people with similar financial incomes.
- Discovering customer-specific products/services: in order to ensure customer satisfaction and to meet customers' needs more accurately.
- Strategy works: in order to enhance products and services, without aiming to take action on a customer basis.
- Analysis of customer behaviour: in order to better manage customer complaints and relationships.
Within this scope, the KVKK has presented certain 'criteria' for staying within the legitimate interest basis: (i) being limited to the service relationship already built between the parties; (ii) corresponding to the data subject's reasonable expectations (similar to the approaches of the UK's Information Commissioner's Office ('ICO') and the French data protection authority ('CNIL')); and (iii) being limited to the product/service already being used, taking into consideration that such processing may also benefit the data subject. It should be noted that evaluation of the specific case at hand remains crucial and that the Guide does not foresee a safe harbour for direct marketing activities (i.e. explicit consent would be necessary for profiling-based direct marketing activities).
Last but not least, the KVKK underlines the importance of conducting a legitimate interest balancing test, which is very similar to the one in the EU, complying with the general principles such as proportionality, allowing data subjects to object to such data processing activities, and the simultaneous application of other laws (such as commercial e-message legislation) which may also require consent.
Liability of the data transferring parties re. privacy notices
For the first time, the Guide provides certain cases where the data controller acting as the recipient party is not always under the obligation to inform data subjects on the relevant data processing activity and may rely on the privacy notice provided by the data transferor party.
Accordingly, if: (i) the data transfer takes place between two data controllers; (ii) the personal data is transferred by the data transferor party to the recipient, and the latter therefore does not obtain such data from another source; and (iii) the recipient party does not process this data for a purpose other than the purpose of the transfer; then the data transferor party's privacy notice presented to the data subjects, which covers this transfer (and names the recipient party specifically or categorically), may be sufficient, and the recipient party may not be obliged to inform the data subject of this processing activity, which would otherwise be required since the recipient party also processes the personal data as a data controller itself.
For example, a company representative may be informed solely by their company that their personal data is being transferred to banks in order for the latter to verify the representative's authority; in such a case, the bank (receiving such data and processing it only within this scope) is not obliged to inform the representative again.
For the avoidance of doubt, the recipient party's other/further data processing activities would still require its own privacy notice to be presented (i.e. the recipient party's obligation to inform data subjects is not completely lifted).
Melis Mert Managing Associate – Attorney at Law
BTS & Partners, Istanbul
1. See: https://kvkk.gov.tr/SharedFolderServer/CMSFiles/12236bad-8de1-4c94-aad6-bb93f53271fb.pdf (only available in Turkish)