Turkey: Data Protection in the Financial Sector
1. Governing Texts
Turkey's first legislation addressing personal data protection was enacted on 4 April 2016. The Law on Protection of Personal Data No. 6698 ('the Data Protection Law') outlines a similar framework to the European Data Protection Directive (Directive 95/46/EC) and the secondary legislation in the form of regulations and communications is evolving in line with the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR').
Article 2 of the Data Protection Law states its scope of application. Accordingly, the Data Protection Law applies to:
- natural persons whose personal data is processed; and
- natural or legal persons who process such data, wholly or partially, by automatic or non-automatic means, provided that the processing is part of a data registry system as set out in the Data Protection Law.
Unlike the GDPR, the Data Protection Law does not indicate its territorial scope. That being said, in line with the principle of territoriality and the application of the provisions of the Criminal Code Law No. 5237 ('the Criminal Code') referred to by Article 17 of the Data Protection Law, the Data Protection Law applies to all natural and legal persons who process personal data originating in Turkey, regardless of whether they are located in Turkey or abroad.
The Data Protection Law sets out many requirements for data controllers related to, inter alia, the processing and transfer of personal data, data security, data retention, data subject rights, the obligation to inform, and the data controllers' registry. All data controllers, including financial institutions, are required to comply with the general rules of the Data Protection Law in their activities that involve the processing of personal data originating in Turkey.
Financial institutions, as well as other entities, are required to comply with the Data Protection Law and other secondary data protection legislation in their personal data processing practices. Turkish data protection legislation does not include a specific regulation for the financial sector. That being said, finance-sector specific regulations envisage further restrictions and additional requirements for financial institutions while managing data such as processing restrictions related to customer or banking data, localisation requirements for financial institutions' infrastructural systems, and heavier data security measures.
The Data Protection Law foresees strict data protection requirements for all data controllers, especially in terms of cross-border personal data transfers. The financial regulations related to data protection subject financial institutions to an even stricter regime. Considering the secrecy and confidentiality obligations in place in the financial sector due to the sensitivity of the data processed by financial institutions (e.g. customer secrets and banking secrets), cross-border transfer restrictions, requirements regarding keeping the systems in Turkey, and outsourcing restrictions, it is safe to say that data-handling activities in the financial sector are more heavily regulated than all other sectors. As such, in order to comply with these requirements, financial institutions should carefully review their data protection and privacy-related practices, adapt their systems to new mechanisms, and monitor any upcoming secondary legislation.
All financial services involving Turkey-originated personal data must be carried out in compliance with the Data Protection Law.
Key secondary legislation includes:
- Regulation on Deletion, Destruction or Anonymisation of Personal Data No. 30224 (only available in Turkish here);
- Regulation on the Registry of Data Controllers (only available in Turkish here);
- Communiqué on Principles and Procedures for the Request to Data Controller;
- Communiqué on Principles and Procedures to be Followed in Fulfilment of the Obligation to Inform ('the Communiqué on the Obligation to Inform');
- Regulation on Payment Services, Electronic Money Issuance and Payment Service Providers ('Payment/e-Money Regulation') (only available in Turkish here); and
- Communiqué on Information Systems of Payment and Electronic Money Institutions, and Data Sharing Services of Payment Service Providers in the Field of Payment Services ('Payment/e-Money IT Communiqué') (only available in Turkish here).
Key decisions of the Personal Data Protection Authority ('KVKK') regarding financial institutions include:
- Decision 2021/115 on Transferring Debt Information of the Data Subject by the Lawyer of the Bank to the Relatives of the Data Subject (only available in Turkish here);
- Decision 2020/766 (only available in Turkish here) ('Decision 2020/766') and Decision 2020/765 (only available in Turkish here) ('Decision 2020/765') on the Failure to Fulfil an Order Given;
- Decision 2020/78 on Data Controller Sending the Personal Data on the Credit Card Statement of the Data Subject to the Wrong E-Mail Account (only available in Turkish here);
- Decision 2020/120 on the Processing of Bank Account Movements, Deposit Information, Deposit and Withdrawal Transactions, by the Deputy Tax Inspector without Data Subject's Explicit Consent (only available in Turkish here);
- Decision 2020/118 on Transferring the Account and Safe Deposit Box Data of the Data Subject by a Data Controller Bank (only available in Turkish here);
- Decision 2017/62 on Data Protection at Service Counters, Box-Offices, and Desks (only available in Turkish here);
- Decision 2018/10 on the Adequate Measures to be Implemented when Processing Special Categories of Personal Data (only available in Turkish here) ('Decision 2018/10');
- Decision 2018/142 on Retention of Financial Data and Refusal of Deletion Request made by Data Subject (only available in Turkish here) ('Decision 2018/142');
- Decision 2019/122 regarding a Bank's Non-Compliance with the Rules on Data Subject Rights and Transparency (only available in Turkish here) ('Decision 2019/122');
- Decision 2019/277 regarding a Bank's Use of Personal Data for Illegitimate Purposes;
- Decision 2019/331 regarding an Insurance Company's Use of Publicised Data for Purposes Other than the Purposes of Publicisation (only available in Turkish here) ('Decision 2019/331');
- Decision 2019/352 regarding a Data Breach caused by Bank Personnel (only available in Turkish here);
- Decision 2020/32 on Delivery of Credit Card to Third Person without the Data Subject's Consent (only available in Turkish here);
- Decision 2020/103 on Opening of a Bank Account by a Bank for Acquisition of Potential Customers (only available in Turkish here);
- Decision 2021/32 on Credit Inquiry of a Bank Without Knowledge of the Data Subject (only available in Turkish here);
- Decision 2021/361 on a Bank Sending Promotional Messages to the Relevant Person Via Mobile Applications Without Consent (only available in Turkish here); and
- Decision 2021/79 on Transfer of the Data Subject's Data with the Relatives by the Data Controller Bank (only available in Turkish here).
The KVKK has issued the following guidance:
- Guidelines on Personal Data Security (only available to download in Turkish here) ('the Data Security Guidelines').
The following legislation governs data protection in the financial sector:
- Banking Law No. 5411 ('the Banking Law');
- Capital Market Law No. 6362 (only available in Turkish here) ('the Capital Markets Law');
- Insurance Law No. 5684 (only available in Turkish here) ('the Insurance Law');
- Law on Bank and Credit Cards No. 5464 (only available in Turkish here) ('the Bank Cards Law');
- Law on Payment and Security Settlement Systems, Payment Services and Electronic Money Institutions No. 6493 (only available in Turkish here) ('the Payment Services Law');
- Law on Financial Leasing, Factoring, Financing and Saving Financing Companies No. 6361 (only available in Turkish here);
- Law on the Prevention of Laundering of Crime Proceeds No. 5549 (only available in Turkish here) ('the AML Law');
- Regulation on Information Systems of Banks and Electronic Banking Services (only available in Turkish here) ('the Electronic Banking Regulation');
- Regulation on Internal Systems and Assessment on Internal Capital Adequacy of Banks (only available in Turkish here) ('the Regulation on Internal Systems');
- Regulation on Support Service Procurement of Banks (only available in Turkish here) ('SSP Regulation');
- Regulation on Remote Identification Methods to be Used by Banks and Establishment of Contractual Relations in Electronic Environment (only available in Turkish here);
- Regulation on Establishment and Operation Principles of Financial Leasing, Factoring and Financing Companies (only available in Turkish here);
- Regulation on Establishment and Operation Principles of Savings Finance Companies (only available in Turkish here);
- Regulation on Sharing Confidential Information (only available in Turkish here) ('Confidential Information Regulation');
- Regulation on Measures to Prevent the Laundering of Criminal Proceeds and the Financing of Terrorism ('the AML/CFT Regulation');
- Regulation on Establishment and Working Principles of Insurance Companies and Reinsurance Companies (only available in Turkish here);
- Regulation on Internal Systems of Insurance Companies and Reinsurance Companies (only available in Turkish here);
- Regulation on Operating Principles of Digital Banks and Service Model Banking (only available in Turkish here) ('Digital Banking Regulation');
- Communiqué on Management and Audit of Information Systems of Payment and Electronic Money Institutions (only available in Turkish here) ('the Communiqué on Information Systems');
- Communiqué on Management and Supervision of Information Systems of Financial Leasing, Factoring and Financing Companies (only available in Turkish here);
- Communiqué on Management of Information Systems (only available in Turkish here); and
- Communiqué on Independent Audit of Information Systems (only available in Turkish here).
1.2. Supervisory authorities
The KVKK is the supervisory authority under the Data Protection Law and is responsible for enforcing the Data Protection Law and the secondary legislation in Turkey.
The Banking Regulation and Supervision Agency ('BDDK') is responsible for enforcing the financial regulations related to banking, payment services, and credit institutions, as well as monitoring the compliance of financial institutions with the applicable legislation. With the amendments made to the Banking Law in February 2020, the BDDK is now authorised to determine the scope, method, principles, and procedures related to the disclosure and transfer of customer secrets, a category of personal data defined under the Banking Law, and introduce limitations related to these. More importantly, the BDDK is now authorised to prohibit the transfer of customer secrets or bank secrets to third parties abroad upon an assessment on economic security and may render a decision ordering banks to retain their information systems and their back-ups in Turkey.
The Capital Markets Board of Turkey ('CMB') is the regulatory and supervisory authority in charge of the securities markets in Turkey, empowered by the Capital Markets Law. The CMB introduces detailed regulations for organising the markets as well as developing capital market instruments and institutions. The CMB envisages sector-specific restrictions, especially for data security measures, for the institutions under its supervision.
The Central Bank of the Republic of Turkey ('TCMB') is now the sole competent authority for payment services, and all payment service providers are subject to the TCMB's supervision. The TCMB also has the authority to supervise the anti-money laundering ('AML') obligations of payment and e-money institutions.
The Financial Crimes Investigation Board ('MASAK') is responsible for the application of legislation regarding AML and counter-terrorist financing and supervising financial institutions in terms of detecting and preventing money laundering and terrorist financing.
Insurance General Management under the Secretariat of Treasury is responsible for the introduction of the regulations related to the insurance sector and sector players.
The Savings Deposit Insurance Fund, Banks Association of Turkey, and Insurance Association of Turkey are other supervisory authorities granted powers to monitor and supervise actors in the financial sector.
2. Personal and Financial Data Management
2.1. Legal basis for processing
As per Article 4 of the Data Protection Law, the following key principles must be observed in all personal data processing activities. Personal data must be:
- processed lawfully and fairly;
- accurate and, where necessary, kept up to date;
- processed for specified, explicit, and legitimate purposes;
- relevant, limited, and proportionate to the purposes for which they are processed; and
- retained for the period of time determined by the relevant legislation or the period deemed necessary for the purpose of the processing.
Additionally, personal data can be processed in cases where:
- the data subject has given his/her explicit consent;
- it is explicitly permitted by the laws;
- it is mandatory for the protection of life or to prevent the physical injury of a person, where that person is physically or legally incapable of providing his/her consent;
- processing of personal data belonging to the parties of a contract is necessary, provided that it is directly related to the execution or performance of that contract;
- it is mandatory for the data controller to fulfil its legal obligations;
- the personal data is publicised by the data subjects themselves;
- it is mandatory for the establishment, exercise, or protection of certain rights; or
- it is mandatory for the legitimate interests of the data controller, provided that the fundamental rights and freedoms of the data subject are not compromised.
As per the relevant secondary legislation, including the guidelines and resolutions of the KVKK, explicit consent can only be used as a legal basis by data controllers where no other legal basis is applicable. Moreover, where another legal basis applies, the KVKK considers that obtaining explicit consent may be misleading. Therefore, it is crucial for data controllers to determine the applicable legal bases for data processing prior to seeking the consent of data subjects.
In this regard, financial institutions tend to rely on other legal bases determined under the Data Protection Law, such as fulfilment of legal obligations, permission by law, execution or performance of contracts, and legitimate interest to collect, process, and transfer personal data, depending on the processing activity at hand.
- Banks rely on 'permitted by the laws' for their data processing to issue credit cards. For example, banks are obliged and authorised by the Bank Cards Law to collect certain personal data regarding the applicants' socio-economic status.
- Banks also rely on 'permitted by the laws' as a legal basis for certain data transfers. Accordingly, as per Turkey's Enforcement and Bankruptcy Law No. 2004 (only available in Turkish here), banks are legally obliged to transfer data related to their respective customers' bank accounts to execution offices upon request.
- Banks rely on 'execution of contracts' for the execution of credit agreements. Credit institutions may process personal data including payroll and title deeds, as well as debt certificates of real persons for this purpose.
- Banks rely on their legitimate interest as a legal basis to process data necessary for their credit risk evaluation practices.
- To combat fraud, financial institutions process, and are encouraged to process, high volumes of their customers' data (e.g. device data, communication data, location data) based on their legitimate interests, through the new systems that are required to be adopted under the Electronic Banking Regulation.
Moreover, the Data Protection Law envisages specific rules for the processing of special categories of personal data, which are defined as data relating to:
- ethnic origin;
- political beliefs;
- philosophical beliefs;
- religion, denomination, or other faiths;
- clothing and attire;
- membership of an association, charity, or union;
- sexual life;
- criminal convictions and security measures; and
- biometric and genetic data.
In contrast to the GDPR, the processing of social security or identification numbers is not subject to voluntary or mandatory additional requirements under the Data Protection Law. That being said, the transfer of customer or banking secrets is subject to sector-specific regulations (please see section 7 below for further information).
Article 6 of the Data Protection Law states that special categories of personal data can only be processed provided that data subject has given his/her explicit consent. In terms of additional legal bases for processing, the Data Protection Law divides special categories of personal data into two different categories:
- personal data related to health or sexual life; and
- other special categories of personal data.
While other types of special categories of personal data can be processed if such processing is permitted by the laws, personal data related to health or sexual life is protected more strictly than other special categories of data, as the scope of the legal bases for processing is very limited. In addition to the requirement to obtain the explicit consent of the data subject, personal data related to health or sexual life can only be processed by persons that are under an obligation of confidentiality, or by authorised institutions and establishments, for the purposes of:
- protection of public health;
- preventive medicine;
- medical diagnosis;
- provision of healthcare services and treatment; and
- planning and management of health care services and their financing.
Due to the restrictive wording of the Data Protection Law, financial institutions that are involved in health and life insurance activities are required to seek the explicit consent of the insured to process data related to health for the provision of insurance services and to determine their liabilities. This causes certain and ongoing problems in the insurance sector due to the fact that insurance companies cannot rely on other legal bases besides explicit consent to process data related to health and, as such, refusal to provide or withdrawal of consent means that insurance companies will not be able to provide their services in compliance with the Data Protection Law. Moreover, even though explicit consent is obtained from the insured, it is questionable whether such consent is 'freely given' when it is obtained as a prerequisite for the provision of services.
As per Article 10 of the Data Protection Law, regardless of the legal basis of data processing, data controllers are obliged to inform the data subjects when collecting personal data in respect of the minimum mandatory content outlined below:
- the identity of the data controller and its representative, if any;
- the purpose of personal data processing;
- the recipients to whom the personal data can be transferred, and the purpose of the transfer;
- the methods and legal reasons of collection of personal data; and
- the rights of the data subjects under the Data Protection Law.
Aside from these, according to Decision 2020/765 and Decision 2020/766, data controllers must include the categories of data processed in their privacy notices, together with detailed information. Also, according to the Board of the KVKK, the privacy notice must be specific to a particular processing activity rather than a general privacy notice covering all of the data controller's processing activities.
Like all data controllers, financial institutions must comply with the transparency rules under the Data Protection Law in all their processing activities. In this regard, a public bank's privacy notice practices went under review by the KVKK and, in Decision 2019/122, the KVKK instructed the bank to change the privacy notice available on its official website in compliance with the Communiqué on the Obligation to Inform and ensure that the purpose of personal data processing is stated in a specific, clear, and legitimate manner, also highlighting that general and ambiguous statements, as well as statements suggesting that personal data may be processed for other future possible purposes, are to be avoided.
In addition to the general privacy notice requirements under the Data Protection Law, the Communiqué on Information Systems envisages that users who will benefit from the services provided by payment service providers, or by their establishments under the CMB's supervision, must be clearly informed by the related service providers of the terms, risks, and exceptional circumstances of the services. In their notices, payment service providers must also include instructions for service users regarding the use of devices, software, or mobile applications that process users' sensitive payment data, as well as security instructions for sensitive payment data.
Regarding the obligation to inform, the Board's decisions regarding the need to include the personal data categories processed in the privacy notice have brought a new aspect to the privacy notices.
In Article 4 of the Communiqué on the Procedures and Principles to be Followed in Fulfilling the Obligation to Inform ('Information Communiqué') (only available in Turkish here), the information required to be included in the privacy notice was determined as explained above. The data categories, however, were not among the required information as per the Information Communiqué.
As per Article 12 of the Data Protection Law, data controllers are obliged to:
- prevent unlawful processing of personal data;
- prevent unlawful access to personal data; and
- ensure the retention of personal data.
Data controllers must take all necessary technical and organisational measures to provide an appropriate level of security in order to fulfil those obligations. The measures that data controllers must take, regardless of the sector they operate in, are detailed in the Data Security Guidelines and Decision 2018/10.
Data security measures are also applicable for data processors under the Data Protection Law. Data controllers are jointly responsible, along with the data processors, for data security measures and, as such, data controllers need to conduct audits on data processors to ensure their compliance with data security requirements.
Apart from the above, there is no legislation in Turkey regulating general data security and risk management; rather, sector-specific laws exist in this area. That being said, the Presidential Circular on Information and Communication Security Measures (only available in Turkish here) was published on 6 July 2019, requiring public institutions and businesses providing critical infrastructure services (including financial services) to implement certain security measures in order to reduce and neutralise the security risks encountered and to ensure the security of critical types of data whose impaired confidentiality, integrity, or accessibility may threaten national security or cause disruption of public order.
Accordingly, the Digital Transformation Office of the Presidency of Turkey ('CBDDO') has published the Guideline on Information and Communication Security ('Guideline') (only available in Turkish here), on 27 July 2020, which includes measures at different security levels.
The audit process, which is one of the steps that financial institutions, as critical infrastructure providers, must fulfil in adapting to the Guideline, is regulated under the Guideline. Financial institutions are expected to carry out the audit envisaged under the Guideline at least once a year, assessing their compliance with the Guideline.
Following the Guideline, on 27 October 2021, the Guideline on Information and Communication Security Audit ('Audit Guideline') (only available in Turkish here) was prepared in order to guide institutions and auditors in the independent planning, execution, and reporting of the audit.
With regards to the Audit Guideline, for all institutions within the scope of the Guideline, it is essential that audit activities are primarily carried out by internal auditors who work in internal audit units and are assigned to audit in the field of information technologies. In enterprises providing critical infrastructure services, regulatory and supervisory authorities may also carry out audit activities in accordance with the Audit Guideline within the framework of their relevant legislation.
Further to this, where an institution is under an obligation, pursuant to the legislation it must currently comply with, to install, operate, and certify an ISO/IEC 27001 compliant Information Security Management System ('ISMS'), and where the ISMS scope and the Audit Guideline compliance scope are the same within the framework of this obligation, ISMS internal audit work and Audit Guideline compliance audits can be carried out as a single audit. However, the information and documents that must be submitted to the CBDDO as a result of the audit work should be prepared in accordance with the formats defined in the Audit Guideline. Where audits are carried out in this way, the measure matching tables published on the CBDDO website can be used.
The audit results and the corrective and preventive actions are to be submitted to the CBDDO as a report, in accordance with the procedures and principles specified in the Guideline.
In the finance sector, financial institutions were obliged, even before the enactment of the Data Protection Law, to take the additional data security measures envisaged under sector-specific legislation. The management of information systems in a financial institution is deemed part of corporate governance. Financial institutions are obliged to allocate adequate financial and human resources for the proper management of information systems, ensure effective control over the information systems for the confidentiality, integrity, and accessibility of data, and conduct supervision to manage the risk arising out of the use of information systems.
The Electronic Banking Regulation, which came into force on 1 July 2020, envisages detailed additional administrative and technical measures to be adopted by banks regarding system and data access controls, secure transfer controls, and continuity of management systems. Some of the data security and risk management measures to be adopted by banks are as follows:
- preparation of information systems policies, procedures, and information assets inventory to establish control mechanisms adequate for the security requirements of information assets, with the inclusion of information on whether the data contains personal data in the data inventory;
- establishment of information security management;
- conducting regular risk management processes;
- preparation of an asset inventory;
- limitation of outsourcing service providers' access to banking data;
- establishment of cyber-attack management, cyber-attack response processes, and an institutional cyber-attack response team; and
- adoption of standards regarding establishment of authentication mechanisms, track record mechanism for transactions related to information systems, network security control systems, security configuration management, and security vulnerability management, as well as creation of an information security awareness training program.
All financial institutions are subject to broadly similar data security and risk management measures under their own specific regulations, to ensure an adequate level of data protection within their organisations.
It is worth mentioning that the Electronic Banking Regulation introduces a new data category for banking legislation named 'sensitive data', which does not correspond to the definition of 'special categories of personal data' under the Data Protection Law. As per the Electronic Banking Regulation, sensitive data means 'any data, authentication data in particular, that banks store for various reasons, the disclosure of which to third parties may result in damage to identity verification mechanisms in place, allowing fraud or fraudulent transactions to be made on behalf of customers'. The Electronic Banking Regulation envisages that banks must take additional technical measures for the protection and retention of sensitive data.
In addition to the above, based on the importance of the data processed by the financial institutions and to ensure the data security, a localisation requirement is envisaged for financial institutions. Accordingly, financial institutions are obliged to keep their primary and secondary systems in Turkey. Moreover, sector-specific data transfer restrictions are envisaged for the financial institutions to ensure the adequate level of data protection (Please see section 7 for further information).
As per Article 7 of the Data Protection Law, data controllers are obliged to erase, destroy, or anonymise personal data, ex officio or upon the demand of the data subject, when the purposes for which it was processed are no longer valid. Moreover, as per the Data Protection Law and the secondary legislation, retention periods must be determined by data controllers taking into account the principles under the Data Protection Law, other requirements regulated under the applicable sector-specific laws, and the purposes of the processing.
Like all data controllers, financial institutions are obliged to determine the retention periods for the personal data they collect, considering the applicable sector-specific regulations and the purposes of collection. Regarding the retention of banking data, pursuant to Article 42 of the Banking Law and Article 17/1 of the Regulation on Banks' Accounting Practices and Retention of Documents (only available in Turkish here), banks are obliged to retain any data related to their banking activities, including customer data, for ten years and to provide access to these records upon the request of authorised public institutions.
Furthermore, under the Payment Services Law, payment service providers are obliged to retain all documents and records regarding the payment services for ten years in their systems that are kept in Turkey and where data security measures stated under the Communiqué on Information Systems are taken.
In the event that customers request the deletion of their personal data, financial institutions must check whether a legal basis still applies and erase, destroy, or anonymise the requested data if it is determined that there is no applicable legal basis for processing. In line with this principle, the KVKK, in Decision 2018/142, decided that the financial institution in question was not obliged to comply with the data subject's request for the erasure, destruction, or anonymisation of their personal data, because the statutory retention period had not yet expired.
In addition to the statutory data retention periods, financial institutions are obliged to have an adequate track keeping mechanism for their information systems, depending on the complexity and volume of their activities and information systems. The specifications of the mechanism are envisaged for all financial institutions under their specific regulation.
As per the requirements under the AML Law and the AML/CFT Regulation, financial institutions, as obliged parties, are required to conduct due diligence on customers with whom they are in a business relationship; report to MASAK all transactions exceeding the threshold determined by the Ministry of Treasury and Finance, as well as any transactions they encounter relating to money laundering or terrorist financing; and store the relevant information and documents and submit them as requested by the competent authorities.
To fulfil their legal obligations regarding customer due diligence regulated under Article 5 of the AML/CFT Regulation, financial institutions process customer personal data for identification purposes prior to the provision of services. Customer data required to be collected by the obliged financial institution is stated in the AML/CFT Regulation and data related to customer due diligence is retained for eight years and submitted to competent authorities upon their requests according to the Article 46 of the AML/CFT Regulation. Additionally, financial institutions are required to monitor complex, extraordinary, and suspicious transactions of their customers throughout their customer relationships and take all necessary measures for customer due diligence by adopting risk-based approaches, where necessary, and pay adequate attention and care for prevention of terrorist financing as well as money laundering.
If any information or suspicion is detected by financial institutions on the fact that assets, subject to the transactions carried out by or through them, are acquired illegally or are used for illegal purposes then financial institutions, as reporting entities, are obliged to report such transactions to MASAK. Though the information collected from suspicious activities must be transferred to MASAK, such reporting is under strict confidentially and financial institutions are not allowed to share such data to anyone including the relevant customers, except with the relevant competent authorities.
Through the amendments on Article 4 of the AML/CFT Regulation, effective as of 1 May 2021, thus named the Regulation Amending the Regulation on Measures Regarding the Prevention of Laundering Proceeds of Crime and Financing of Terrorism, as published in Official Gazette numbered 31471 (only available in Turkish here), the following are included in the scope of 'obliged parties' to the AML measures:
- crypto asset service providers; and
- savings financing companies.
Accordingly, as of 1 May 2021, crypto-asset service providers, savings financing companies, their branches, agents, representatives, commercial agents, and affiliates are required to comply with the AML/CFT Regulation and other AML requirements.
Articles 73 of the Banking Law and 10 of the Electronic Banking Regulation regulate banking secrecy and confidentiality. The Banking Law introduces the term 'customer secret,' which is defined as information collected relating to a real or legal person's banking activities after the bank-customer relationship is established. Separate from the personal data defined under the Data Protection Law, customer secrets include all of the information related to the banking activities belonging to real person customers, as well as legal person customers.
According to the aforementioned regulations, customer secrets may not be disclosed or transferred to any third party located in Turkey or abroad without a request or instruction from the customer, even if the explicit consent of the customer has been collected in line with the Data Protection Law. Furthermore, the Electronic Banking Regulation provides that such requests from customers must be in written form or be obtained through a permanent data register. Moreover, customer consent to the disclosure of such information cannot be imposed as a prerequisite for the services provided.
The exemptions from the requirement to obtain a customer's request or instruction for a transfer are the mandatory provisions of the Banking Law and other laws, as well as information that must be disclosed to certain authorities listed in Article 73 of the Banking Law (public authorities associated with the Ministry of Family, Labour and Social Services and the Ministry of Treasury and Finance). Aside from the mandatory disclosure obligations, the exemptions from the confidentiality obligations regulated under Article 73 of the Banking Law can be summarised as follows:
- providing information to the KVKK based on an official request raised by an equivalent foreign supervisory authority;
- transfer and disclosure of information and documents among banks or financial institutions, either directly or indirectly, provided that a confidentiality agreement is executed and that the disclosure is limited to the purpose of the transfer;
- disclosure conducted through a risk centre or through firms established by at least five banks or financial institutions;
- information and document requests for use in the valuation process carried out by potential buyers for the sale of shares representing ten percent or more of the capital through direct or indirect shareholdings;
- the preparation of consolidated financial statements and accounts of parent companies, including credit institutions and financial institutions, established in Turkey or abroad, that hold ten percent or more of the capital; and
- the provision of outsourcing services, independent audit services, or other service purchases, provided that the required precautions are taken.
Please note that even in these exemption circumstances, financial institutions must comply with the data transfer rules under Articles 8 and 9 of the Data Protection Law.
Irrespective of whether a bank bases its transfer on the aforementioned exemptions provided in Article 73 of the Banking Law, disclosures and transfers of customer and banking secrets must be limited to the specified purposes and be proportionate.
Furthermore, the Confidential Information Regulation, which was issued on 4 June 2021, regulates the procedures and principles regarding the confidentiality obligation stipulated specifically for the banking sector in Articles 73 and 93 of the Banking Law.
Within the scope of the Confidential Information Regulation, it is regulated that those who learn the secrets of banks or their customers due to their titles and duties cannot disclose these secrets to anyone other than the authorities expressly authorised by law. In addition, the obligation to keep secrets:
- will continue even after leaving the job; and
- will be valid if the information that is classified as a customer's secret is obtained and learned through non-automatic methods, or methods that are not part of any data recording system.
Specific to banking activities, it is regulated that data relating to real and legal persons that is formed after a customer relationship with a bank is established becomes a customer secret and falls within the scope of the confidentiality obligation. Moreover, the Confidential Information Regulation notes that:
- all kinds of information showing that a real or legal person is a bank customer, and information obtained through another bank that would be considered a customer secret even if a direct customer relationship is not established, are also within the scope of the confidentiality obligation; and
- data relating to real and legal persons, including personal data, that existed before the establishment of a customer relationship with a bank and that does not constitute a customer secret of another bank also becomes a customer secret when it is processed, alone or together with data formed after the establishment of the customer relationship, in a way that shows that the person concerned is a bank customer.
Within the scope of the Confidential Information Regulation, it is regulated that some situations will be excluded from the scope of confidentiality obligation. These situations can be summarised as follows:
- sharing confidential information with an authority expressly authorised in this regard by law;
- provided that a confidentiality agreement is made in this regard, sharing confidential information only for the following stated purposes:
  - banks and financial institutions sharing information among themselves, or through the Risk Center established pursuant to the Law, or through companies established by five banks or financial institutions;
  - providing information to the main partners of banks within the scope of financial statement preparation, risk management and internal audit practices;
  - providing information to prospective buyers for use in valuation studies for the sale of shares representing ten percent or more of the bank's capital, or providing information and documents for use in valuation studies for the sale of assets or of securities based on these assets; or
  - sharing information with service providers for use in valuation, rating, support services and independent audit activities or in service procurement transactions, provided that the necessary technical and administrative measures are taken;
- sharing information that is not a customer secret but only a bank secret with third parties, pursuant to a decision of the bank's board of directors;
- providing information on whether the data shared with the Risk Center or with companies established by five banks is correct, provided that there is a customer request or instruction in this regard;
- where the sharing of confidential information is necessary to prove claims and defences in disputes to which banks are parties, sharing the information with national or international judicial authorities and any unit authorised for alternative dispute resolution; and
- pursuant to Article 5 of the AML Law, a bank affiliated with a financial group sharing the confidential information of a customer regarding accounts and transactions with the other affiliates of that group.
As per the Confidential Information Regulation, confidential information may be shared only on the condition that the sharing is limited to the purposes specified at the time of sharing and contains no more data than those purposes require, in accordance with the principle of proportionality. In addition, it is stated that sharing within the scope of the exemptions must also comply with these conditions, and that information is deemed to have been shared once it reaches the other party, even if the other party has not taken note of it.
The minimum conditions, all of which must be fulfilled, for the sharing of such information to be considered proportionate are as follows:
- the data shared should be as required by the specified purpose;
- it must be demonstrable that the data being shared is necessary for the fulfilment of the purpose;
- where the purpose can be fulfilled with aggregated, de-identified or anonymised data, the data should be shared in that form; and
- sharing parties and methods should be designed to provide as few copies as possible.
In addition, it has been stated that the principles of the Data Protection Law must be complied with when data is shared within the scope of the Confidential Information Regulation, and it is further stated that personal data regarding health and sexual life should not be shared, even within the framework of one of the exceptions.
Except in cases constituting an exception to the confidentiality obligation, information in the nature of a customer secret cannot be shared with third parties without the request or instruction of the customer, even if the customer's explicit consent has been obtained in this regard, and such consent cannot be made a prerequisite for taking action.
In addition, the Banking Regulation and Supervision Agency may restrict the transfer of confidential information abroad within the scope of economic security assessments.
Under Article 7 of the Confidential Information Regulation, banks are obliged to establish an Information Sharing Committee, which also covers the sharing of confidential information by banks within the scope of the exceptions. The Information Sharing Committee is responsible for:
- coordinating the sharing of confidential information;
- evaluating the appropriateness of such incoming sharing requests; and
- recording these assessments.
Please note that the effective date of the Confidential Information Regulation has been postponed by the BDDK from 1 January 2022 to 1 July 2022.
The general data protection rules apply to the data processing activities carried out in the insurance industry. Within the scope of the insurance legislation, there are no specific regulations regarding data protection.
That being said, a confidentiality obligation is envisaged for the insurance companies under the Insurance Law. Accordingly, insurance companies are under a confidentiality obligation and are obliged not to disclose any information they have learned during the provision of services to third parties other than competent authorities, without the consent of the concerned parties. However, the regulations allow insurance companies and reinsurance companies to share information, including the personal data of the insured, with each other directly or through the insurance information and monitoring centre, provided that non-disclosure agreements are concluded between companies and transferred data is only used for the purposes of risk evaluation.
Moreover, insurance companies are obliged to provide information and documents to the Secretariat of Treasury upon its request, regardless of specific restrictive provisions and even if they are confidential, save for matters of state security, the right of defence, and the privacy of family life.
Additionally, insurance companies are deemed as obliged parties within the scope of the AML Law and are obliged to comply with the requirements explained under section 3.
Payment services are regulated under the Payment Services Law, which was previously amended to align with the EU Payment Services Directive 2015/2366/EU ('PSD2'). With the new amendments made to the legislation, the aim is to strengthen the legal infrastructure of open banking and to boost the number of fintech companies and consumer-oriented service models in the banking and financial markets.
Similar to PSD2, the previous amendments extended the list of payment services to include 'payment initiation services' and 'account information services.' In line with the amendments, payment service providers may provide payment initiation services to their users if the users explicitly request them. Similarly, account information services may be provided by service providers only if users consent to the sharing of their data. However, unlike under PSD2, banks are not yet legally obliged to offer third-party providers access to their customers' accounts via open application programming interfaces, at least until secondary legislation on data sharing enters into force.
Additionally, payment service providers have confidentiality obligations under the Payment Services Law, which is similar to the banking secrecy regulated under the Banking Law and which obliges payment service providers not to disclose any information regarding their customers to any third party other than the competent authorities.
In addition to the general data security rules regulated under the Data Protection Law, payment service providers are required to take necessary measures under the Communiqué on Information Systems for purposes such as preventing third parties from accessing the data of payment service users, ensuring secure transfer of personal data to users, and auditing their outsourcing service providers' personal data processing activities.
The Communiqué on Information Systems introduces a special category of personal data called 'sensitive payment data,' which is defined as personal data regarding the security of payment instruments such as password, security question, certificate, encryption key and PIN, card number, expiration date, and CVV2 that is used for the issuance of payment orders or user ID verification and may allow fraud or fraudulent actions against users in the event it is captured or changed. The Communiqué on Information Systems envisages additional security measures to be taken for storage and transfer of sensitive payment data.
According to the Communiqué on Information Systems, sensitive payment data must not be transferred to third parties other than external service providers and authorities expressly authorised by law. Other user information not within the scope of sensitive payment data may only be transferred to third parties other than those authorised by law, provided that the purposes of processing are clearly stated and prior consent of the user is obtained. User consent may be obtained through a contract or other secure methods. Consent obtained through an electronic contract is only valid provided that it is obtained when users first log in to the relevant system and the user is clearly informed beforehand.
Payment service providers are also within the scope of the AML Law and are obliged to comply with the requirements explained under section 3.
As a result of the amendments made to Article 76 of the Banking Law by the Law on Making Amendments to Certain Laws and Decrees No. 7247 (only available in Turkish here), and with the entry into force of the Regulation on the Establishment of a Contractual Relationship in the Electronic Environment and the Remote Identity Detection Methods to be Used by Banks, prepared pursuant to these amendments, it became possible to establish contractual relations between banks and their customers in an electronic environment, including contracts subject to a written form requirement. With these developments, the BDDK has aimed to lay the foundations of the digital banking model, which operates only in the digital environment without a physical branch.
On 29 December 2021, the BDDK published the Digital Banking Regulation with the aim of promoting financial innovations in the banking sector, increasing financial inclusion and facilitating access to banking services.
The Digital Banking Regulation aims to determine the operating principles of branchless banks that serve exclusively through digital channels and the conditions for the provision of banking as a service (also referred to as 'BaaS') model to businesses and innovative enterprises, i.e. start-ups.
As per the Digital Banking Regulation, interface providers, which are businesses that enable their customers to perform banking transactions via their mobile application or internet browser-based interface, are obliged to keep in Turkey the systems and data backups in which confidential data is processed, whether by the interface provider itself or by the parties from which the interface provider receives a service. Additionally, for a bank to provide services to an interface provider, the agreement between the parties must include a provision that the confidential data transferred to the interface provider at the request of the customer cannot be processed by the interface provider, or by parties other than the service bank from which the interface provider receives service, except to the extent and for the time required by these situations. The Digital Banking Regulation also contains certain provisions regarding the protection of data. Furthermore, it should be noted that confidential financial information does not only contain personal data, but also the financial data of legal persons, as well as certain other data that cannot be qualified as personal data.
The Data Protection Law stipulates the same legal bases for processing personal data and for transferring personal data inside Turkey. In this regard, in order to transfer personal data inside Turkey to a data controller or to a data processor, one of the aforementioned legal bases must be met.
Under Article 9 of the Data Protection Law, a cross-border transfer may take place under one of the following circumstances:
- where the data subject has given their explicit consent;
- if the cross-border transfer is based on one of the legal bases (please see section 2.1 for further information) other than explicit consent, and:
  - the receiving country is accepted by the KVKK as a 'Safe Country'; or
  - if the country is not accepted by the KVKK as a 'Safe Country', the data transferor in Turkey and the data receiver abroad (data controller or processor) execute a written undertaking and obtain the approval of the KVKK for the data transfer.
The list of safe countries has not yet been published by the KVKK. In this regard, at this stage, in order to transfer personal data abroad:
- explicit consent of the data subject must be acquired; or
- a written undertaking must be executed between the data transferor and data receiver (regardless of whether the data receiver is the data controller or data processor), and the approval of the KVKK must be obtained for the data transfer.
Also, the KVKK has previously announced its Binding Corporate Rules ('BCRs'), which are designed to allow multinational companies to transfer personal data from Turkey to their affiliates located in a country with an inadequate level of data security, as an alternative cross-border transfer method. Similar to the concept of BCRs under the GDPR, these must be approved by the KVKK to be valid.
In addition to the general rules of the Data Protection Law, financial institutions are subject to specific storage and transfer rules for both personal data and non-personal data as well as outsourcing restrictions.
Primarily, a localisation requirement has been envisaged for banks, payment and electronic money institutions and financial institutions. In this regard, banks, payment and electronic money institutions and financial institutions are obliged to keep their primary and secondary systems in Turkey. Furthermore, as per the amendment made in Article 73 of the Banking Law in February 2020, it is determined that customer secrets cannot be transferred to any third parties located in Turkey or abroad, even if the customer gives his/her explicit consent in line with the Data Protection Law, unless:
- a request is placed, or an instruction is given by the customer to this end;
- otherwise reserved under mandatory provisions of any other laws; or
- an exemption for the confidentiality obligation is determined under Article 73 of the Banking Law.
Moreover, Article 73 of the Banking Law also authorises the BDDK to prohibit the transfer of customer secrets or bank secrets to third parties abroad upon its assessment on economic security and render a decision ordering banks to retain their information systems and their back-ups in Turkey.
In terms of outsourcing in the financial sector, different sector-specific restrictions are envisaged for banks, payment institutions, and financial institutions.
As per Article 35 of the Banking Law, Turkish banks can procure supporting services from third parties in any matter, except for the operations that must be performed solely by the bank's board of directors or its internal organisational units, the activities relating to the accounting of transactions, and the issuance of financial reports. The provision of supporting services is subject to specific rules set out in the SSP Regulation.
Pre-conditions for banks to procure services from third parties can be summarised as follows:
- create a risk management system in line with the said regulation and submit it to the board of directors at least once a year;
- prepare a written risk analysis by conducting examinations to confirm that the supporting service provider has the required technical equipment and infrastructure, financial capability, and experience. Such report would be submitted to the BDDK, upon request;
- upon the analysis, to issue a technical adequacy report, which would be submitted to the BDDK, upon request; and
- as a result of the risk analysis and technical adequacy reports, as well as the assessment of the banks' audit committee, execute a support service agreement with the supporting service provider, of which the minimum content is determined by the said regulation.
In addition to the above, the SSP Regulation also envisages certain structural and operational conditions for supporting service providers, such that they can render services to banks.
Like banks, payment institutions can also procure external services from third parties, provided that a written agreement is executed between the institution and the service provider. The pre-conditions for the procurement of supporting services by payment institutions are quite similar to the pre-conditions envisaged for banks, which are explained above.
For other financial institutions, there are no specific rules envisaged for outsourcing. That being said, as outsourcing IT services is crucial for data sharing for all kinds of financial institutions (including banks and payment institutions), outsourcing IT services is subject to specific restrictions on both control over the systems and the relationship between the parties.
In brief, financial institutions are allowed to outsource IT services, including cloud computing systems, and to assign outsourcing service providers as data processors to process data on their behalf in line with the related legislation. In such a case, the outsourced information systems and their back-ups are also considered within the scope of primary and secondary systems and should therefore be kept within Turkey.
In line with the data protection legislation imposing data controllers obligations to monitor and audit the activities of their data processors, the financial regulations impose similar obligations on financial institutions to take necessary measures to ensure the security of confidential information stored in outsourced systems, control access rights of service providers, restrict access to certain data, and to ensure that enough measures are taken by the external service providers to protect confidential information.
As per Article 12 of the Data Protection Law, if processed personal data is obtained unlawfully by third parties, data controllers are obliged to notify the data subjects and the KVKK within due course. The time period for the notification to the KVKK is determined as 72 hours from becoming aware of the breach. Where necessary, the KVKK may announce the notified breach on its official website or through other methods it deems appropriate.
Apart from the general data breach notification obligations for all data controllers, financial institutions and especially banks are subject to additional notification requirements under the financial regulations. According to the Electronic Banking Regulation, banks are now required to provide the current contact details of their institutional cyber-attack response team, which they are obliged to form, to the BDDK and are also required to inform the BDDK of any cyber incidents which occur.
In accordance with the Electronic Banking Regulation, if a cyber-attack results in breach of sensitive data or personal data, banks must notify their customers of the breach after they perform an internal assessment. Moreover, if a cyber incident turns into a crisis, a leakage, or a disclosure of sensitive data or personal data, banks must notify the sectoral cyber-attack response team immediately and announce the situation on their websites.
Furthermore, the Electronic Banking Regulation requires banks to back up the data that is subject to the breach and to give access to the original when access to such data is requested by the BDDK and other competent authorities.
For Service Model Banking, it has been stated that the service bank can only provide services to domestic interface providers and only within the framework of its own operating permits.
It has been stated that banks cannot be interface providers and they do not need to apply to the BDDK for an expansion of their activities, in order to offer the services they can provide within the framework of their current operating permits to interface providers.
Furthermore, it is stated that the service bank can decide whether or not to provide banking services to the customer through service model banking, over the interface of the interface provider, including the loan allocation decision, and the banking services to be provided to the customer will be carried out through the balance sheet of the service bank.
Within the scope of data sharing between the service bank and the interface provider, the obligation to ensure data confidentiality, and the elements that should be included in the service contract for the service provided by the service bank to the interface provider, have been determined in detail.
As a result, the new digital banks that will join the financial system in Turkey will provide fast and easy access to banking services without the need to go to any physical location or branch, which will provide a great advantage to customers in today's conditions.
In addition, it is anticipated that the competitive products and services offered by digital banks, which are expected to have lower operating costs than traditional banks, will make digital banks a centre of attraction.
Serious consequences are envisaged for the non-compliance with the Data Protection Law. Violation of the Data Protection Law may lead to administrative fines (Article 18 of the Data Protection Law) as well as the criminal sanctions (Article 135-140 of the Criminal Code), depending on the type and level of violation.
When the non-compliance of a legal entity results in an administrative sanction, the subject of the administrative penalty will be the legal entity itself, as the data controller. For criminal sanctions, unlike some other jurisdictions, legal entities in Turkey cannot be held criminally liable. In this regard, criminal liability would arise over the executive members of the data controllers. On the other hand, safety measures may be imposed on legal entities.
Non-compliance with certain obligations under the Data Protection Law would trigger the administrative sanctions (Article 18 of the Data Protection Law). Accordingly:
- administrative fines ranging from TRY 13,390 (approx. €850) to TRY 267,880 (approx. €17,000) shall be imposed on data controllers who violate the obligation to inform;
- administrative fines ranging from TRY 40,180 (approx. €2,500) to TRY 2.7 million (approx. €171,700) shall be imposed on data controllers who violate the obligations regarding data security;
- administrative fines ranging from TRY 66,695 (approx. €4,275) to TRY 2.7 million (approx. €171,700) shall be imposed on data controllers who do not comply with the KVKK's decisions; and
- administrative fines ranging from TRY 53,570 (approx. €3,440) to TRY 2.7 million (approx. €171,720) shall be imposed on data controllers who violate the registration obligation to VERBİS.
Under the Criminal Code:
- unlawful recording of the personal data will lead to imprisonment from one year up to three years. If the personal data unlawfully recorded is related to race, ethnic origin, political and philosophical views, sexual life, health, or membership of a trade union, then such sanction can be increased to four to five years;
- illegal obtaining, transfer, and dissemination will lead to imprisonment from two years up to four years; and
- failing to destroy personal data after the statutory time periods will lead to imprisonment from one year up to two years.
In addition to the above, financial regulations envisage administrative and criminal sanctions in cases of non-compliance with the aforementioned sector-specific requirements.
Sanctions under financial sector laws
Non-compliance with the banking secrecy provisions of the Banking Law may lead to imprisonment from one year up to three years, together with a judicial fine of 1,000 to 2,000 days. If customer secrets are disclosed for the benefit of someone, including the offender, the sanction may be increased by one sixth and, taking into account the importance of the offence, the responsible natural persons may be banned from working in the sector for a minimum of two years.
As per the AML Law, MASAK may impose administrative fines if obliged parties fail to comply with the requirements regarding reporting and ID verification. Additionally, non-compliance with the confidentiality obligations may result in imprisonment of the responsible real persons from one year to three years, together with a judicial fine, while the responsible obliged legal entity may also be subject to safety measures.
According to the Capital Market Law, in case of violation of capital markets legislation, the CMB is entitled to directly restrict the scope of the activities of the institutions under its supervision, to suspend activities temporarily, to cancel licences fully or with regard to certain capital market activities, and to take all other measures deemed necessary. Moreover, the CMB is also entitled to impose an administrative fine on violating parties of TRY 69,780 (approx. €4,450) to TRY 872,280 (approx. €55,800).
According to the Payment Services Law, executives or employees of payment service providers may be subject to imprisonment up to three years, in addition to judicial fines in cases of non-compliance with obligations regarding the retention of information, data protection, allowing the audit and monitoring of the TCMB, and disclosure of customer secrets. Moreover, the TCMB is authorised to cancel the licence of the payment service providers if they fail to inform the TCMB of situations compromising the validity of information and documents requested by the TCMB.
The executives, employees, and agents of insurance companies who violate the confidentiality obligation envisaged under the Insurance Law may be subject to imprisonment from one year to three years, together with a judicial fine. If confidential information is disclosed for the benefit of the offender or a third party, the imprisonment may be increased to up to five years and, taking into account the gravity of the offence, the responsible persons may be permanently banned from working in the industry.
11. Additional Areas of Interest
There is no financial-sector-specific regulation for the processing of personal data for marketing purposes. However, the general provisions of the Data Protection Law also apply to the marketing and promotional activities of financial institutions.
Moreover, electronic communications sent by financial institutions for loyalty and marketing purposes are subject to the Law on Electronic Commerce No. 6563 (only available in Turkish). Financial institutions are required to obtain the prior explicit consent of the recipient customers before sending electronic communications of a marketing nature. In Decision 2019/331, the KVKK sanctioned an insurance company for electronically contacting a data subject without his/her consent, even though the data subject's contact details had been published online for professional purposes. The KVKK held that the purpose for which the insurance company processed the data was not compatible with the purpose for which the data subject had published it and, therefore, deemed the processing unlawful.
To ensure a balance between customers and financial institutions and to afford adequate protection to customers, the Law on Consumer Protection No. 6502 (only available in Turkish) imposes information obligations on financial institutions. Information regarding the conditions of a credit must be provided to the customer before the credit agreement is concluded. The information obligation also applies to distance contracts relating to financial services: financial institutions must inform consumers, via appropriate communication tools, before the contract is concluded.
Burcu Tuzcu Ersin, Partner
Moroğlu Arseven, Istanbul