The Banking Law No. 5411 (“Banking Law”) was amended, altering banks’ data privacy practices (“Amendments”). The Amendments were published in the Official Gazette on February 25, 2020 and entered into force on the same date.
- Article 73 of the Banking Law introduces the concept of “customer secret”. A customer secret is defined as information collected in relation to a real or legal person’s banking activities after the bank-customer relationship is established. In that regard, “customer secret” has a different definition than “personal data,” which is defined in the Personal Data Protection Law No. 6698 (“Data Protection Law”). While personal data belongs only to a real person, and data qualifies as personal only if it identifies a real person on its own or when matched with other data, a customer secret includes all of the information related to the banking activities of a real person or legal person customer.
- Per Article 73, customer secrets may not be disclosed or transferred to any third party located in Turkey or abroad without a request or instruction from the customer, even if the explicit consent of the customer is collected in line with the Data Protection Law. The only exemptions to this rule are the mandatory legal provisions in other laws and information that must be disclosed to certain ministries listed in Article 73.
- Further, the Board of the Banking Regulatory and Supervisory Authority (“Board”) is authorized to prohibit the transfer of customer secrets or bank secrets to third parties abroad after it assesses the customer secret’s economic security, and may render a decision ordering banks to retain their information systems and their back-ups in Turkey.
- Disclosures and transfers of customer and banking secrets, including disclosures and transfers made based on the exemptions provided in the Article, must be limited to the specified purposes and must be proportionate.
- The Board is authorized to determine the scope, method, principles and procedures related to the disclosures and transfers of customer secrets and introduce limitations related to these.
The Amendments subject banks to a different data protection regime, one that is stricter than the regime foreseen in the Data Protection Law. Considering that (i) the definition of customer secret has a wide scope, (ii) banks process vast amounts of information and (iii) most banks work with local and foreign third-party service providers, the additional requirements on the transfer of customer secrets to local or foreign service providers might require banks to undertake additional work. How the banks will implement these changes is unclear at this stage. Banks and their service providers should carefully re-review their data protection and privacy practices, adapt their systems to the new consent mechanism, and monitor any upcoming secondary legislation.