Turkish DPA’s Guidelines on Data Protection in the Banking Sector

Recent Developments 

On 5 August 2022, the Turkish Personal Data Protection Authority (DPA) published the Guidelines on Protection of Personal Data in the Banking Sector (“Guidelines“). The Guidelines provide detailed explanations on data processing activities and give examples of good practices in the banking sector. The Guidelines are available online here (in Turkish).

What do the Guidelines say?

The Guidelines mainly cover the following areas:

• Data controller/data processor: The Guidelines initially evaluate the status of the banks as data controllers and data processors. In general, banks are considered data controllers in terms of their activities pursuant to Article 4 of the Banking Law. However, the status of banks must be evaluated on a case-by-case basis when determining whether they qualify as a data controller or data processor in terms of their agency; investment products; insurance, private pension, etc.; and operations. The Guidelines also indicate that banks can be joint controllers.
• Data processing agreements: The Guidelines provide guidance on the items that should be included in the data processing agreements to be executed between data controllers and data processors. The Guidelines cover the data processing agreements of banks with support service providers and affiliates, open banking operations and activities where banks operate as agents.
• Legal grounds for data processing: The Guidelines explain the legal grounds for processing data within the scope of banking activities by giving different examples on the matter. For example, data processing activities such as disclosure of information by banks in audits as part of the identification requirement, making inquiries into the criminal record of the data subjects during a checkbook request (to the extent these activities are based on a legal obligation), conducting risk analysis in loan applications, and sharing personal data with authorized institutions and organizations are not subject to explicit consent. However, in terms of data processing activities that are subject to explicit consent, the Guidelines provide examples of good practices applicable to each channel (branch, ATM, mobile banking, etc.) for obtaining explicit consent.

• Relationship between confidentiality obligation and Law No. 6698 on Protection of Personal Data (LPPD): Disclosure of data, as an exception to the confidentiality obligation, can be carried out without the explicit consent of the data subject. The Guidelines state that the Banking Law is a special norm compared to the LPPD in banking operations. Thus, the provisions of the LPPD will not be applicable during the disclosure of data as per Article 73 of the Banking Law due to the general norm-special norm relationship.
• Evaluation of legitimate interest as a legal ground: The Guidelines indicate that the balance test should be applied for each case in order to rely on the legal ground of legitimate interest. On the other hand, the Guidelines give examples of cases in which banks can rely on legitimate interest as a legal ground: processing location; device and money transfer information for the detection of unusual behavior within the scope of fraud measures; the processing of data for information security; customer segmentation; the identification of products and services that appeal to customers and to carry out strategy activities and ensure customer satisfaction. For example, the Guidelines set forth that the legitimate interest legal ground can be used to present special offers to public sector employees by using data regarding the profession of an individual. The Guidelines further indicate that artificial intelligence and automatic decision-making mechanisms can be used within the scope of strategy operations and methods such as anonymization should be used to minimize interference with individuals’ fundamental rights and freedoms.

• Processing of sensitive personal data: The Guidelines state that banks must verify identity within the scope of their legal obligations, and banks may also process sensitive personal data during identification when obtaining a copy of an identity document.

• Receipt of identity documents: When a copy of the identity document is obtained; (i) the relevant parts should be blacked out to avoid processing sensitive data; (ii) only the front of the ID should be used; or in any case, (iii) if sensitive data is processed, the explicit consent of the data subject must be obtained.
• Processing of health data: As an example of good practice in the processing of health data by banks, the Guidelines indicate that the health data should be processed based on explicit consent and should not be processed in the absence of explicit consent.
• Inquiry into criminal record records: The Guidelines provide that explicit consent is not required in cases of an inquiry into criminal records in order to determine if there is a ban on checks, since such processing is based on a legal obligation. However, in cases where such data is used for another purpose, the conditions in Article 6 of the LPPD must be met.
• Processing of biometric data: The Guidelines indicate that banks can also perform biometric data processing activities in remote identification processes and these activities are subject to explicit consent pursuant to Article 6 of the Regulation on Remote Identification Methods to be Used by Banks and the Establishment of a Contract Relationship in the Electronic Environment.

• Transfer of personal data: The Guidelines set forth that competent authorities may request information and documents from banks in cases stipulated by the law and in such cases, the information that must be disclosed is limited to the request of the competent authority as per Article 73 of the Banking Law. Therefore, banks can transfer data to the competent authorities provided that it is limited to the answers to information requests. Furthermore, the Guidelines indicate that it is possible to transfer data in accordance with Article 73 of the Banking Law and the exceptions thereunder.
• Cross-border transfer of personal data abroad: In terms of data transfers in accordance with Article 73 of the Banking Law, the provisions of the Banking Law are applicable and the cross-border transfer of data without the request or instruction of the client will not be possible. Accordingly, the explicit consent of the customers would not be sufficient to transfer a client’s personal data abroad. Nevertheless, such transfers must still comply with the other provisions of the LPPD, such as the notice requirement or general principles of processing.
• Obligations of data controllers:

• Notice requirement: As data controllers, banks must fulfill their notice requirement. Accordingly, the Guidelines divide the notice requirement into three parts: (i) client gain/account opening, (ii) loan and (iii) investment transactions. Separate privacy policies should be presented for each processing activity. In addition, personal data should be presented on a categorical basis by matching it with its processing purposes and legal grounds. The Guidelines further include sample privacy policies for each channel
• Preparation of a data processing inventory and data retention and destruction policy: Banks are responsible for preparing a data processing inventory and keeping it up to date. Within the scope of these obligations, the Guideline includes guidance for banks by referring to the items of legislation concerning the retention periods of data. In addition, the Guidelines provide a chart regarding destruction methods.
• Obligations to ensure data security: Banks must comply with both the data security obligations listed in the banking legislation and the data security obligations under the LPPD. The Guidelines explain in detail the data security obligations of banks by referring to each item of legislation.

Conclusion

In the Guidelines, the DPA discusses data processing activities within the scope of banking operations in detail and provides important guidance for implementing the obligations. The Guidelines clarified the relationship between Article 73 of the Banking Law and LPPD. Accordingly, for the transfer of client information under Article 73, the provisions of Banking Law will take priority. Banks should review the Guidelines and take action in accordance with the guidance.