Legal AlertThe Guideline Regarding Good Practices on Protection of Personal Data in the Banking Sector Has Been Published by the Personal Data Protection Authority.

23 August 2022
The Guideline Regarding Good Practices on Protection of Personal Data in the Banking Sector (“Guideline”) has been published on 05.08.2022 by the Personal Data Protection Authority (“Authority”).
The purpose of the Guideline is to guide the data controller banks to carry out their personal data processing activities in accordance with the Personal Data Protection Law numbered 6698 (“Law”) and the secondary legislation issued by the Personal Data Protection Board, and to set good practice examples within this framework. The Guideline includes general explanations regarding the procedures and principles which banks must comply with for the personal data protection, and obligation of banks to comply with the Law and the relevant secondary legislation continues.

In the Guideline:

  • The following issues have been evaluated within the scope of data controller-data processor relations: (i) data processing agreement to be made between data controller and data processor, (ii) support services, (iii) affiliates and subsidiaries, (iv) open banking, (v) situations in which the banks act as agents.
  • The conditions for the processing of personal data as: explicit consent, being stipulated in the laws and fulfilment of a legal obligation, processing the personal data of parties of a contract, legitimate interests, being compulsory for the establishment, usage, or protection of a right evaluated within the scope of banking activities and examples of good practices specific to banking activities are included.
  • The processing of special categories of personal data in the banking sector has also been evaluated and measures to be taken have been included in this regard.
  • The transfer of personal data domestically and abroad within the scope of banking activities are evaluated.
  • The obligations of the data controller as: the obligation of the data controller to inform, to register with the data controllers’ registry and to prepare a data inventory has been reviewed. In addition, deletion, destruction, anonymization of personal data, data security, the rights of the data subject and the management of complaints has been evaluated.
In the Guideline, the Authority evaluated the protection of personal data within the scope of banking activities and included good practice examples for data controller banks. The Guideline constitutes an important resource for personal data processing activities of banks.

You may reach the full Turkish text of the Guideline via the link below.

https://kvkk.gov.tr/SharedFolderServer/CMSFiles/12236bad-8de1-4c94-aad6-bb93f53271fb.pdf