Personal Data Protection and Destruction Policy | DenizBank

1. Purpose of Data Protection, Retention and Destruction Policy

As part of its legal and social responsibility, DenizBank (“the Bank”) undertakes to comply with the national personal data protection, processing and destruction regulations within the scope of Personal Data Protection Law. This Personal Data Protection and Destruction Policy (“the Policy”), within the frame of the effective legislation and regulations, applies to the Bank and all the subsidiaries under its control and is based on the main principles which are recognized nationwide concerning personal data protection, processing and destruction. It ensures the protection of Personal data and carrying out the required data destruction efforts within the scope of Personal Data Protection Law and the related legislation lays the groundwork for establishing reliable business relationships and building reputation before the public and contains the framework conditions between the Bank and third parties, which are required for domestic and international personal data transfer which are included in the Annex-1.

2. Scope and Amendment of Data Protection, Retention and Destruction Policy

2.1 This Policy applies to the Bank and all of the subsidiaries under its control and is executed for the purpose of processing personal data.

2.2 This Policy applies to the real person customers of the Bank and the subsidiaries under its control and other real persons who do not have a particular framework agreement with the Bank and the subsidiaries under its control. “The Bank” terms in this Policy are inclusive of the Bank and the subsidiaries under its control.

2.3 Data such as anonymized data derived for statistical assessments or studies which cannot be defined and data on legal entities are not accepted as personal data and not subject to this Policy.

2.4 This Policy can be updated from time to time. Therefore, to access the most current version of the Policy, we kindly ask you visit www.denizbank.com on a regular basis.

3. Definitions



Law/KVKK

Personal Data Protection Law no. 6698

Regulation

Regulation on Deleting, Destroying or Anonymizing Personal Data

Board/Institution

Personal Data Protection Board/Personal Data Protection Institution

Bank

Denizbank A.Ş

Personal Data

Any kind of information on a real person who is or can be identified.

Relevant Person

Real person whose personal data is processed

Relevant User

Real or legal person processing the data within the data responsibility organization or in line with the authorizations and instructions given by the data officer, except for the persons or units responsible for technical storage, protection and back-up of data.

Express Consent

Consent disclosed on a particular subject, based on being informed and with free will.

Anonymization

Transforming personal data into something that cannot be associated with any identified or identifiable real person under any circumstances by matching with other data included.

Deleting Personal Data

Making personal data inaccessible and non-reusable again under any circumstances for the Relevant Users

Destroying Personal Data

Act of making personal data inaccessible, non-restorable and non-reusable by anyone in any way

Processing Personal Data

Any kind of act that takes place on personal data data such as obtaining, recording, storing, maintaining, changing, rearranging, disclosing, transferring, transferring, making it obtainable, classifying or preventing from being used through fully or partially automatic  or non-automatic manners as long as it is a part of an data recording system.

Data Masking

Processes such as deleting, crossing out, scoring out or replacing with asterisks certain parts of data so that they cannot be associated with a real person whose identity is know or can be determined.

Blacking Out

Processes such as crossing out, scoring out or replacing with asterisks certain parts of data so that they cannot be associated with a real person whose identity is known or can be determined.

Data Processor

Real person or legal entity processing personal data on behalf of the data officer based on the authority granted by the data officer.

Information Security and Information Technologies Risk Management Group SVP

The person who creates data protection strategies in the name of Denizbank A.Ş., conducts audit operations required for fulfillment of the obligations under laws and regulations, and acts as the contact person of the Bank before the Personal Data Protection Institution.

Data Officer

Real person or legal entity determining the purposes and means of processing personal data, that is responsible for setting up and managing data recording system.

Private Personal Data

Data of persons concerning their race, ethnicity, political belief, philosophical belief, religion, sect or other beliefs, costume, foundation, association or union affiliation, health status, sexual life, conviction and security measures as well as biometric and genetic data.

Disclosure Obligation

During obtaining personal data, data officer or a person authorized by data officer is obliged to inform the relevant persons about the following;

  • identity of the data officer or if any, representative,
  • for which purpose personal data shall be processed,
  • to whom and for what purpose the processed personal data can be transferred,
  • method and legal cause of collecting personal data,
  • other rights listed in the article 11 of the Law.

Data Officers Registration Information System (VERBİS)

Information system that will be used by data officers while applying to Registration and for other actions regarding Registration, that is accessible online, created and managed by the Office

https://verbis.kvkk.gov.tr/

Data Recording System

Recording system in which personal data is restructured and processed based on certain criteria.

Personal Data Processing Inventory

Inventory in which data officers explain and detail the personal data processing activities which they realize based on their business processes; by associating with the purposes of personal data processing, data category, the recipient group of transfer and the group of person subject to data and the maximum period required for purposes of processing personal data, personal data proposed for transfer to foreign countries and measures taken concerning data security.

Policy

Personal Data Retention and Destruction Policy

Pusula

Customer Information Platform where customer data is kept

DMS

Document Management System (Customer Document Platform where customer documents reside)

Destruction

Deleting, destroying or anonymizing personal data

Recording medium

Any kind of medium where personal data resides processed through fully or partially automatic or non-automatic manners as long as it is a part any data record system.

4. Application of National Laws

This Policy covers both national laws and internationally-recognized personal data processing and data confidentiality principles. The national data processing and data confidentiality laws prevail whereas in case this Policy and internationally-recognized personal data processing and data confidentiality laws conflict, the related national law shall prevail.

5. Recording Media

Personal data is retained safely in line with the laws on media listed below by the Bank.



Electronic Media

Servers (domain, backup, email, database, web, file sharing, etc.), Software (office software, portal), Information security devices (firewall, intrusion detection and prevention, daily record file, antivirus, etc.)  Video Record and Audio Record, Personal computers (desktop, laptop)

Mobile devices (telephone tablet etc) Optic discs (CD, DVD etc) Removable memories (USB, Memory card etc), Printer, scanner, photocopier

Non-electronic Media

Paper, Manual data recording systems (survey forms, visitor entry log), Printed, visual media

6. Principles Concerning Processing Personal Data

6.1 Compliance with Law and rules of honesty: While processing personal data, the individual rights of data owners shall be protected. Personal data shall be collected and processed in a legal and fair manner.

6.2 Getting processed for certain, clear and legitimate purposes and being limited to and measurable and connected with the purpose of processing Personal data can only be processed to serve a purpose determined before collecting data.

6.3 Transparency: The relevant person shall be informed about how his/her data are being used. While obtaining Personal Data, the data owner shall be aware of or informed about the following:

  • identity of the data officer or if any, representative,                                                                                            
  • Purpose of processing personal data;                                                                                                                                     
  • to whom and for what purposes the Personal Data can be transferred;                                                                                  
  • method and legal cause of collecting personal data,                                                            
  • Rights of the relevant person

6.4 Retention for a period of time stipulated in the related legislation or required for the purpose of processing As long as deemed necessary for the purpose and interests of processing personal data, obligated by the regulators and/or related laws and regulations, the Bank and subsidiaries under its control shall continue to keep processing and maintaining personal data in line with the purposes set out by this Policy (including communicating data to third parties as stated in the Annex no.1 of this Policy or taking out data from them).

6.5 Accuracy of Information; Up-to-date Nature of Data: The processed personal data shall be accurate, complete and kept current if necessary. Appropriate steps shall be taken to delete, correct, complete or update inaccurate or missing data.

6.6 Confidentiality and data security: Personal data is subject to data confidentiality. Data shall be treated as confidential on a personal level and technical and administrative measures shall be taken to prevent accidental loss, change or destruction as well as illegal processing or distribution and ensure level of security for the purpose of ensuring the retention of Personal Data.

7. Scope of Data Processing

7.1 Throughout the period Bank’s services are used and after the contractual relationship is terminated, the Bank shall have the right to process the information of the relevant person including personal data on the condition of complying with the purposes set forth in the article 8 of this Policy.

7.2 Personal data processing by the Bank covers any kind of action undertaken for data using automatic, semiautomatic or non-automatic manners without any restraint. In other words, personal data processing refers to obtaining, collecting data from the data owner mentioned in the Annex no .1 of this Policy or a third party, recording, taking a photo of, obtaining an audio record, video record, organizing, storing, changing, restoring, taking back or disclosing, acquiring through fully or partially automatic or non-automatic manners given that it is a part of any recording system, recording, storying, maintaining, changing, rearranging, disclosing, transferring, transferring abroad, taking over, making it obtainable, classifying or preventing from being used (on the condition of respecting the purposes set forth in this Policy, including those who will process the data later on, transferring and/or explaining to third parties stated in the annex no 1. of this Policy)  for the purpose of transferring, disseminating or presenting through different manners, grouping or merging, blocking, deleting or destroying.

7.3 The Bank and/or third parties set forth in the annex no 1 of this Policy process the data of third parties determined by the Relevant Person or third parties determined by the Relevant person. Data processing also includes but not is limited to data processing by third parties upon the instructions of the Bank and/or when the Bank is the data processor in favor of a third party (data officer) acting upon his/her instructions.

In line with the purposes set out by this Policy, processing and/or transferring or explaining any kind of information to third parties stated in the annex no 1 of this Policy on a real person who is or can be identified including but not limited to personal data below

a) Full name of the related person;

b) Personal ID number and/or unique feature in his/her electronic ID card;   

c) Registered address and/or address of residence

d) Telephone/mobile phone number;

e) Email address;

f)  Credit history (loans and payment details along with the negative, positive, current debts and/or repaid debts included) and solvency status (solvency score, criteria and/or methodology of the relevant person);

g) Movables and immovables in the property of the relevant person and their features.

h) Data on the employer as well as information on the employment conditions (workplace, fee, work hours etc.)           

i) Balances of the related accounts for a certain point and period of time and transactions made on these accounts for a certain period including but not limited to the bank account (accounts) of the relevant person in the Bank and in other banks operating in Turkey..                                                          

j) Balances of the related accounts for a certain point and period of time and transactions made on these accounts for a certain period including but not limited to the cards issued by the bank and/or other banks operating in Turkey and the relevant card owners, also the access codes of the related cards;

k) Data on data owner account/subscription recorded by various payment providers. What is included but not limited to these information are the account/subscription number, address, balances and/or accrued debt of the subscription accounts at a certain time and place, transactions made through subscription account and/or top-up account and(or debt payment etc.

l) Using various electronic channels and/or internet (including but not limited to web coolies) and the above-mentioned channels, , the activities of the Relevant person and/or third parties determined by the relevant person (including but not limited to verifying these channels, acts conducted or transaction history)

m) Data on family members, relatives and other persons residing in the address of residence of the relevant person;

n) any other data on the Customer making sure that the data owner is detected and/or characterized and/or grouped by physical, physiological, psychological, economic, cultural and social aspects or using the activities regarding the above-mentioned or listed action.

In the event that the above-mentioned personal data is anonymized, it shall not be included into the scope of personal data.

7.4 If the Relevant person provides information (additional card holder, surety, family members, employer etc.) to the Bank about third parties to benefit from the banking services (including but not limited to personal data, solvency, asset status etc)  and the Bank processes these data including personal data for the purposes of banking,the Relevant person  shall be personally responsible for obtaining a consent from the relevant third parties about the processing of the related personal data by the Bank. If the Relevant person provides the said information to the Bank (or its authorized personnel), the Relevant person is assumed to have obtained the required consent and the obligation of the Bank to obtain this consent itself is thus eliminated. In case the Relevant Person fails to comply with the obligation of obtaining the consent of third parties or fully fulfill this obligation, s/he will be personally liable for any kind of loss the Bank may suffer. The Relevant person consents and agrees to compensate and protect the Bank against any kind of loss the Bank may suffer (including but not limited to losses arising out of consequential damages, complaint, expenses (including but not limited to expenses the Bank shall suffer due to exercising its legal rights), all the legal processes and other obligations due to the consequences of such a violation that the Relevant person may commit.

7.5 The processing of the information of the relevant Person by the Bank using various electronic channels (including but not limited to web browser, the Bank’s website, online banking, mobile banking, the Bank’s mobile applications, payment devices, ATMs and/or other technical methods and channels used to transfer and receive data) also covers recording and processing the activities of the Relevant Person(e.g.: determining the location of the data owner using electronic channels, defining and analysing input data, product selection frequency and/or other statistical data)

8. Basics of Data Processing

8.1 The relevant person hereby agrees that throughout the utilization of Bank’s services and even if the contractual relationship comes to an end, it is necessary for the Bank to process the information about the Relevant Person and third parties determined by the Relevant Person:

a) providing and/or exercising a service for the relevant person,

b) data processing being obligatory for the purposes of protecting the legal interests of the Bank and/or third parties and/or exercising or protecting the legitimate interests of data officer;

c) fulfilling the Bank’s obligations under legislation;

d) on the condition that it is directly related with establishing or executing an agreement between the relevant person and the Bank, personal data processing on the relevant person being necessary,

e) data processing being obligatory to establish, exercise or protect a right,

f) other issues consented by the relevant person,

g) other issues explicitly set forth in the legislation.

8.2 the Letter of Consent provided by, the Relevant person shall mean that the Relevant person agrees to the Policy and its provisions.

9. Purpose of Data Processing

9.1 The Bank and/or third parties set forth in the annex no 1 of this Policy may process the personal data of the Relevant person or the third parties set forth by the Relevant Person for various purposes:

  • Carrying out banking services duly and properly;
  • Use of FastPay electronic wallet which represents a joint service of the Bank and FastPay FastPay electronic wallet allows customers of the Bank or Fastpay to have an electronic wallet, pay with this wallet, get paid and/or make various transactions permissible under the law and/or terms and conditions of products. These transactions include, but are not limited to, use of FastPay wallet account (and/or phone number and/or e-mail address or password) for identification purposes on websites and merchants allowed for FastPay authorization.
  • Issues where the information is processed for information retention, reporting, informing and providing information set forth by the audit companies, the related proxy, regulatory and auditing authorities such as BRSA, MASAK, TBB, GİB, Treasury Undersecretariat as decreed by the legislation;
  • Carrying out statistics, information researches, surveys and credibility assessments, providing statistics, archiving, custody services, customer satisfaction studies,
  • Optimizing and developing banking services while the Bank analyzes the data regarding the credit history, statistical data of the Relevant person;;
  • Preparing and delivering various reports, researches and/pr presentations;
  • When it is necessary to control the credit and/or transaction history and/or behavior models of the relevant person, when proposing a new and/or additional loan or non-loan product or changing the current conditions;
  • Along with providing security; detecting and/or preventing abuse, money laundering or other criminal activities;
  • Covering the complaints, questions and requests of the relevant person;
  • Verifying the identity information of the relevant person;
  • Providing property and security,
  • Providing banking, insurance, investment and finance products-related services and carrying out, executing and improving transactions related to such services including those that can be rendered in the capacity of an agency.
  • Carrying out promotion, marketing and campaign activities for the said services and products,
  • Fulfilling the requirements of the agreements entered into with the customer,
  • Providing better and more reliable service for the customer, developing more suited services and products and ensuring their continuity without any interruption,
  • Fulfilling other purposes set forth in the related legislation.

10. Processing the Data of Application Holders or Their Employees

10.1 Processing personal data for the purpose of entering into, executing, maintaining and terminating a service agreement: For the purposes of undertaking human resources and training processes such as fulfilling personal rights arising out of the service agreement and maintaining them without interruption, fulfilling any kind of insurance service including health insurance, individual accident insurance, international health insurance, life insurance, individual pension services, occupation health and security service, work permit processes, assessing personal job applications, maintaining intelligence, research and other recruitment processes, performance assessments and follow-up, providing training activities, health services, improving work conditions, carrying out personal development processes, the Bank has the right to process personal information disclosed due to starting employment and/or internship of the relevant person.

10.2 If it is needed to collect information about the owner of application from the third parties during the application process, Personal Data Protection Law no. 6698 shall be observed.

10.3 A legal authorization shall be made to process personal data that is related with the business relationship, however, not an immediate part of the employment agreement. Among them are the following: a) legal obligations, b) consent of the owner of the application  (through electronic and non-electronic means) or c) legitimate interest of the Bank or a third party d) purposes laid out in the clause no 6 and 7

11. Processing Private Personal Data

Private Personal data refers to data regarding race and ethnicity, political beliefs, religious or philosophical beliefs, sect and other beliefs, foundation or association affiliation, health and sexual life, conviction and security measures and biometric and genetic data. Private Personal Data can be processed upon express consent of the applicant (Relevant Person) or in limited situations listed in the law. 

12. Obligation of the Data Officer and Processor

12.1 As per the provisions of this Policy; the Bank may act on behalf of data officer including third parties set out in the annex no.1 of this Policy as data officer while processing some personal data or relevant third parties may be data processors for some personal data types for which s/he is the data officer. Accordingly, any one of the parties to such a relationship (data officer and its subcontractor as well as data processor) has to fully comply with data protection legislation in place and strictly abide by the provisions listed below.

a) Personal data shall be processed in line with the principles laid out in the legislation. The relevant person shall obtain the consent and provide necessary information.

b) Processing data communicated to one of the parties from the other shall take place without any restriction to fulfill the purposes stated in the clauses 7 and/or 8 of this Policy.

c) Depending on the specificity of the process, if one of the parties represent the data processor and the other -- data officer, the data processor is obliged to do the following:

  • processing data communicated/disclosed by one of the parties by complying with the scope and extent defined by the provisions of this Policy and allowed by the legislation; or upon the request of a regulator,
  • applying every necessary action and informing the data officer about every measure that is taken within this scope in order to prevent unauthorized process, loss, destruction, damage, unauthorized change or disclosure of data communicated/disclosed by Data officer,
  • The Bank may audit measures and practices applied by the data processor for the purpose of data security through its authorized personnel.
  • In case the below-mentioned takes place, data officer notifying the data owner as soon as possible and within thirty days the latest:
    • The relevant person making a request about his/her own personal data;
    • Data officer communicating a complaint or declaration regarding compliance with the obligation imposed by the legislation;
  • Data Processor cooperating with the Bank and supporting the Bank about assessing a complaint or declaration communicated/disclosed by the Bank including the below:
  • Providing the detailed information on the complaint and declaration communicated/disclosed by the Bank to the data processor including data on the Relevant Person within 5 business days including the request date to the Bank;
  • Within the above-mentioned period of time, providing the data available to the data processor to the access of the Bank (including electronic data);
  • Providing related information to the Bank within the above-mentioned period of time;
  • Data Processor preventing data processing (transfer) to a country and/or international institution which is not a part of European Economic Area and not in the list of countries at a sufficient level for personal data protection or not allowed by the Relevant Person or Personal Data Protection Institution.
  • Without the prior written consent of the Bank; not transferring/disclosing data to third parties. Even in cases which the Bank has prior written consent; the data processor is obliged to transfer/disclose the data as per a written agreement. The third party and its subcontractors under the said written agreement are obliged to take any kind of technical and organizational measures to prevent unauthorized processing, loss, damage, unauthorized change or disclosure of data.
  • Compensating any kind of loss that the Bank may suffer as the Data processor fails to take the necessary actions or fulfill them fully (as per the Policy and legislation). The Data processor hereby consents and agrees to compensate and  protect the Bank against any kind of loss the Bank may suffer (including but not limited to losses arising out of consequential damages, complaint, expenses (including but not limited to expenses the Bank shall suffer due to exercising its legal rights), all the legal processes and other obligations due to the consequences of such a violation that the Data processor may commit.
  • Unless otherwise stated in the agreement between the Bank and data processor, the data processor is obliged to do the following after the contractual relationship between the Bank and data processor comes to an end:

Before the agreement comes to an end, returning any kind of data transferred/disclosed by the Bank (including personal data). Returning the relevant data in the same form when they are obtained from the bank and stopping the data processing immediately, and/or taking any kind of security measures to prevent the unauthorized access of third parties to data, destroying personal data transferred/disclosed by the Bank and notifying the Bank to confirm that this action has been taken;

13. Information Transfer/Share with/from Third Party(Parties)

Within the scope of data processing as per the purposes of Bank providing a service to the relevant person as required and data processing in line with the clauses no. 7 and 8, the relevant data data shall be transferred to/shared with the Relevant person and/or third parties pointed by the Relevant person with/from third parties set forth in the annex no:1 of this Policy. In line with these purposes; the relevant person grants the Bank the rights to  acquire, record, store, maintain, change, rearrange, disclose, transfer, transfer abroad, take over, make obtainable, classify, or prevent from being used his/her personal data through both the Head Office units and branches, ATMs, kiosks, online branches, call centers, public institutions and organizations and parties from which the Bank receive services as complementary to or an extension of its activities, public institutions, contracted institutions and support service institutions using fully or partially automatic or non-automatic as long as it is a part of any recording system.

14. Remote Marketing

14.1 The relevant person hereby grants the right to the Bank to send him/her a commercial electronic message including SMS, voice and/or any other marketing messages (direct marketing) through his/her phone number, email address and other contact information in the records of the Bank within the scope of the Law on Regulation of Electronic Commerce no. 6563 until the Relevant Person exercises his/her right to reject. The Bank may continue to exercise this right as long as no objection comes from the Relevant person in a written and/or electronic format laid out by a contract between the parties and/or in a legislation.

14.2 The Relevant Person hereby grants the Bank the right to share his/her own data or confidential information with the Bank’s affiliates and main shareholders to make various marketing offers. The relevant person has the right to demand an end to direct marketing from the affiliates or main shareholder of the Bank.

14.3 To be specific to this paragraph, the commercial/information messages in the service points of the Bank (e.g: commercial brochure, promoting images, verbal offers etc) or the contents displayed during the use of electronic channels of the Bank (or an affiliate of the Bank) such as ATM, online banking, mobile banking shall not be qualified as direct marketing whereas the data owner shall not have the right to demand an end to the display/delivery of these contents.

15. Video Record and Audio Record

15.1 For the purpose of security and protection of property and confidentiality and control of the service quality, staying in line with the provisions of the Personal Data Protection Law no. 6698, video and audio record are made around and at the entries of the building and workplaces. Besides, video records are taken during use of ATMs and other electronic devices and voice records are taken during phone contacts with the Bank.

15.2 The relevant person shall be informed that video and audio surveillance are made using the suitable tools at the related points of service of the Bank and while contacting the Bank. The relevant person agrees to the importance of the video and audio record and gives his/her consent to the Bank to process his/her data in this sense.

16. Copyright

16.1 The relevant person agrees that the data related with himself/herself and published on the Bank’s website, online banking, mobile banking applications and other electronic media (printed, visual and/or auditory) are counted as the property of the Bank and the Bank shall have the copyright over these type of data which are not classified as his/her personal data as of the moment the said data are published.

17. Personal Data Destruction Process

Personal data processed by DenizBank are destroyed at the end of the period stipulated in the relevant regulations or at the end of the retention period required for the processing purpose on an ex officio basis or upon application of the relevant person in line with periodical data destruction periods and through specified data destruction methods (deleting and/or destroying and/or anonymizing). Unless otherwise decided by the Institution, the Bank chooses the suitable method out of deleting, destroying or anonymizing the personal method.

Anonymizing Personal Data

Anonymizing personal data means transforming them into something that cannot be associated with any identified or identifiable real person under any circumstances even if matched with other data included.

In order for personal data to be anonymized, they must be rendered unrelated to an identified or identifiable natural person, even by using appropriate techniques for the recording environment and related field of activity, such as the return of data by the data controller or third parties and/or matching the data with other data.

Deleting Personal Data

The personal data whose required storage time on the servers is completed are deleted by the system administrator by canceling access privileges of users.

The personal data whose required storage time in electronic media is completed are made inaccessible and unusable for other employees (related users) except for the database administrator.

The personal data whose required storage time in physical media is completed are made inaccessible and unusable for other employees except for the department manager responsible for the document archiving. In addition, blackout process is applied by crossing out/ scoring out/ deleting in an unreadable manner.

The personal data whose required storage time in flash-based storage media is completed are stored in secure environments with encryption keys by encrypting them by the system administrator and granting access only to the system administrator.

Destroying Personal Data

The personal data whose required storage time in paper media is completed are irreversibly destroyed in paper shredders.

The personal data whose required storage time in optical or magnetic media is completed are subjected to physical destruction such as melting, burning or powdering. In addition, the magnetic media is passed through a special device and exposed to a high value magnetic area, making the data on it unreadable.

Legal and Technical Reasons for Destruction

  • Requirement due to amendment or modification of the relevant legislative provisions, which constitute the basis for the processing or storage of personal data,
  • Disappearance of the purpose that requires processing or storage of personal data,
  • Disappearance of conditions that require processing of personal data in Articles 5 and 6 of the Law,
  • Relevant person's withdrawal of consent in cases where the processing of personal data occurs only on the basis of explicit consent,
  • Data officer’s acceptance of the relevant person’s application for deletion, destruction or anonymization of their personal data within the framework of their rights in the Article 11 of the Law,
  • In cases where the data officer rejects the application made by the relevant person for deletion, destruction or anonymization of their personal data, their response is deemed insufficient or they do not respond within the period stipulated in the Law; making complaint to the Board and approval of this request by the Board,
  • Absence of any condition to justify storing personal data for a longer period of time although the maximum time for which personal data is stored is up.

Destruction Times

The destruction of personal data stored in accordance with the retention periods stipulated in the Personal Data Protection Law and other legislation is carried out by Denizbank through deletion, destruction or anonymization processes.

- Retention periods based on personal data regarding all personal data within the scope of activities carried out are available in Denizbank Personal Data Processing Inventory;

- Retention periods based on data categories are included in the registration to VERBİS.

16.6 Upon detecting the retention and destruction periods of personal data, an action is taken by using the below-mentioned criteria.

Identifying in which scope data retention can be considered based on the exception(s) stipulated in the articles 5 and 6 of the law which set the processing conditions for Personal Data and Private Personal Data. Identifying the reasonable periods during which data shall be retained within the framework of the identified exceptions. If a period of time is stipulated in the legislation regarding the retention of the said personal data, such period is observed.

Concerning the retention of the said personal data, if the period stipulated in the legislation is completed or no such period is stipulated in the legislation regarding the retention of data, data are deleted, destroyed or anonymized by the data officer at 6-month intervals.

The Bank is using its services and after this period the Bank shall continue to process the information stated herein in line with the purpose and interests of the Bank, upon the demands of the auditors/regulators and/or throughout a period of time that is consistent with the legislation.

• Processing of data transferred from the relevant person to the Bank during the use of electronic channels (web browser, website of the Bank, online banking, mobile banking, mobile applications and/or other electronic data transfer tools) may also continue after the data of the relevant person is deleted from the relevant electronic channels. These type of data shall continue to be retained as per the purposes and interests of the Bank, upon the demands of the auditors/regulators and/or throughout a period of time that is consistent with the legislation.

• While deleting, destroying and anonymizing personal data, principles listed in the article 4 titled “General Principles” of the Law and measures that shall be taken within the scope of the article 12 titled “obligations concerning the data security”, the related legislation provisions, the Bank’s decisions and this Policy are taken into consideration.

• All actions related with deleting, destroying, anonymizing the personal data are taken under record by the Bank and the said records are retained for a minimum period of 3 years except for the other legal obligations.

• The Bank determined the regular destruction period as six months as per the article 11 of the Regulation. Accordingly, the Bank conducts periodic destructions every year.

18. Rights of the relevant person

The related person has the following rights.

a) find out if the personal data has been processed or not,

b) if yes, request information in this respect,

c) find out about the purpose of the personal data being processed or whether they are used in a way that fits the purpose,

ç) know the third parties to which the personal data is transferred in or outside of the country,

d) if the personal data is processed inaccurately or incompletely, ask for its correction,

e)  ask for the erasure or destruction of the personal data in the frame of the conditions set in the article 7 of the Law,

f) ask for notifying the third parties to which your personal data is transferred as per the above-mentioned paragraphs (d) and (e) of the transactions made,

g) in case the analysis of the personal data through automatic systems exclusively produces a result against you, object to this result,

ğ) in case you incur a loss because your personal data has been processed illegally, ask for the compensation of your loss.

19. Confidentiality of Data Processing

19.1 Personal data is subject to data security. Any one employee of the affiliates of the Bank is prohibited to access, process or use these data in an unauthorized manner. Any one employee not authorized within the legitimate duty of the affiliates of the Bank means unauthorized action. Employees of subsidiaries and/or affiliates of the Bank may only access the personal information within the framework of the type and scope of the said duties. Detailing, sorting out and implementing these roles and responsibilities is a requisite for this.

19.2 Employees of the Bank, its subsidiaries and/or affiliates are prohibited from using the personal data for special or commercial purposes, sharing these data with unauthorized persons or making these data accessible through  another method. Executives shall inform their employees about the obligation of protecting the data confidentiality at the initial stage of employment relationship. The said obligation shall also extend beyond the end of employment.

20. Security of Data Processing

20.1 Personal data shall be protected against unauthorized access, illegal data processing or disclosure and accidental loss, alteration or destruction of data. This provision shall apply whether or not data is processed in an electronic media or on paper. Until new data processing methods and new IT systems in particular emerge, technical and organizational measures to protect personal data shall be defined and implemented. The said measures shall be designed by taking into account the most advanced technology, data processing risks and the requirement of protecting data.

21. Data Protection Control

  • The accesses to the retention areas where the personal data reside shall be recorded by the Bank so that inappropriate accesses or access attempts are kept under control.
  • The Bank takes necessary measures to make the deleted personal data inaccessible and non-reusable for the relevant users.
  • In case the personal data is acquired by others illegally, a system and infrastructure has been created by the Bank to report this to the relevant person and Board..
  • The matter of whether or not this Data Protection policy and the related data protection laws are observed is regularly controlled by the authorized persons working in the relevant units of the Bank. The data protection authority in charge may directly supervise the status of compliance of the Bank, its subsidiaries and its affiliates with the provisions of this Policy in a way allowed by the national laws.

22.Contact

The Relevant Person submits his/her requests concerning the implementation of this Policy and Personal Data Protection Law to the Data Officer in writing. The Data Officer finalizes the request as soon as possible depending on the quality of the request in the application and within 30 days the latest free of charge. However, in case the action requires a separate cost, the fees in the tariff determined by the Personal Data Protection Board are charged.

Contact address: 0850 222 0 800

Annex 1 - Information Transfer/Share with/from Third Party(Parties)

The Bank takes any kind of measure to protect the confidentiality of the Customer information including the confidentiality of the personal data. However, a) in case it is necessary to fulfill the service properly, b) it is allowed by the legislation and/or c) it serves the commercial purpose of the Bank, we, as the Bank, have the right to transfer and share the personal data of our Customer from/with the below-listed third party(parties). The parties with which the data can be shared:

  • The Bank’s subsidiaries and their sub-institutions; companies and persons in the group of companies of which the Bank is a part of, the Bank’s shareholders and their sub-insitutions; the Bank’s main shareholder and its subsidiaries, employees, company employees, legal, financial and tax advisors, auditors
  • The parties which provide services to the Bank as complementary to or an extension of its activities and support service institutions including KKB and FINDEKS and other contracted institutions, international or domestically founded card payment system institutions including Europay INT.SA, Moneygram, Mastercard INT.INC, Visa INT, JCB INT, Maestro, Electron, and contracted institutions and authorities such as BRSA, CMB, CBRT, MASAK, TBB, KOSGEB, GİB, Treasury Undersecretariat, Social Security Institute, Credit Bureau, Supreme Election Board, Turkish Labor Institution, authorized public institutions and agencies such as ministries, judicial authorities and persons, institutions and agencies allowed by legislation provisions including the article 73/4 of the Banking Law, in case necessary, correspondent banking and domestic/international financial institutions and domestic/international merchants, insurance companies, reinsurers. Also  non-resident or resident banks and third parties and institutions including financial institutions and agencies any kind of service provided by the Bank, any kind of money transfers to be made to domestic and international accounts for the purpose of electronic transfer messages, foreign trade transactions, transactions to be realized through banks and/or using the swift system and associated transactions
  • In case of being a US and/or EU real person or legal entity or trading in US and/or EU markets or being subject to the tax laws of US and/or EU or due to various legal requirements,Data on account numbers, ID information, address, scope of activity and all accounts, transactions with U.S Internal Revenue Service (IRS), European Capital Market Authority (ESMA) and/or all other US and/or EU institutions in scope of laws and regulations of United States of America (USA) Dodd Frank (Dodd Frank Wall Street Reform and Consumer Protection Act) and FATCA (Foreign Account Tax Compliance Act), ISDA (International Swaps and Derivatives Association) and European Union (EU) EMIR (European Market Infrastructure Regulation) and CRS (Common Reporting Standard)
  • Credit bureaus and/or debt collection institutions including but not limited to the following:
    • Credit Bureau and/or institutions with similar activities;
    • Other NPL management and debt collection institutions which facilitate the payment and/or purchase (assignment) of NPL.

We are using cookies on our website to offer you a better, faster and more secure visit.
To disable cookies, you may follow “Settings / Privacy / Content Settings / Disable Cookies”. You may find further information in our Cookie Policy.

Kapat

Döviz Çevirici

Kapat

İzin Pazarlama Button
Kapat

Kapat

DenizBank, İnovasyonda Dünyanın 1 Numarası Seçildi.

DenizBank, İnovasyonda Dünyanın 1 Numarası Seçildi.
Kapat
Yükleniyor...