I. Purpose of Data Protection Storage and Destruction Policy
As part of its legal and social responsibility, Denizbank (“Bank”) commits to comply with the national personal data protection, processing and destruction regulations. This Personal Data Protection, Storage and Destruction Policy (“Policy”) is applied to the Bank and all of the subsidiaries under its control within the framework of legislation in effect and is based on core principles recognized nation-wide regarding personal data protection, processing and destruction. Ensuring Personal Data protection and carrying out required destruction studies within the scope of the Law on Protection of Personal Data and related legislation lays the foundation for establishing reliable business relations and Bank having reputation before public and contains the framework conditions required for national and international personal data transfer between the Bank and the third parties stated in the Annex-1.
II. Scope and Amendment of Data Protection Storage and Destruction Policy
- 2.1 This Policy is applied to the entire Bank and all subsidiaries under its control and exercised to process personal data.
- 2.2 This Policy is applied to the real person customers of the Bank and its subsidiaries and other real persons who do not have a given framework agreement with the Bank and its subsidiaries. The Bank terms included in this Policy shall cover the Bank and the subsidiaries under its control.
- 2.3 data that has been anonymized and cannot be identified such as those obtained for statistical assessments or studies and data for legal persons are not recognized as personal data and not held subject to this Policy.
- 2.4 this Policy can be updated from time to time. Therefore, in order to reach the most current version of this Policy, please visit www.denizbank.com regularly.
||Law on Protection of Personal Data
||Board of Protection of Personal Data/Institution of Protection of Personal Data
||Any information regarding a real person whose identity is determined or may be determined.
OUR PERSONAL DATA FIELDS
|TR ID no/Tax ID No/Foreigner ID No
|ID Card Serial/Item No
|Spouse TR ID No
|Date of birth
|In Identity Information;
|Code of Province Registered
|Family item no
||Consent regarding a certain subject, based on being informed and disclosed at free will.
||turning personal data into something that cannot be associated with any real person in any way whose identity is determined or can be determined by matching it with other data.
|Deleting Personal Data
||Deleting personal data; making it inaccessible and unusable in any way for other users.
|Destroying Personal Data
||Making personal data inaccessible, unrecoverable and unusable by anybody in any way.
|Processing Personal Data
||Any transaction realized on data including obtaining via no-automatic ways provided that it is a part of a fully or partially automatic or any data registration system, registering, storing, keeping, changing, rearranging, disclosing, transferring, taking over, making it acquirable, classifying or hindering the use of personal data.
||Real or legal person processing personal data on behalf of the data officer based on the authority granted by him.
||Real or legal person in charge of determining the purposes and means of processing personal data, establishing and managing data registration system.
Personal data of private nature
|Personal data regarding race, ethnical origin, political beliefs, philosophical belief, religion, sect or other beliefs, attires, association, foundation or union affiliation, health status, sexual life, prison convictions and security measures as well as biometrics and genetic data.
||Notification by the data officer or persons authorized by him, of relevant persons while obtaining personal data about the following:
- ID of the Data officer and if any, of the representative,
- For which purpose the personal data will be processed,
- To whom the personal data processed may be transferred to for which purpose;
- Method and legal cause of collecting personal data,
- Other rights listed in the article 11 of the law.
||Customer Information Platform which includes customer data
||Document Management system (Customer Document Platform where customer documents are available)
||Deleting, destroying or anonymizing personal data.
||Any kind of media where personal data is located, which is processed via non-automatic manners provided that it is a part of fully or partially automatic or any data registration system.
IV. Application of National Laws
This Policy covers the national laws and principles of internationally-recognized personal data processing and data confidentiality. The national data processing and data confidentiality laws lays the foundation for this Policy whereas in case of contradiction between this policy and internationally-recognized personal data processing and data confidentiality laws, the national law shall have the priority.
V. Principles on processing personal data
- 5.1 Compliance with the law and rules of honesty: During processing personal data, the individual rights of the data owners shall be protected. Personal data shall be collected and processed in a legal and fair manner.
- 5.2 Processing for certain, clear and legitimate purposes and being limited to the purposes of their processing and being moderate Personal data can only be processed to serve a purpose that is specified before collecting data.
- 5.2 Processing for certain, clear and legitimate purposes and being limited to the purposes of their processing and being moderate Personal data can only be processed to serve a purpose that is specified before collecting data.
- 5.3 Transparency: Data owner shall be informed as to how his data is used. During the acquisition of Personal data, the data owner shall be aware of or informed about the following:
- a ID of the Data Officer and the representative, if any,
- b Purpose of processing Personal data;
- c to whom and for which purposes the Personal Data can be transferred;
- d Method and legal reason of collecting personal data;
- e Rights of the data owner (Article XV).
- 5.4 Storing for a period of time laid out in the related legislation or that is required for the purpose of their process. The Bank and its subsidiaries shall continue to process and store personal data during a period of time that is deemed necessary for the purposes and interests of processing personal data, made obligatory by regulatory authorities and/or related laws and regulations in line with the purposes brought forward by this Policy (including transferring data to or receiving data from third parties mentioned in the Annex no 1 to this Policy)
- 5.5 Accuracy of the Information; Currentness of Data: The personal data processed shall be accurate, full and current if necessary. Due action shall be taken in order to delete, correct, complete or update data that is not accurate or missing.
- 5.6 Confidentiality and data security: Personal data is subject to data security. It shall be evaluated confidentially on a personal level and required technical and administrative measures shall be taken to ensure its level of proper security to achieve the storage of Personal Data and prevent unauthorized access, illegal processing or distribution as well any accidental loss, modification or damage.
VI. Scope of data processing
- 6.1 During the time the services of the Bank are used and following the termination of the contractual relation, the Bank shall have the right to process the information of a data owner including its personal data on the condition of complying with the purposes stipulated in the article VII of this Policy.
- 6.2 Personal data processed by the bank covers any kind of action that is performed for the data using automatic, semi-automatic or non-automatic methods without any restriction. To be more precise, processing personal data processing refers to receiving, collecting, recording, taking photographs of, receiving sound records of, receiving video records of, organizing, storing, modifying, restoring, taking back or disclosing, obtaining all or some of the data using automatic or non-automatic manners on the condition of being a part of any recording system, storing, keeping, modifying, rearing, disclosing, transferring, transferring abroad, taking over, making it acquirable, classifying or preventing it from being used (including transferring information and/or disclosing it to third parties stated in the annex no 1 of this Policy, who will later on process data by complying with the purposes stipulated in this Policy) for the purposes of transferring, spreading or presenting through different methods, grouping or merging, blocking, deleting or destroying it.
- 6.3 Bank and/or the third parties stipulated in the annex no 1 of this Policy processes the data of the data owner or third parties determined by the data owner. Data processing also includes but is not limited to data processing by third parties upon the instruction of the Bank and/or when the Bank is the data processor and acts in favor of a third party (data Officer) and upon his instructions.
In line with the purposes determined by this Policy, processing and/or transferring or disclosing any kind information regarding a real person whose identity is determined or can be determined to third parties stipulated in the annex no 1 to this Policy by including but not limited to the personal data below:
- a) Full name of the data owner;
- b) personal identity number and/or unique feature found in the electronic identity card;
- c) address of registration and/or residence;
- d) Telephone/mobile phone number;
- e) E-mail address;
- f) Credit history (along with the negative, also positive information on loans and payment details including current debts and/or repaid debts) and solvency status (solvency score of the data owner, criteria and/or methodology):
- g) immovable and movables that are in the possession of the data owner and their qualities.
- h) data on the employer as well as information on the employment conditions (place of work, pay, working hours etc.)
- i) including but not limited to bank account(s) of the data owner in the Bank and other banks operating in Turkey, the balances of these accounts during a certain period of time and data on transactions made in these accounts during a certain period of time.
- j) including but not limited to cards issued by the Bank and/or other banks operating in Turkey and the related card accounts, balance of the related card during a certain period of time and related data on transactions made in these card accounts during a certain period of time and the access code of these cards;
- k) data on the data owner account/subscription recorded by various payment providers. These data include but are not limited to account/subscriber number, address, balances of subscription accounts on a given time and date and/or debt accrued, transactions made through the subscription account and/or debiting account and/or debt payment;
- l) the activities of data owner and/or third parties determined by the data owner while using various electronic channels and/or internet (including but not limited to web cookies etc) and the above-mentioned channels (including but not limited to verifying these channels, actions performed or the transaction history)
- m) data on family members, relatives and other persons residing in the place of residence of the data owner;
- n) any kind of data related with the Customer, that ensures identifying and/or characterizing and/or grouping the data owner according to physical, physiological, psychological, economic, cultural or social qualities or by using activities related with the transaction mentioned or listed above.
When the aforementioned personal data is anonymized, it will not be part of the personal data scope.
- 6.4 If the data owner provides the Bank with information (supplementary card owner, surety, family members, employer etc) on third parties for the purpose of benefiting from the bank services (including but not limited to personal data, solvency, asset status etc.) and the Bank processes these data including personal data for the purpose of bank services and/or marketing, the data owner shall be personally responsible for receiving a consent from the third parties to have the related processed by the Bank. If the data owner provides the said information with the Bank (or its authorized personnel), the data owner is assumed to have received the required consent and thus the obligation of the Bank to receive this consent is eliminated. In case the data owner fails to comply with the obligation to receive the consent of third parties or fails to fulfill this obligation in the full sense of the word, he shall be personally responsible for any kind of loss the Bank will suffer from. Data owner consents and agrees to compensate and protect the Bank against any kind of loss (including but not limited to consequential losses), complaint, expenses (including but not limited to the expenses the Bank will incur due to exercising its legal right), legal processes and other obligations.
- 6.5 Processing of the information of the data owner by the Bank using various electronic channels (including but not limited to other technical methods and channels used for web browser, website of the Bank, online banking, mobile banking, mobile applications of the bank, payment machines, ATMs and/or data transfer and purchase) also covers the recording and processing the activities of the data owner (i.e. determining the location of the data owner using an electronic channel, identifying and analyzing data inputs, product selection frequency and/or other statistics)
VII. Foundations of Data Processing
- 6.1 Data owner hereby agrees that it is required for the Bank to process the information on the data owner or third parties determined by the data owner for the purposes below even if the period of using the services of the Bank and the contractual period ends:
- a) providing and/or implementing a service for data owner,
- b) data processing being obligatory for the purposes of protecting the legal interests of the Bank and/or third parties and/or using or protecting the legitimate interests of the data Officer;
- c) the Bank fulfilling its obligations under the legislation;
- d) processing of personal data on the data owner being necessary on the condition that it is directly related with creating or enforcing an agreement between the data owner and the Bank,
- e) data processing being obligatory to establish, enjoy or protect a right,
- f) other issues that are provided with a consent by the data owner,
- g) other issues clearly stated in the legislation.
- 7.2 Consent given by the Data Owner shall mean that the data owner agrees to the Policy and its provisions.
VIII. Purposes of Data Processing
- 8.1 The Bank or third parties stipulated in the annex no 1 to this Policy may process the personal data of the data owner or the third parties determined by the data owner for the purposes including but not limited to those below:
- a) Realizing banking services duly and properly;
- b) Using FastPay electronic wallet which represents a joint service of the Bank and FastPay. FastPay electronic wallet enables the Bank or Fastpay customers to have an electronic wallet, make/receive a payment through this wallet and/or realize various transactions allowed by the law and/or terms and conditions of a product. These transactions include but are not limited to the use of FastPay wallet account (and/or telephone number and/or email address or password) for the verification on websites and merchants which are allowed for FastPay authorization.
- c) Issues that have been translated into legislation provisions for the purposes of storing, reporting, informing and providing information for the audit companies, related attorney as stipulated by regulatory and auditing authorities such as BRSA, CBRT, MASAK, Turkish Banking Association, Revenue Administration, Treasury Undersecretariat;
- a) conducting intelligence, information researches, surveys and credibility valuations, providing planning, statistics, archiving, custody services, customer satisfaction studies,
- d) the Bank optimizing and developing its services while the Bank analyzes its related data of the data owner such as the credit history, statistics information;
- e) preparing and presenting various reports, researches and/or presentations;
- f) proposing a new and/or additional credit or non-credit product or changing current conditions where the credit and/or transactions history and/or behavior models of the data owner shall be controlled;
- g) along with ensuring security; identifying and/or preventing cases of abuse, money laundering or other activities that represent a criminal activity;
- h) responding to the complaint, questions nd requests of the Data Owner;
- i) verifying the ID information of the Data Owner;
- j) ensuring Possession and security;
- k) performing, enforcing and developing transactions including providing services related with banking, insurance, investment and finance products and those that could be provided in an agency capacity,
- l) carrying out promotion, marketing and campaign activities for the mentioned services and products,
- m) executing the agreements made with a customer,
- n) providing better and more reliable services for the customer, developing more appropriate services and products and sustaining them without any interruption,
- p) achieving other purposes laid out in the related legislation.
IX. Processing Data of the Application Owners or the Employees
- 9.1 Processing personal data for the purposes of exercising, sustaining and terminating a service agreement: The Bank has the right to process personal information disclosed by the related person due to starting a job and/or an internship for the purposes of ensuring human resources and training processes such as exercising the personnel rights arising out of the service agreement and sustaining them without any interruption, any kind of insurance service including health insurance, accident insurance, international health insurance, life insurance, individual pension services, occupational health and safety service, handling work permit procedures, evaluating personal job applications, conducting intelligence, research and other hiring processes, performance assessment and followup, training activities, healthcare activities, improving work conditions, conducting personal development processes.
- 9.2 If information on the application owner has to be collected from the third parties throughout the application process, the provisions in the Law on the Protection of the Personal Data numbered 6698 shall be observed.
- 9.3 There shall be a legal authorization to process personal data that is related with the business relation but not an immediate part of executing the job agreement. These include a) legal obligations, b) consent of the application owner (through electronic and non-electronic methods) or c) legitimate interest of the Bank or a third party and d) purposes stipulated in the clauses VI and VII of this Policy.
X. Processing Personal Data of a Private Nature
Private Data refers to data related with race and ethnic origin, political ideas, religious or philosophic beliefs, associate or syndicate membership, health and sexual life, criminal conviction and security measures as well biometric and genetic data. Private Data can only be processed through the open consent of the application owner (data owner).
XI. Responsibility of the data Officer and processor
- 11.1 As per the provisions of this Policy; while the Bank becomes the data processor as it processes some types of personal data, it can act on behalf of the data Officer including third parties stipulated in the Annex no 1 to this Policy or the related third parties can become the data processor for some personal data types for which it is the data Officer. Thus, each of the parties to such relation (along with the data processor, data Officer and its subcontractor) shall fully comply with the current data protection legislation and follow the provisions listed below:
- a) Personal data shall be processed in accordance with the principles included in the legislation. The consent of the data owner shall be received and necessary briefing shall be given.
- b) Processing of data transferred from one party to another shall be realized without any restriction to achieve the purposes laid out in the clauses VI and/or VII of this Policy.
- c) Depending on the specificity of the process, if one of the parties represents the data processor and the other-data Officer while processing data, data processor shall have the following obligations:
- i. by observing the limit and scope defined by this Policy provisions and legislation or upon the demand of a regulatory authority, processing data communicated/disclosed by other party;
- ii. Applying any technical and organizational measurement and taking any action and informing the data Officer of any measure taken within this scope in order to prevent unauthorized processing, loss, damage, unauthorized modification or disclosure of the data communicated/disclosed by the data Officer
- iii. The Bank can audit measures and applications implemented by the data processor for the purposes of data security through its authorized personnel.
- iv. In case the situations below take place, the data Officer notifies the data owner as soon as possible and within thirty days the latest:
- data owner making a request on the information related with his own personal data;
- submitting a complaint or a statement of regarding the compliance of the data Officer with the obligations imposed by the legislation;
- v. Data processor cooperating with the Bank and supporting the Bank regarding an evaluation of a complaint or a statement by the Bank:
- providing the Bank with detailed information on the complaint and statement status including the data on data owner that is submitted/disclosed by the Bank to the data processor within 5 business days following the date of request for detailed information;
- Bank accessing to data that is in the possession of the data processor within the aforementioned period of time (including electronic data);
- Providing the bank with the related information within the aforementioned period of time (including electronic data);
- vi. Preventing data processing(transfer) activity by the data Processor to a country and/or an international institution which is not a part of the European Union Economic Area and those that are not in listed in countries with a sufficient level for protection of personal data or those that are not allowed by the data owner or the Personal Data Protection Board.
- vii. Not transferring/disclosing data to third parties without any written consent of the Bank in advance. Even in cases the bank has a written consent in advance; the data processor is obliged to transfer/disclose the data as per a written agreement. The third party and his subcontractors are obliged to take any technical and organization measure to prevent the unauthorized processing, loss, destruction, damage, unauthorized modification or disclosure of the data.
- viii. Compensating any loss that the Bank will suffer from due to the failure of the Data processor to take the required actions (as per the policy and legislation) or to fulfill them fully. As a result of the violation by the data processor, the data processor hereby agrees and consents to compensate and protect the Bank against legal processes and other obligations for any loss that the Bank may suffer from (including but not limited to the consequential losses), complaints, expenses (including but not limited to the expenses the Bank may incur due to exercising its legal rights).
- ix. Unless otherwise stipulated in the agreement between the Bank and the data processor, the data processor has the following obligations following the termination of the contractual relation between the bank and the data processor:
- before this agreement is terminated, returning any kind of data transferred/disclosed by the Bank (including personal data). The related data shall be returned in the form (manner) it was taken from the Bank and the processing of data shall immediately be stopped; and or
- Taking any kind of security measure to prevent the unauthorized access of third parties to data, notifying the Bank that the personal data transferred/disclosed has been destroyed and this action was taken;
XII. Information transfer /exchange with/from third party(parties)
Within the scope of the Bank serving to the data owner as required and data processing as per the purposes laid out in the clauses VI ve VII, the data regarding the data owner and/or the third parties pointed by the data owner shall be transferred /exchanged with/from thirty party(parties) stated in the annex no 1 to this Policy. For these purposes; the data owner grants the right to the Bank to acquire, record, store, keep, modify, rearrange, disclose, transfer, transfer abroad, take over, make the personal data acquirable, classify it or prevent it from being used via fully or partially automatic manners or non-automatic manners on the condition of being a part of any record system through the Head Office units, branches, ATMs, kiosks, online branches, call centers, public institutions as well as the parties receiving services that are complementary to or extension of the Bank’s activities, public institutions, contracted institutions and support service institutions.
XIII. Remote marketing
- 13.1 Data owner hereby grants the right to the Bank to send the owner a commercial electronic message, voice and/or other marketing messages, SMSs (direct marketing) within the scope of the Law on Regulating the E-Commerce numbered 6563, as the data owner provides his own phone number, email and other communication information recorded in the Bank until the data owner exercises his right of rejection. The bank will be able to continue exercising its right as long as no objection is made by the data owner in writing and/or via an electronic media as stipulated in the agreement between the parties and/or legislation.
- 13.2 Data owner hereby grants the right to the Bank to share his own data or confidential information with the affiliates and main shareholders of the Bank to receive various marketing offers. The data owner has the right to directly ask the Bank’s affiliates or main shareholders to stop marketing.
- 13.3 To apply to this paragraph, the content shown in the advertisement/information messages (i.e, advertisement brochure, promotional images, verbal offers etc.) in the Bank’s service areas or during the use of electronic channels such as ATM, online banking, mobile banking of the Bank (or the Bank’s affiliates) cannot be directly qualified as marketing, thus the data owner does not have the right to request the termination of transmission/display of these kind of content.
XIV. Video record and sound record
- 14.1 For the purposes of safety and protection of property and confidentiality as well as controlling the service quality by observing the Law on the Protection of Personal Data numbered 6698, video and sound are recorded in the surrounding and entrance areas of the building and the workplaces. In addition, during the use of ATM and other electronic devices, video record is filed and when communicated with the Bank via phone, sound is recorded.
- 14.2 The data owner shall be informed that video record and monitoring are taking place using appropriate devices while communication at the related service points of the Bank and with the Bank. The data owner accepts the importance of the video and sound record and hereby gives consent to the Bank to process his data in this sense.
- 15.1 Data owner accepts that the data that is about himself and published on the Bank’s website, online banking, mobile banking sites, mobile applications and other electronic media (printed, visual and/or audial) is considered a part of Bank’s property and the Bank has a copy on these type of data not classified as the personal data of the data owner from the moment they are published.
XVI. Data updating, Processing and Storage period and Data Destruction
- 16.1 During and following the period of using the bank’s services, the Bank shall continue to process the information mentioned in this paragraph for purposes again stipulated in this policy during a period of time that is consistent with the purposes and interests of the Bank, requests of the regulatory/auditing authorities and/or legislation.
- 16.2 Processing data transferred from the data owner to the Bank during the use of electronic channels (web browser, Bank’s website, online banking, mobile banking, mobile applications and/or other electronic data transfer tools) will also be able to continue after the data of the data owner is deleted via the related electronic channels. These type of data shall continue to be stored during a period of time that is consistent with the purposes and interests of the Bank, requests of the regulatory/auditing authorities and/or legislation.
- 16.3 Upon the request of the data owner, the Bank will provide the Customer with the personal data on the Customer stored in the Bank within the scope of legislation. The bank has the right to charge a service fee so as to provide the Customer with these information except for situations in which Customer cannot be charged for being provided with information as stipulated in the law.
- 16.4 In case the data owner believes that his data stored in the Bank is missing or wrong, the data owner is obliged to notify the Bank immediately in writing.
- 16.5 Personal data is stored for a period of time established in the legislation or for a period required for the purpose of their process. In case of elimination of reasons which require the processing of data although the data was processed as per the legislation, the personal data is deleted, destroyed or anonymized by the data Officer ex-officio or upon the request of the data owner.
- 16.6 The following criteria are used to identify the period of storing and destroying the personal data:
- a) It is identified under which exception(s) envisioned in the articles 5 and 6 of the Law data storage will be evaluated. The reasonable periods during which data shall be stored are identified within the framework of the identified exceptions. If a period is envisioned in the legislation concerning the storage of personal data, this period is abided by.
- b) Regarding the storage of the said personal data, if no period is envisaged regarding storage of the said data in the related legislation of the termination of the period envisaged in the legislation, data is deleted, destroyed or anonymized in a semiannual period.
- 16.7 In case of deleting, destroying and anonymizing personal data, the principles listed in the article 4 titled “General principles” of the law as well as measures required to be taken within the scope of the article 11 titled “Obligations regarding data security”, related legislation provisions, Institution decisions and this Policy.
- 16.8 All transactions regarding deleting, destroying, anonymizing personal data are registered by the Bank and the said records are kept for at least 3 years excluding the other legal obligations.
- 16.9 Unless the institution decides otherwise, the proper one out of the methods for deleting, destroying or anonymizing personal data is selected by the Bank.
XVII. Rights of the data owner
Every data owner has the following rights.
) to find out if his personal data has been processed or not, b) request information if the personal data has been processed, c) find out the purpose of the processing of personal data and whether or not it was used in line with its purpose, ç) know the third persons the personal data has been transferred to at home or abroad, d) ask for correction if the personal data was processed incompletely or inaccurately e) ask for the removal or destruction of personal data f) ask for notification of the transactions made as per the aforementioned clauses (d) and ( e ) listed above in which personal data is transferred to third parties, g) objecting to a result that takes place against him due to the analysis personal data via exclusively automatic systems and ğ) ask for elimination of the loss in case of suffering a loss due to illegal processing of personal data
XVIII. Confidentiality of data processing
- 18.1 Personal data is subject to data security. Any employee of the bank, subsidiaries and/or affiliates are banned from accessing this data in an unauthorized manner, processing this data or using it. When this data is processed by any employee of the Bank, its subsidiaries and/or affiliate partners who are not authorized within the framework of their legitimate duties, it refers to an unauthorized transaction. The employees of the Bank, its subsidiaries and/or affiliate partners can only access personal data within the framework of the type and scope of their said duties. To this end, their roles and responsibilities shall be elaborated, differentiated and implemented.
- 18.2 The employees of the bank, its subsidiaries and/or affiliates are banned from using the personal data for private or commercial purposes, sharing this data with unauthorized persons and making this data accessible via a different method. The managers shall inform their employees regarding the obligation to protect the data confidentiality at the stage of their employment. The said obligation shall continue as well after the employment is terminated.
XIX. Data processing security
- 19.1 Personal data shall be protected against unauthorized access, illegal data processing or disclosure and accidental loss, modification or destruction of the data. This provision shall apply whether data is processed electronically or on paper. The identification and implementation of technical and organizational measures to protect personal data is necessary until the new data processing methods, and especially new IT systems emerge. The said measures shall be designed by taking into account the cutting edge technology, data processing risks and requirement to protect data.
XX. Data Protection Control
Whether or not the related data protection laws and this Data Protection Policy are observed or not is regularly controlled by authorized persons in the relevant departments of the Bank. The authorized data protection body can directly audit the compliance status of this Policy for the Bank, its subsidiaries and affiliates to the extent allowed by the national laws.
Data Owner conveys his requests regarding the application of this Policy and the Law on Protection of Personal Data to the Data Officer in writing. The Data Officer finalizes the request as soon as possible and within 30 days the latest based on the nature of the request in the application, free of charge. However, in case the transaction requires an additional cost, the tariff fees set out by the Board of Protection of Personal Data shall be charged.
Contact address: 444 0 800
Annex 1 Information exchange with/from third party/third parties
Bank takes any measure to protect the confidentiality of Customer information including the confidentiality of personal data. However in case a) it is necessary to properly provide services, b) the legislation allows and/or c) it serves the commercial purpose of the Bank, we have the right to exchange personal data of our customer with/from third party/third parties listed below. The parties with which the data can be exchanged are provided below:
- Subsidiaries of the Bank and their subinstitutions; companies and persons that take part in the groups of companies which include the Bank, Bank shareholders and their subinstitutions; Bank’s main shareholder Russia and their subsidiaries, employees, company officers, legal, financial and tax advisors, auditors
- Parties which provide services to banks to be complementary to or extension of Bank’s activities and support service institutions and contracted institutions including Credit Bureau and FINDEKS, card payment systems institutions founded in the country or abroad including Europay INT.SA, Moneygram, Mastercard INT.INC, Visa INT, JCB INT, Maestro, Electron, authorities such as BRSA, CMB, CBRT, MASAK, TBB, KOSGEB, GİB, Treasury Undersecretariat, Social Security Institute, Credit Bureau, Supreme Election Board, Turkish Employment Agency, public agencies such as ministries, prosecution authorities as well as other persons, institutions allowed by other legislation provisions including 73/4 of the Banking Law, correspondent bank and domestic/international financial institutions when necessary and domestic/international merchants, insurance companies, reassurance companies
- Additionally, third parties and institutions including domestic or international banks and financial institutions in order to realize transactions and connected transactions provided that electronic transfer messages regarding any Money transfer to domestic and international accounts, any Banking service received from the Bank, foreign trade transactions, transactions through bank and/or swift system
- In case of being a real or legal person of US and/or EU origin and/or trading in the US and/or EU markets or being subject to the US and/or EU laws or due to other legal requirements, exchange of any account, transaction and data including account number, ID information, address, scope of activity within the scope of USA Dodd Frank (Dodd Frank Wall Street Reform and Consumer Protection Act) and FATCA (Foreign Account Tax Compliance Act), ISDA (International Swaps and Derivatives Association) and EU EMIR (European Market Infrastructure Regulation) and CRS (Common Reporting Standard) laws and all the other legal regulations, U.S Internal Revenue Service (IRS), ESMA and/or all the other related US and/or EU institutions.
- Credit bureaus and/or debt collection institutions including but not limited to below:
- Credit Bureau and/or other institutions of similar nature;
- Other distressed asset management and debt collection organization facilitating the payment and/or acquisition (assignment) of distressed assets.