Personal Data Protection, Retention and Destruction Policy

This Policy covers both national laws and internationally-recognized personal data processing and data confidentiality principles. The national data processing and data confidentiality laws prevail whereas in case this Policy and internationally-recognized personal data processing and data confidentiality laws conflict, the related national law shall prevail. 

 Personal data is retained safely in line with the laws on media listed below by the Bank. 

6.1 Compliance with Law and good faith rule: While processing personal data, the individual rights of data owners shall be protected. Personal data shall be collected and processed in a legal and fair manner.

6.2 Getting processed for certain, clear and legitimate purposes and being limited to and measurable and connected with the purpose of processing Personal data can only be processed to serve a purpose determined before collecting data. 

6.3 Transparency: The data subject shall be informed about how his/her data are being used. While obtaining Personal Data, the data owner shall be aware of or informed about the following:

a)identity of the data controller or if any, representative,

b)Purpose of processing personal data;

c)to whom and for what purposes the Personal Data can be transferred;

d)method and legal cause of collecting personal data,

e) Rights of the data subject

6.4 Retention for a period of time stipulated in the related legislation or required for the purpose of processing As long as deemed necessary for the purpose and interests of processing personal data, obligated by the regulators and/or related laws and regulations, the Bank and subsidiaries under its control shall continue to keep processing and maintaining personal data in line with the purposes set out by this Policy (including communicating data to third parties as stated in the Annex no.1 of this Policy or taking out data from them).

6.5 Accuracy of Information; Up-to-date Nature of Data: The processed personal data shall be accurate, complete and kept current if necessary. Appropriate steps shall be taken to delete, correct, complete or update inaccurate or missing data.

6.6 Confidentiality and data security: Personal data is subject to data confidentiality. Data shall be treated as confidential on a personal level and technical and administrative measures shall be taken to prevent accidental loss, change or destruction as well as illegal processing or distribution and ensure level of security for the purpose of ensuring the retention of Personal Data. 

7.1 Throughout the period Bank’s services are used and after the contractual relationship is terminated, the Bank shall have the right to process the information of the data subject including personal data on the condition of complying with the purposes set forth in the article 8 of this Policy.

7.2 Personal data processing by the Bank covers any kind of action undertaken for data using automatic, semiautomatic or non-automatic manners without any restraint. In other words, personal data processing refers to obtaining, collecting data from the data owner mentioned in the Annex no .1 of this Policy or a third party, recording, taking a photo of, obtaining an audio record, video record, organizing, storing, changing, restoring, taking back or disclosing, acquiring through fully or partially automatic or nonautomatic manners given that it is a part of any recording system, recording, storying, maintaining, changing, rearranging, disclosing, transferring, transferring abroad, taking over, making it obtainable, classifying or preventing from being used (on the condition of respecting the purposes set forth in this Policy, including those who will process the data later on, transferring and/or explaining to third parties stated in the annex no 1. of this Policy)& for the purpose of transferring, disseminating or presenting through different manners, grouping or merging, blocking, deleting or destroying.

7.3 The Bank and/or third parties set forth in the annex no 1 of this Policy process the data of third parties determined by the Data subject or third parties determined by the Data subject. Data processing also includes but not is limited to data processing by third parties upon the instructions of the Bank and/or when the Bank is the data processor in favor of a third party (data controller) acting upon his/her instructions.

In line with the purposes set out by this Policy, processing and/or transferring or explaining any kind of information to third parties stated in the annex no 1 of this Policy on a real person who is or can be identified including but not limited to personal data below

a) Full name of the related person;

b) Personal ID number and/or unique feature in his/her electronic ID card;

c) Registered address and/or address of residence

d) Telephone/mobile phone number;

e) Email address;

f) Credit history (loans and payment details along with the negative, positive, current debts and/or repaid debts included) and solvency status (solvency score, criteria and/or methodology of the data subject);

g) Movables and immovables in the property of the data subject and their features.

h) Data on the employer as well as information on the employment conditions (workplace, fee, work hours etc.)

i) Balances of the related accounts for a certain point and period of time and transactions made on these accounts for a certain period including but not limited to the bank account (accounts) of the data subject in the Bank and in other banks operating in Turkey..

i) Balances of the related accounts for a certain point and period of time and transactions made on these accounts for a certain period including but not limited to the cards issued by the bank and/or other banks operating in Turkey and the relevant card owners, also the access codes of the related cards;

k) Data on data owner account/subscription recorded by various payment providers. What is included but not limited to these information are the account/subscription number, address, balances and/or accrued debt of the subscription accounts at a certain time and place, transactions made through subscription account and/or top-up account and(or debt payment etc.

l) Using various electronic channels and/or internet (including but not limited to web coolies) and the above-mentioned channels, , the activities of the Data subject and/or third parties determined by the data subject (including but not limited to verifying these channels, acts conducted or transaction history)

m) Data on family members, relatives and other persons residing in the address of residence of the data subject;

n) Any other data on the Customer making sure that the data owner is detected and/or characterized and/or grouped by physical, physiological, psychological, economic, cultural and social aspects or using the activities regarding the above-mentioned or listed action. In the event that the above-mentioned personal data is anonymized, it shall not be included into the scope of personal data. 

7.4 If the Data subject provides information (additional card holder, surety, family members, employer etc.) to the Bank about third parties to benefit from the banking services (including but not limited to personal data, solvency, asset status etc)  and the Bank processes these data including personal data for the purposes of banking, the Data subject  shall be personally responsible for obtaining a consent from the relevant third parties about the processing of the related personal data by the Bank. If the Data subject provides the said information to the Bank (or its authorized personnel), the Data subject is assumed to have obtained the required consent and the obligation of the Bank to obtain this consent itself is thus eliminated. In case the Data subject fails to comply with the obligation of obtaining the consent of third parties or fully fulfill this obligation, s/he will be personally liable for any kind of loss the Bank may suffer. The Data subject consents and agrees to compensate and protect the Bank against any kind of loss the Bank may suffer (including but not limited to losses arising out of consequential damages, complaint, expenses (including but not limited to expenses the Bank shall suffer due to exercising its legal rights), all the legal processes and other obligations due to the consequences of such a violation that the Data subject may commit. 

7.5 The processing of the information of the data subject by the Bank using various electronic channels (including but not limited to web browser, the Bank’s website, online banking, mobile banking, the Bank’s mobile applications, payment devices, ATMs and/or other technical methods and channels used to transfer and receive data) also covers recording and processing the activities of the Data subject(e.g.: determining the location of the data owner using electronic channels, defining and analysing input data, product selection frequency and/or other statistical data)

8.1 The data subject hereby agrees that throughout the utilization of Bank’s services and even if the contractual relationship comes to an end, it is necessary for the Bank to process the information about the Data subject and third parties determined by the Data subject: 

a) providing and/or exercising a service for the data subject,

b) data processing being obligatory for the purposes of protecting the legal interests of the Bank and/or third parties and/or exercising or protecting the legitimate interests of data controller;

c) fulfilling the Bank’s obligations under legislation;

d) on the condition that it is directly related with establishing or executing an agreement between the data subject and the Bank, personal data processing on the data subject being necessary,

e) data processing being obligatory to establish, exercise or protect a right,

f) other issues consented by the data subject,

g) other issues explicitly set forth in the legislation.

8.2 the Letter of Consent provided by, the Data subject shall mean that the Data subject agrees to the Policy and its provisions.

9.1 The Bank and/or third parties set forth in the annex no 1 of this Policy may process the personal data of the Data subject or the third parties set forth by the Data subject for various purposes: 

• Carrying out banking services duly and properly;
• Use of FastPay electronic wallet which represents a joint service of the Bank and FastPay FastPay electronic wallet allows customers of the Bank or Fastpay to have an electronic wallet, pay with this wallet, get paid and/or make various transactions permissible under the law and/or terms and conditions of products. These transactions include, but are not limited to, use of FastPay wallet account (and/or phone number and/or e-mail address or password) for identification purposes on websites and merchants allowed for FastPay authorization.
• Issues where the information is processed for information retention, reporting, informing and providing information set forth by the audit companies, the related proxy, regulatory and auditing authorities such as BRSA, MASAK, TBB, GİB, Treasury Undersecretariat as decreed by the legislation;
• Carrying out statistics, information researches, surveys and credibility assessments, providing statistics, archiving, custody services, customer satisfaction studies,
• Optimizing and developing banking services while the Bank analyzes the data regarding the credit history, statistical data of the Data subject;;
• Preparing and delivering various reports, researches and/pr presentations;
• When it is necessary to control the credit and/or transaction history and/or behavior models of the data subject, when proposing a new and/or additional loan or non-loan product or changing the current conditions;
• Along with providing security; detecting and/or preventing abuse, money laundering or other criminal activities; 
• Covering the complaints, questions and requests of the data subject;
• Verifying the identity information of the data subject;
• Providing property and security,
• Providing banking, insurance, investment and finance products-related services and carrying out, executing and improving transactions related to such services including those that can be rendered in the capacity of an agency. 
• Carrying out promotion, marketing and campaign activities for the said services and products,
• Fulfilling the requirements of the agreements entered into with the customer,
• Providing better and more reliable service for the customer, developing more suited services and products and ensuring their continuity without any interruption,
• Fulfilling other purposes set forth in the related legislation.

10.1 Processing personal data for the purpose of entering into, executing, maintaining and terminating a service agreement: For the purposes of undertaking human resources and training processes such as fulfilling personal rights arising out of the service agreement and maintaining them without interruption, fulfilling any kind of insurance service including health insurance, individual accident insurance, international health insurance, life insurance, individual pension services, occupation health and security service, work permit processes, assessing personal job applications, maintaining intelligence, research and other recruitment processes, performance assessments and follow-up, providing training activities, health services, improving work conditions, carrying out personal development processes, the Bank has the right to process personal information disclosed due to starting employment and/or internship of the data subject.

10.2 If it is needed to collect information about the owner of application from the third parties during the application process, Personal Data Protection Law no. 6698 shall be observed.

10.3 A legal authorization shall be made to process personal data that is related with the business relationship, however, not an immediate part of the employment agreement. Among them are the following: a) legal obligations, b) consent of the owner of the application (through electronic and nonelectronic means) or c) legitimate interest of the Bank or a third party d) purposes laid out in the clause no 6 and 7 

Special categories of personal data refers to data regarding race and ethnicity, political beliefs, religious or philosophical beliefs, sect and other beliefs, foundation or association affiliation, health and sexual life, conviction and security measures and biometric and genetic data. Special categories of personal data can be processed upon express consent of the applicant (Data subject) or in limited situations listed in the law.  

12.1 As per the provisions of this Policy; the Bank may act on behalf of data controller including third parties set out in the annex no.1 of this Policy as data controller while processing some personal data or relevant third parties may be data processors for some personal data types for which s/he is the data controller. Accordingly, any one of the parties to such a relationship (data controller and its subcontractor as well as data processor) has to fully comply with data protection legislation in place and strictly abide by the provisions listed below. 

a) Personal data shall be processed in line with the principles laid out in the legislation. The data subject

b) Processing data communicated to one of the parties from the other shall take place without any restriction to fulfill the purposes stated in the clauses 7 and/or 8 of this Policy.

c) Depending on the specificity of the process, if one of the parties represent the data processor and the other -- data controller, the data processor is obliged to do the following:

i. processing data communicated/disclosed by one of the parties by complying with the scope and extent defined by the provisions of this Policy and allowed by the legislation; or upon the request of a regulator,  p>ii. applying every necessary action and informing the data controller about every measure that is taken within this scope in order to prevent unauthorized process, loss, destruction, damage, unauthorized change or disclosure of data communicated/disclosed by Data controller,

iii. The Bank may audit measures and practices applied by the data processor for the purpose of data security through its authorized personnel. 

iv. In case the below-mentioned takes place, data controller notifying the data owner as soon as possible and within thirty days the latest:

- The data subject making a request about his/her own personal data;

- Data controller communicating a complaint or declaration regarding compliance with the obligation imposed by the legislation;

v. Data Processor cooperating with the Bank and supporting the Bank about assessing a complaint or declaration communicated/disclosed by the Bank including the below:

vi. Providing the detailed information on the complaint and declaration communicated/disclosed by the Bank to the data processor including data on the Data subject within 5 business days including the request date to the Bank; 

vii. Within the above-mentioned period of time, providing the data available to the data processor to the access of the Bank (including electronic data);

viii. Providing related information to the Bank within the above-mentioned period of time; 

ix. Data Processor preventing data processing (transfer) to a country and/or international Authority which is not a part of European Economic Area and not in the list of countries at a sufficient level for personal data protection or not allowed by the Data subject or Personal Data Protection Authority.

x. Without the prior written consent of the Bank; not transferring/disclosing data to third parties. Even in cases which the Bank has prior written consent; the data processor is obliged to transfer/disclose the data as per a written agreement. The third party and its subcontractors under the said written agreement are obliged to take any kind of technical and organizational measures to prevent unauthorized processing, loss, damage, unauthorized change or disclosure of data. 

xi. Compensating any kind of loss that the Bank may suffer as the Data processor fails to take the necessary actions or fulfill them fully (as per the Policy and legislation). The Data processor hereby consents and agrees to compensate and  protect the Bank against any kind of loss the Bank may suffer (including but not limited to losses arising out of consequential damages, complaint, expenses (including but not limited to expenses the Bank shall suffer due to exercising its legal rights), all the legal processes and other obligations due to the consequences of such a violation that the Data processor may commit.

xii. Unless otherwise stated in the agreement between the Bank and data processor, the data processor is obliged to do the following after the contractual relationship between the Bank and data processor comes to an end: 
Before the agreement comes to an end, returning any kind of data transferred/disclosed by the Bank (including personal data). Returning the relevant data in the same form when they are obtained from the bank and stopping the data processing immediately, and/or taking any kind of security measures to prevent the unauthorized access of third parties to data, destroying personal data transferred/disclosed by the Bank and notifying the Bank to confirm that this action has been taken; 

Within the scope of data processing as per the purposes of Bank providing a service to the data subject as required and data processing in line with the clauses no. 7 and 8, the relevant data shall be transferred to/shared with the Data subject and/or third parties pointed by the Data subject with/from third parties set forth in the annex no:1 of this Policy. In line with these purposes; the data subject grants the Bank the rights to  acquire, record, store, maintain, change, rearrange, disclose, transfer, transfer abroad, take over, make obtainable, classify, or prevent from being used his/her personal data through both the Head Office units and branches, ATMs, kiosks, online branches, call centers, public institutions and organizations and parties from which the Bank receive services as complementary to or an extension of its activities, public institutions, contracted institutions and support service institutions using fully or partially automatic or non-automatic as long as it is a part of any recording system.

14.1 The data subject hereby grants the right to the Bank to send him/her a commercial electronic message including SMS, voice and/or any other marketing messages (direct marketing) through his/her phone number, email address and other contact information in the records of the Bank within the scope of the Law on Regulation of Electronic Commerce no. 6563 until the Data subject exercises his/her right to reject. The Bank may continue to exercise this right as long as no objection comes from the Data subject in a written and/or electronic format laid out by a contract between the parties and/or in a legislation.

14.2 The Data subject hereby grants the Bank the right to share his/her own data or confidential information with the Bank’s affiliates and main shareholders to make various marketing offers. The data subject has the right to demand an end to direct marketing from the affiliates or main shareholder of the Bank.

14.3 To be specific to this paragraph, the commercial/information messages in the service points of the Bank (e.g: commercial brochure, promoting images, verbal offers etc) or the contents displayed during the use of electronic channels of the Bank (or an affiliate of the Bank) such as ATM, online banking, mobile banking shall not be qualified as direct marketing whereas the data owner shall not have the right to demand an end to the display/delivery of these contents.

15.1 For the purpose of security and protection of property and confidentiality and control of the service quality, staying in line with the provisions of the Personal Data Protection Law no. 6698, video and audio record are made around and at the entries of the building and workplaces. Besides, video records are taken during use of ATMs and other electronic devices and voice records are taken during phone contacts with the Bank.

15.2 The data subject shall be informed that video and audio surveillance are made using the suitable tools at the related points of service of the Bank and while contacting the Bank. The data subject agrees to the importance of the video and audio record and gives his/her consent to the Bank to process his/her data in this sense. 

16.1 The data subject agrees that the data related with himself/herself and published on the Bank’s website, online banking, mobile banking applications and other electronic media (printed, visual and/or auditory) are counted as the property of the Bank and the Bank shall have the copyright over these type of data which are not classified as his/her personal data as of the moment the said data are published.

Personal data processed by DenizBank are destroyed at the end of the period stipulated in the relevant regulations or at the end of the retention period required for the processing purpose on an ex officio basis or upon application of the data subject in line with periodical data destruction periods and through specified data destruction methods (deleting and/or destroying and/or anonymizing). Unless otherwise decided by the Authority, the Bank chooses the suitable method out of deleting, destroying or anonymizing the personal method.

a. Anonymizing Personal Data

Anonymizing personal data means transforming them into something that cannot be associated with any identified or identifiable real person under any circumstances even if matched with other data included.

In order for personal data to be anonymized, they must be rendered unrelated to an identified or identifiable natural person, even by using appropriate techniques for the recording environment and related field of activity, such as the return of data by the data controller or third parties and/or matching the data with other data.

b. Deleting Personal Data

The personal data whose required storage time on the servers is completed are deleted by the system administrator by canceling access privileges of users.

The personal data whose required storage time in electronic media is completed are made inaccessible and unusable for other employees (related users) except for the database administrator.

The personal data whose required storage time in physical media is completed are made inaccessible and unusable for other employees except for the department manager responsible for the document archiving. In addition, blackout process is applied by crossing out/ scoring out/ deleting in an unreadable manner.

The personal data whose required storage time in flash-based storage media is completed are stored in secure environments with encryption keys by encrypting them by the system administrator and granting access only to the system administrator.

c. Destroying Personal Data

The personal data whose required storage time in paper media is completed are irreversibly destroyed in paper shredders. The personal data whose required storage time in optical or magnetic media is completed are subjected to physical destruction such as melting, burning or powdering. In addition, the magnetic media is passed through a special device and exposed to a high value magnetic area, making the data on it unreadable.

-   Legal and Technical Reasons for Destruction

• Requirement due to amendment or modification of the relevant legislative provisions, which constitute the basis for the processing or storage of personal data,
• Disappearance of the purpose that requires processing or storage of personal data,
• Disappearance of conditions that require processing of personal data in Articles 5 and 6 of the Law,
• Data subject's withdrawal of consent in cases where the processing of personal data occurs only on the basis of explicit consent,
• Data controller’s acceptance of the data subject’s application for deletion, destruction or anonymization of their personal data within the framework of their rights in the Article 11 of the Law,
• In cases where the data controller rejects the application made by the data subject for deletion, destruction or anonymization of their personal data, their response is deemed insufficient or they do not respond within the period stipulated in the Law; making complaint to the Board and approval of this request by the Board,
• Absence of any condition to justify storing personal data for a longer period of time although the maximum time for which personal data is stored is up.

-  Destruction Periods

The destruction of personal data stored in accordance with the retention periods stipulated in the Personal Data Protection Law and other legislation is carried out by Denizbank through deletion, destruction or anonymization processes.

- Retention periods based on personal data regarding all personal data within the scope of activities carried out are available in Denizbank Personal Data Processing Inventory;

- Retention periods based on data categories are included in the registration to VERBİS.

Upon detecting the retention and destruction periods of personal data, an action is taken by using the below-mentioned criteria:

Identifying in which scope data retention can be considered based on the exception(s) stipulated in the articles 5 and 6 of the law which set the processing conditions for Personal Data and Special categories of personal data. Identifying the reasonable periods during which data shall be retained within the framework of the identified exceptions. If a period of time is stipulated in the legislation regarding the retention of the said personal data, such period is observed.

Concerning the retention of the said personal data, if the period stipulated in the legislation is completed or no such period is stipulated in the legislation regarding the retention of data, data are deleted, destroyed or anonymized by the data controller at 6-month intervals.

The Bank is using its services and after this period the Bank shall continue to process the information stated herein in line with the purpose and interests of the Bank, upon the demands of the auditors/regulators and/or throughout a period of time that is consistent with the legislation.

• Processing of data transferred from the data subject to the Bank during the use of electronic channels (web browser, website of the Bank, online banking, mobile banking, mobile applications and/or other electronic data transfer tools) may also continue after the data of the data subject is deleted from the relevant electronic channels. These type of data shall continue to be retained as per the purposes and interests of the Bank, upon the demands of the auditors/regulators and/or throughout a period of time that is consistent with the legislation.
• While deleting, destroying and anonymizing personal data, principles listed in the article 4 titled “General Principles” of the Law and measures that shall be taken within the scope of the article 12 titled “obligations concerning the data security”, the related legislation provisions, the Bank’s decisions and this Policy are taken into consideration.
• All actions related with deleting, destroying, anonymizing the personal data are taken under record by the Bank and the said records are retained for a minimum period of 3 years except for the other legal obligations.
• The Bank determined the regular destruction period as six months as per the article 11 of the Regulation. Accordingly, the Bank conducts periodic destructions every year.

The related person has the following rights. 

a) find out if the personal data has been processed or not,

b) if yes, request information in this respect,

c) find out about the purpose of the personal data being processed or whether they are used in a way that fits the purpose,

ç) know the third parties to which the personal data is transferred in or outside of the country,

d) if the personal data is processed inaccurately or incompletely, ask for its correction,

e) ask for the erasure or destruction of the personal data in the frame of the conditions set in the article 7 of the Law,

f) ask for notifying the third parties to which your personal data is transferred as per the above-mentioned paragraphs (d) and (e) of the transactions made, 

g) in case the analysis of the personal data through automatic systems exclusively produces a result against you, object to this result,

ğ) in case you incur a loss because your personal data has been processed illegally, ask for the compensation of your loss.

19.1 Personal data is subject to data security. Any one employee of the affiliates of the Bank is prohibited to access, process or use these data in an unauthorized manner. Any one employee not authorized within the legitimate duty of the affiliates of the Bank means unauthorized action. Employees of subsidiaries and/or affiliates of the Bank may only access the personal information within the framework of the type and scope of the said duties. Detailing, sorting out and implementing these roles and responsibilities is a requisite for this.

19.2 Employees of the Bank, its subsidiaries and/or affiliates are prohibited from using the personal data for special or commercial purposes, sharing these data with unauthorized persons or making these data accessible through  another method. Executives shall inform their employees about the obligation of protecting the data confidentiality at the initial stage of employment relationship. The said obligation shall also extend beyond the end of employment.

20.1 Personal data shall be protected against unauthorized access, illegal data processing or disclosure and accidental loss, alteration or destruction of data. This provision shall apply whether or not data is processed in an electronic media or on paper. Until new data processing methods and new IT systems in particular emerge, technical and organizational measures to protect personal data shall be defined and implemented. The said measures shall be designed by taking into account the most advanced technology, data processing risks and the requirement of protecting data.

- The accesses to the retention areas where the personal data reside shall be recorded by the Bank so that inappropriate accesses or access attempts are kept under control.

- The Bank takes necessary measures to make the deleted personal data inaccessible and nonreusable for the relevant users. 

- In case the personal data is acquired by others illegally, a system and infrastructure has been created by the Bank to report this to the data subject and Board. 

- The matter of whether or not this Data Protection policy and the related data protection laws are observed is regularly controlled by the authorized persons working in the relevant units of the Bank. The data protection authority in charge may directly supervise the status of compliance of the Bank, its subsidiaries and its affiliates with the provisions of this Policy in a way allowed by the national laws.

The Data subject submits his/her requests concerning the implementation of this Policy and Personal Data Protection Law to the Data controller in writing. The Data controller finalizes the request as soon as possible depending on the quality of the request in the application and within 30 days the latest free of charge. However, in case the action requires a separate cost, the fees in the tariff determined by the Personal Data Protection Board are charged. 

Contact address: 0850 222 0 800

Annex 1 - Information Transfer/Share with/from Third Party(Parties)

The Bank takes any kind of measure to protect the confidentiality of the Customer information including the confidentiality of the personal data. However, a) in case it is necessary to fulfill the service properly, b) it is allowed by the legislation and/or c) it serves the commercial purpose of the Bank, we, as the Bank, have the right to transfer and share the personal data of our Customer from/with the below-listed third party(parties). The parties with which the data can be shared:

• The Bank’s subsidiaries and their sub-institutions; companies and persons in the group of companies of which the Bank is a part of, the Bank’s shareholders and their sub- institutions; the Bank’s main shareholder and its subsidiaries, employees, company employees, legal, financial and tax advisors, auditors 
• The parties which provide services to the Bank as complementary to or an extension of its activities and support service institutions including KKB and FINDEKS and other contracted institutions, international or domestically founded card payment system institutions including Europay INT.SA, Moneygram, Mastercard INT.INC, Visa INT, JCB INT, Maestro, Electron, and contracted institutions and authorities such as BRSA, CMB, CBRT, MASAK, TBB, KOSGEB, GİB, Treasury Undersecretariat, Social Security Institute, Credit Bureau, Supreme Election Board, Turkish Labor Authority, authorized public institutions and agencies such as ministries, judicial authorities and persons, institutions and agencies allowed by legislation provisions including the article 73/4 of the Banking Law, in case necessary, correspondent banking and domestic/international financial institutions and domestic/international merchants, insurance companies, reinsurers. Also  non-resident or resident banks and third parties and institutions including financial institutions and agencies any kind of service provided by the Bank, any kind of money transfers to be made to domestic and international accounts for the purpose of electronic transfer messages, foreign trade transactions, transactions to be realized through banks and/or using the swift system and associated transactions 
• In case of being a US and/or EU real person or legal entity or trading in US and/or EU markets or being subject to the tax laws of US and/or EU or due to various legal requirements, Data on account numbers, ID information, address, scope of activity and all accounts, transactions with U.S Internal Revenue Service (IRS), European Capital Market Authority (ESMA) and/or all other US and/or EU institutions in scope of laws and regulations of United States of America (USA) Dodd Frank (Dodd Frank Wall Street Reform and Consumer Protection Act) and FATCA (Foreign Account Tax Compliance Act), ISDA (International Swaps and Derivatives Association) and European Union (EU) EMIR (European Market Infrastructure Regulation) and CRS (Common Reporting Standard)
• Credit bureaus and/or debt collection institutions including but not limited to the following: 
• Credit Bureau and/or institutions with similar activities;
• Other NPL management and debt collection institutions which facilitate the payment and/or purchase (assignment) of NPL.