The Personal Data Protection Authority (“Authority”) published The Guidelines on the Banking Sector Best Practices on the Protection of Personal Data (“Guideline”) on the Authority’s website on 08.01.2025.
The Guideline has been updated by taking into account the changes in the Law No. 6698 on the Protection of Personal Data (“Law”) regarding the Transfer of Personal Data Abroad within the scope of compliance with the Law No. 7499 on Amendments to the Code of Criminal Procedure and Certain Laws published in the Official Gazette No. 32487 dated 12.03.2024 and the European Union General Data Protection Regulation (“GDPR”).
The Guideline, which was updated regarding the Transfer of Personal Data Abroad, first addresses the Methods of Transferring Personal Data Abroad, and then provides explanations on the transfer of personal data abroad with examples of banking practices.
Article 9 of the Law, which regulates the procedures and principles regarding the transfer of personal data abroad, stipulates that:
a) under the first paragraph, personal data may be transferred abroad only if one of the conditions specified in Articles 5 and 6 of the Law exists and there is an adequacy decision regarding the country, the sectors within the country or the international organizations to which the transfer will be made;
b) under the fourth paragraph, in the absence of an adequacy decision, personal data may be transferred abroad if one of the conditions specified in Articles 5 and 6 of the Law exists, the data subject has the opportunity to exercise his or her rights and to apply for effective remedies in the country to which the transfer will be made, and one of the appropriate safeguards specified in that paragraph is provided by the parties;
c) under the sixth paragraph, in the absence of an adequacy decision and where none of the appropriate safeguards provided for in the fourth paragraph can be provided, personal data may be transferred abroad only if one of the exceptional circumstances specified in the sixth paragraph exists, provided that the transfer is incidental.
In these cases, personal data may be transferred abroad.
In addition, if there is a special regulation regarding the transfer of personal data abroad in the laws and duly put into effect international agreements, the transfer of personal data abroad will need to be carried out in accordance with these provisions.
Within this framework, Article 73 of the Banking Law No. 5411, titled “Keeping Secrets”, should be evaluated within the scope of the tenth paragraph of Article 9 of the Law and should be taken into consideration in terms of data transfers abroad. The Regulation on Sharing of Secret Information, published in the Official Gazette dated 04.06.2021 and numbered 31501, has determined the scope, form, procedure and principles regarding the sharing and transfer of customer secret information. Therefore, in accordance with both the provision “Personal data may only be processed in accordance with the procedures and principles stipulated in this Law and other laws” in the first paragraph of Article 4 of Law No. 6698 and the provision “Provisions in other laws regarding the transfer of personal data abroad are reserved” in the tenth paragraph of Article 9, the aforementioned regulation in Law No. 5411 and the provisions of the said Regulation must be taken into consideration in terms of the transfer abroad of personal data that are considered customer secrets.
Regarding personal data transfers abroad based on the Adequacy Decision;
The adequacy decision can be made not only for a country in general, but also for a specific sector of that country or for international organizations. In this context, if the necessary conditions are met, an adequacy decision can be taken for the banking sector.
In respect of transfers of personal data abroad based on appropriate safeguards;
a) An agreement between Public Institutions and Organizations: The existence of an agreement that is not in the nature of an international agreement between public institutions and organizations abroad or international organizations and public institutions and organizations in Türkiye and the Board’s authorization of the transfer,
b) Approved Binding Corporate Rules: If there are binding corporate rules that are approved by the Board in advance and that include the protection of personal data between companies within the same undertaking group, and if one of the data processing conditions in Articles 5 and 6 of the Law is also present, data transfer between these companies can be carried out without obtaining an additional permission from the Board. Thus, data transfer can be carried out from a company in Turkey of an undertaking group that has binding corporate rules approved by the Board to a company of the same group in a foreign country without obtaining another permission from the Board.
c) Standard Contractual Clauses: Existence of standard contracts declared by the Board, containing matters such as data categories, purposes of data transfer, recipient and recipient groups, technical and administrative measures to be taken by the data recipient, additional measures taken for special personal data, and notification to the Board.
d) Written Commitment: The existence of a written commitment containing provisions to ensure adequate protections, and approval for the transfer by the Board.
In the absence of an adequacy decision, and if none of the appropriate safeguards can be provided, personal data may still be transferred abroad, provided that the transfer is incidental. However, an incidental transfer is only possible in the presence of one of the situations listed in the sixth paragraph of Article 9 of the Law and the second paragraph of Article 16 of the Regulation. These circumstances are:
- The data subject gives explicit consent to the transfer, provided that he/she is informed about the possible risks.
- The transfer is mandatory for the performance of a contract between the data subject and the data controller or for the implementation of pre-contractual measures taken upon the request of the data subject.
- The transfer is mandatory for the establishment or performance of a contract between the data controller and another natural or legal person for the benefit of the data subject.
- The transfer is mandatory for a substantial public interest.
- The transfer of personal data is necessary for the establishment, exercise or protection of any right.
- The transfer of personal data is necessary for the protection of the life or physical integrity of the data subject or of any other person who is unable to express his/her consent due to physical disability or whose consent is not deemed legally valid.
- The transfer is made from a registry that is open to public or accessible to persons with legitimate interest, provided that the conditions for accessing the registry under relevant legislation are fulfilled, and that the person with a legitimate interest has requested the transfer.
The Guideline gives the following examples of possible incidental situations for banks: Bank “A” established in Türkiye may send the personal data of the relevant customer to Bank “B” established in Ethiopia in order to meet the customer’s request to send money, provided that the data subject is informed about the risks that may arise due to the absence of an adequacy decision and appropriate safeguards, that the explicit consent of the data subject is obtained, and that the transfer is not regular, does not show continuity, occurs rarely and is not among the Bank’s customary transactions. The transfer of personal data abroad by a Bank for the purpose of conducting a lawsuit may be carried out on the condition that the transfer is necessary for the establishment, exercise or protection of a right, and that the transfer is not regular, does not show continuity and occurs rarely.
Customer Secret;
Any information indicating that a real or legal person customer is a customer of the bank is considered a customer secret. Moreover, the third paragraph of Article 4 of the Regulation stipulates that, even if a customer relationship has not been established, where customer secret information held by one bank is obtained and learned by another bank, such data shall also be considered a customer secret for that other bank. In this sense, personal data belonging to natural persons that existed before the establishment of a customer relationship with a bank, and that do not qualify as a customer secret of another bank, are not considered customer secrets on their own. However, personal data of this nature will become a customer secret when processed, alone or together with the data generated after the establishment of the customer relationship, in a way that shows that the relevant natural person is a customer of the bank.
Within the framework of the procedures and principles explained above; personal data that is considered a customer secret may be transferred abroad in accordance with Article 73 of the Banking Law No. 5411, the Regulation on Sharing of Secret Information prepared based on Articles 73 and 93 of the Banking Law No. 5411, and other relevant legislation regulating the sharing of customer secrets.
You may access the full text of The Guidelines from the link below.
For detailed information and professional support during the compliance process, feel free to contact us.
This Legal Alert has been prepared for general information purposes only on current legal issues, and the evaluations contained in this Legal Alert do not constitute legal advice or a legal opinion. It is not possible to impose any liability on SRP-Legal Law Office due to the content of this Legal Alert. It is recommended to obtain the opinion of a legal advisor regarding your questions and enquiries within the scope of this Legal Alert.