Since the enactment of Turkish Personal Data Protection Law no. 6698 ("DP Law"), the banking sector has become a field subject to close examination by the Turkish Data Protection Authority ("DPA"). It is no surprise that banks have been investigated by the DPA several times and will come under scrutiny many more times, since their daily operations involve significant amounts of personal data. As such, banks need to recognize their responsibilities under the DP Law as soon as possible and take the necessary steps without delay. Here, the actions taken by the DPA regarding the banking sector, and banks in particular, will be explained.
As provided in Article 12(5) of the DP Law, a data breach occurs when "personal data are acquired by others through unlawful means". In case of a data breach, data controllers are obliged to notify the data subject(s) and the DPA of the situation as soon as possible, within 72 hours to be specific. Under the DP Law, the DPA may, if necessary, announce the breach on its website or by other means it deems appropriate.
In Turkey, up to this day, the banking sector has been by far the business field that has encountered the most data breaches. So far, the DPA has published five public announcements regarding data breaches notified by banks, namely Garanti BBVA, İşbank, Denizbank, TEB and ING. When these five DPA announcements are evaluated, some similarities between the incidents become apparent. First of all, all of these data breaches occurred as a consequence of the actions of bank staff. While some of them happened merely through personnel negligence, others resulted from misconduct. This shows the importance of training employees and of effective administrative measures within a company. Another similarity is that all of these breaches were revealed either by internal audits or by examinations carried out by the Banks Association of Turkey under the "Risk Center", an institution which gathers risk information on customers of credit institutions and other financial institutions. This also shows the significance and role of the periodic internal and external audits carried out by banks concerning data privacy.
The Resolution & Decision
Under Article 16(6), the DPA is entitled to adopt and publish resolutions whenever it determines that a violation is prevalent. In its resolution dated 21.12.2017 and numbered 2017/62, the DPA addressed the protection of personal data in service areas such as reception desks, box offices and front desks. The DPA decided that public and private institutions/organizations which provide services side by side with more than one employee are obliged to take the necessary technical and administrative measures (i) to prevent unauthorized persons from being present in places such as reception desks, box offices or front desks and (ii) to prevent service recipients who are served at the same time and near each other from hearing, seeing, learning or obtaining one another's personal data. This resolution is of particular relevance to banks, since the banking and health sectors are specifically highlighted by the DPA in the resolution. It is important to note that, in case of any action in conflict with this resolution, the DPA can apply Article 18, which enables it to impose administrative fines on private banks or, for public banks, to notify them so that disciplinary action can be taken against the officers and other public officials serving under the relevant public institution/organization.
Although the DPA has to publish its resolutions, it does not always have to publish its decisions. However, a published decision dated 18.09.2019 and numbered 2019/277 is directly linked to the banking sector: the DPA imposed an administrative fine of TRY 100,000 on a bank (whose name was not disclosed) for its failure to take all necessary technical and organizational measures to provide an appropriate level of security in order to prevent the unlawful processing of personal data. Articles 4(c) and 4(ç) require personal data to be processed for specified, explicit and legitimate purposes and to be relevant, limited and proportionate to the purposes for which they are processed. In this case, the contact information the customer had provided to the bank was processed for another purpose, being passed on in order to reach his/her spouse, which fell outside the scope of the initial processing activity. Thus, the processing was found to be in violation of Articles 4(c) and 4(ç). In addition, the customer concerned had also applied to the bank in order to learn how and why the contact information he/she had provided was used by the bank for other purposes. Here, the DPA also instructed the bank to act in accordance with the Communiqué On The Procedures And Principles Of Application To The Data Controller, since it found that merely informing customers that they can learn the details of the processing activities concerning their data by calling the bank's Service Line is insufficient.
As can be inferred from the above, the DPA has taken a considerable number of actions regarding the banking sector, since banks handle large volumes of personal data in almost all of their operations. Inevitably, banks bear more responsibility and liability as the application of the DP Law evolves. As a final note, the right move for banks would be to take the necessary and adequate steps as soon as possible and to train their staff on data privacy.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.