The Guideline Regarding Good Practices on Protection of
Personal Data in the Banking Sector
("Guideline") has been published on
05.08.2022 by the Personal Data Protection Authority
("Authority").
The purpose of the Guideline is to guide the data controller
banks to carry out their personal data processing activities in
accordance with the Personal Data Protection Law numbered 6698
("Law") and the secondary legislation
issued by the Personal Data Protection Board, and to set good
practice examples within this framework. The Guideline includes
general explanations regarding the procedures and principles which
banks must comply with for the personal data protection, and
obligation of banks to comply with the Law and the relevant
secondary legislation continues.
In the Guideline:
- The following issues have been evaluated within the scope of data controller-data processor relations: (i) data processing agreement to be made between data controller and data processor, (ii) support services, (iii) affiliates and subsidiaries, (iv) open banking, (v) situations in which the banks act as agents.
- The conditions for the processing of personal data as: explicit consent, being stipulated in the laws and fulfilment of a legal obligation, processing the personal data of parties of a contract, legitimate interests, being compulsory for the establishment, usage, or protection of a right evaluated within the scope of banking activities and examples of good practices specific to banking activities are included.
- The processing of special categories of personal data in the banking sector has also been evaluated and measures to be taken have been included in this regard.
- The transfer of personal data domestically and abroad within the scope of banking activities are evaluated.
- The obligations of the data controller as: the obligation of the data controller to inform, to register with the data controllers' registry and to prepare a data inventory has been reviewed. In addition, deletion, destruction, anonymization of personal data, data security, the rights of the data subject and the management of complaints has been evaluated.
In the Guideline, the Authority evaluated the protection of
personal data within the scope of banking activities and included
good practice examples for data controller banks. The Guideline
constitutes an important resource for personal data processing
activities of banks.
You may reach the full Turkish text of the Guideline via the link below.
https://kvkk.gov.tr/SharedFolderServer/CMSFiles/12236bad-8de1-4c94-aad6-bb93f53271fb.pdf
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.