ARTICLE
17 July 2025

Best Practice Guide On The Protection Of Personal Data In The Payment And Electronic Money Sector

Sakar Law Office

Sakar is a client and solution oriented, investigative and innovative law firm based in Istanbul. Our Firm is committed to provide our clients with high-quality legal services and business-minded approach. We are a full service law firm to clients across a wide range of areas including Mergers and Acquisitions, Corporate and Commercial, Contracts, Banking and Finance, Competition, Litigation, Employment, Real Estate, Energy, Capital Markets, Foundations, E-commerce, Media and Technology, Data Privacy and Data Protection and Intellectual Property. In order to offer the best possible service for our clients, we harness the latest market developments in legal technology and innovation and we closely follow the legislative changes in Turkish Law. Our lawyers are multi-specialists, equipped to handle a broad range of legal matters. In addition to our depth of experience and awareness of market practice, clients know they will benefit from our team’s innovative mindset and willingness.
The Best Practice Guide on the Protection of Personal Data in the Payment and Electronic Money Sector ("the Guide") has been published by the Personal Data Protection Authority ("KVKK" or "the Authority") in cooperation with the Turkish Payment and Electronic Money Institutions Association ("TÖDEB") as part of KVKK's publications.

PURPOSE AND SCOPE

The purpose of the Guide is to provide best practice examples to ensure that personal data processing activities carried out by payment and electronic money institutions are conducted in compliance with the Law on the Protection of Personal Data ("Law No. 6698") and secondary regulations. It sets out the procedures and principles to be followed by payment and electronic money institutions, along with general explanations. The scope of the Guide includes assessments of compliance with the Law and examples of good practices regarding personal data processing activities carried out within the framework of electronic money issuance, money transfer services, POS services, bill payment intermediation services, and mobile payment services.

DATA CONTROLLER AND DATA PROCESSOR

In the payment and electronic money sector, data controllership varies depending on the type of service provided. Generally, electronic money institutions, payment service providers, mobile operators, and merchants may act as data controllers or, in certain cases, as data processors.

DATA SUBJECT

The Guide identifies various groups of data subjects, including individuals who benefit from electronic money and payment services, representatives of legal entities, transaction parties such as senders and recipients, and service provider merchants.

PROCESSED PERSONAL DATA

The personal data processed may vary in each case depending on the nature of the transaction and service within the sector. Generally, the Guide provides examples of personal data such as identity information, contact details, financial data, professional and educational background, transaction security data, customer transaction details, visual and audio records, and biometric data.

GENERAL PRINCIPLES

The general principles for processing personal data are set out under Law No. 6698; the principles are closely interrelated, and each of them is essential. According to these principles, the data controller must act lawfully and in good faith, refrain from abusing trust, consider the purpose of processing, and ensure the accuracy and currency of the data. The data controller must also observe the principle of data minimization.

For example, under these principles, processing the identity information of a data subject by a payment service provider within the scope of its services may be considered a legitimate purpose, while processing blood type data would not be justified.

CONDITIONS FOR PROCESSING

Personal data processed as a result of the operations of payment and electronic money institutions must be based on a valid legal ground under Law No. 6698.

  1. Explicit Consent

Explicit consent is defined under Law No. 6698 and is also regulated as a legal basis for processing. It must first be evaluated whether the personal data processing activity carried out by the data controller falls under another legal basis besides explicit consent. Based on this evaluation, it should be decided whether explicit consent is required. According to the Regulation on Payment Services, if personal data is accessed for reasons not directly related to the execution of the payment service, explicit consent must be obtained from the customer.

  2. Explicit Provision in Laws

If there is an explicit provision in a law or a referral through a secondary regulation concerning personal data processing, the processing of such data is permitted. At this point, payment and electronic money institutions also qualify as "obligated entities" under Law No. 6493, the Measures Regulation, and the Law on the Prevention of Laundering Proceeds of Crime (Law No. 5549). For example, to prevent money laundering and terrorist financing, identifying real person customers is mandatory, and personal data processing activities carried out within this scope rely on this legal basis.

  3. Necessity for the Protection of Life or Physical Integrity of the Data Subject or Another Person in Cases Where Consent Cannot Be Given Due to Actual Impossibility or Legal Invalidity

There are no processing activities in the context of payment services that rely on this legal basis.

  4. Necessity for the Performance or Establishment of a Contract to Which the Data Subject is a Party

This legal basis is evaluated in detail for each sectoral activity.

4.1. Electronic Money Issuance: When a framework contract is established, the personal data of the data subject is processed based on this legal ground.

4.2. Money Transfer Services: While a framework contract is not established for money transfers, they are based on one-time payment transactions as per the Regulation on Payment Services. In this case, the sender's personal data is processed based on this condition.

4.3. POS Services: During payments made between the payment institution, the merchant, and the data subject, card information is processed based on the necessity of establishing or performing a contract. The same applies to one-click payments or wallet services, where a contract is established between the payer and the payment institution.

4.4. Bill Payment Intermediation Services: Even if no formal contract is signed between the payment institution and the customer, a contractual relationship may be deemed to exist, and data may be processed accordingly.

4.5. Mobile Payment Services: Given the existence of a framework contract between the mobile line owner and the affiliated payment institution, a contract between the mobile operator and the payment institution, and a subscription agreement between the mobile operator and the line owner, the data is considered to be processed on this legal basis.

  5. Necessity for the Data Controller to Fulfill its Legal Obligations

This condition is also evaluated specifically for each sectoral activity.

5.1. Electronic Money Issuance: Under Law No. 5549 and the Measures Regulation, institutions must identify individuals before transactions are executed, to prevent money laundering and terrorist financing. Related data processing is based on this legal obligation.

5.2. Money Transfer Services: Processing and retaining identity data of the sender and recipient is a legal obligation under Law No. 5549 and is carried out based on this condition.

5.3. POS Services: Since these transactions are carried out online, identity verification is mandatory. The related data processing is based on fulfilling a legal obligation.

  6. Necessity for Establishment, Exercise, or Defense of a Legal Claim

In money transfers, a contractual relationship is established between the sender and the payment institution through a one-time payment arrangement. The recipient, however, is not a party to this contract and is considered a "silent party" by the European Data Protection Board. Nonetheless, their data may still need to be processed, and this can rely on this legal basis.

  7. Necessity for the Legitimate Interests of the Data Controller, provided that the Data Subject's Fundamental Rights and Freedoms Are Not Harmed

Payment and electronic money institutions that qualify as data controllers may process personal data based on legitimate interest within the criteria outlined by the Board in its decision dated 25.03.2019 and numbered 2019/78. Before processing data on this ground, the institutions must assess the purpose, proportionality, and necessity of the processing.

Processing of Special Categories of Personal Data and Processing Conditions

Special categories of personal data include information relating to a person's race, ethnic origin, political opinions, philosophical beliefs, religion, sect or other beliefs, appearance and attire, membership in associations, foundations, or trade unions, health, sexual life, criminal convictions, security measures, as well as biometric and genetic data. Such sensitive data (e.g., health and biometric data) may only be processed based on explicit consent or under exceptional conditions stipulated by law. The processing of such data requires the implementation of additional technical and administrative safeguards specified by the Personal Data Protection Authority (KVKK).

Processing Biometric Data in Identity Verification and Remote Communication Processes

  1. General Provisions on the Processing of Biometric Data

Under Law No. 6698 and related legislation, biometric data is classified as sensitive personal data and may only be processed based on explicit consent or under exceptional conditions. Especially in remote identity verification procedures, the processing of biometric data may be required. Specifically for the sector, the Communiqué on Data Sharing Services mandates that explicit consent must be obtained from payment service users. While MASAK General Communiqué No. 19 outlines general principles, it leaves detailed regulations to sector-specific legislation. Therefore, in remote identity verification applications, payment institutions must act according to their own sectoral regulations.

Authentication and Strong Authentication

Strong authentication refers to methods that combine at least two different authentication components, designed so that the compromise of one component does not endanger the security of the others. A single component such as a PIN, a password, or biometric data is not considered sufficient on its own. The Communiqué on Data Sharing Services clearly regulates the circumstances under which strong authentication is mandatory, along with its technical requirements, and mandates features such as session traceability, transaction security, and timestamping.
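The definition above turns on two properties that are easy to get wrong in practice: the components must come from different factor categories (two knowledge factors such as a PIN plus a password do not qualify), and a compromise of one must not expose the other. The following is an added illustration, not code from the Guide, the Communiqué, or Sakar Law Office. It models the conventional knowledge / possession / inherence classification and a per-component "channel" label standing in for the secret store or delivery path a component depends on; the `Authenticator` record, the channel labels, and the trace format are assumptions made for this example, and the sample components are constructed.

```python
"""Strong-authentication check: at least two verified components from
different factor categories, relying on different channels, plus a
timestamped session trace (added example; assumptions as noted)."""
from dataclasses import dataclass
from datetime import datetime, timezone

# Conventional multi-factor categories (names are this example's choice).
KNOWLEDGE = "knowledge"    # something the user knows: PIN, password
POSSESSION = "possession"  # something the user has: token, registered device
INHERENCE = "inherence"    # something the user is: biometric


@dataclass(frozen=True)
class Authenticator:
    kind: str       # descriptive label, e.g. "password", "fingerprint"
    category: str   # one of KNOWLEDGE / POSSESSION / INHERENCE
    verified: bool  # did this component pass verification?
    channel: str    # assumed model of the secret store / delivery path the
                    # component depends on; used to approximate independence


def is_strong_authentication(components):
    """True only if >= 2 verified components span >= 2 factor categories
    and >= 2 distinct channels (so one compromise does not yield both)."""
    verified = [c for c in components if c.verified]
    categories = {c.category for c in verified}
    channels = {c.channel for c in verified}
    return len(verified) >= 2 and len(categories) >= 2 and len(channels) >= 2


def session_trace(session_id, components, now=None):
    """Build a timestamped record of the attempt for session traceability."""
    now = now or datetime.now(timezone.utc)
    return {
        "session_id": session_id,
        "timestamp": now.isoformat(),
        "components": [(c.kind, c.category, c.verified) for c in components],
        "strong": is_strong_authentication(components),
    }


# Constructed sample components for demonstration.
PASSWORD = Authenticator("password", KNOWLEDGE, True, "app_login")
PIN = Authenticator("pin", KNOWLEDGE, True, "app_login")
FINGERPRINT = Authenticator("fingerprint", INHERENCE, True, "secure_enclave")
FINGERPRINT_FAILED = Authenticator("fingerprint", INHERENCE, False, "secure_enclave")
# A possession factor whose one-time code is displayed by the same logged-in
# app that takes the password: a different category, but the same channel.
APP_OTP_SAME_CHANNEL = Authenticator("app_otp", POSSESSION, True, "app_login")

if __name__ == "__main__":
    for label, comps in [
        ("password + fingerprint", [PASSWORD, FINGERPRINT]),
        ("password + PIN (both knowledge)", [PASSWORD, PIN]),
        ("password alone", [PASSWORD]),
        ("password + failed fingerprint", [PASSWORD, FINGERPRINT_FAILED]),
        ("password + OTP on same channel", [PASSWORD, APP_OTP_SAME_CHANNEL]),
    ]:
        print(f"{label:34s} strong={is_strong_authentication(comps)}")
    print(session_trace("sess-0001", [PASSWORD, FINGERPRINT]))
```

Only the first combination passes: the others fail on category, on count, on verification, or on the independence requirement. In a real deployment the channel label would be replaced by an actual review of where each secret lives and how it is delivered, which is the assessment the Communiqué's independence requirement calls for.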

Processing Criminal Record Certificates

It is mandatory to obtain and, if necessary, share with public institutions the criminal record certificates of certain individuals such as company representatives, board members, and shareholders to ensure regulatory compliance.

TRANSFER OF PERSONAL DATA

According to Law No. 6698, personal data cannot be transferred without the explicit consent of the data subject, except in specific cases where transfer without consent is permitted. Under Law No. 5549 and the Measures Regulation, payment institutions are required to report suspicious activities related to illegal asset transactions to the Financial Crimes Investigation Board ("MASAK"). The Suspicious Transaction Notification Form may include personal data such as name, surname, national ID number, contact details, and occupation.

Additionally, during payment transactions, data may be collected and processed by both the payment service provider and the merchant. In such cases, data controllership depends on the origin of the data, which could belong to either the merchant or the payment institution. Public authorities may request access to such data when necessary.

For international data transfers, it must first be verified whether there are specific provisions in international treaties or relevant laws. In the absence of such provisions, either an adequacy decision or appropriate safeguards must be ensured in accordance with Article 9 of Law No. 6698. If these are not in place, exceptional data transfer conditions may be applied. When services are provided in cooperation with legal entities abroad, personal data may be transferred internationally. However, pursuant to Law No. 6493, institutions' information systems must be in Türkiye. The Regulation on Payment Services states that such partnerships are only permitted if either the sender or the recipient is located abroad. In these partnerships, transaction records must be kept in Türkiye; otherwise, the foreign partner's systems must also be located within Türkiye. If data transfer occurs, the entire process must be conducted in compliance with Article 9 of Law No. 6698, and necessary technical and administrative measures must be taken.

OBLIGATIONS OF THE DATA CONTROLLER

  1. Obligation to Inform (Transparency Obligation)

Under Law No. 6698, data controllers are obliged to inform data subjects clearly, understandably, and in a timely manner whenever personal data is processed. This obligation can be fulfilled through written, verbal, electronic, or audio notifications, and the burden of proof lies with the data controller.

In transactions where a framework agreement is established, payment institutions are required to directly inform the users. In one-time transactions, if it is not possible to reach the recipient using the data provided by the sender, alternative methods of providing information should be developed and documented.

In cases where third parties such as merchants, representatives, or mobile operators initially collect the data, they may provide the information on behalf of the data controller. However, the ultimate responsibility still lies with the primary data controller. For services such as POS, bill payment, or mobile payment, the data controller must be clearly identified, and the notification must be made accordingly.

  2. Obligation to Register with VERBİS

According to Article 16 of Law No. 6698, data controllers who process personal data must register with the Data Controllers' Registry ("VERBİS") under certain conditions.

The information to be submitted to the Authority during registration includes:

  • The identity and address of the data controller and, if any, its representative
  • The purposes of processing personal data
  • The group(s) of data subjects and categories of personal data
  • Recipient or recipient groups
  • Personal data intended to be transferred abroad
  • Measures taken regarding data security
  • Retention periods and criteria for deletion

It is important that the information provided at registration is consistent, coherent, and explanatory. If any of this information changes after registration, the data controller is obliged to update it on VERBİS within 7 days.

  3. Obligation to Retain and Destroy Personal Data

Under Article 7 of Law No. 6698, personal data must be deleted, destroyed, or anonymized when the reasons for its processing no longer exist and in accordance with relevant legal provisions. Data controllers are permitted to retain personal data only for as long as required by applicable law or necessary for the purpose of processing. Data may not be retained simply in case it might be useful in the future.

The Guide recommends that data controllers prepare a personal data retention and destruction policy. This policy must comply with the principle of limitation and the retention periods established by legislation. If no specific retention period is provided in the relevant law, data must only be retained for as long as is necessary to fulfill the purpose of processing. These durations must be clearly stated in VERBİS notifications.

Retention periods should be assessed by considering not only the statutory periods but also the maximum retention periods determined by the data controller. Once these periods expire, data must be deleted, destroyed, or anonymized in compliance with the law.

  4. Rights of the Data Subject and Handling of Complaints

Constitutional Rights

Article 20 of the Constitution guarantees the right to the protection of personal data. Under this right, individuals may request to learn whether their data is being processed and may demand the correction or deletion of their data. Personal data can only be processed with explicit consent or in cases explicitly provided by law.

Rights under Law No. 6698

Data subjects may apply to the data controller to exercise the following rights:

  • To learn whether their personal data is being processed,
  • To request information if their data has been processed,
  • To learn the purpose of the processing and whether it is used in line with that purpose,
  • To know the third party to whom the data is transferred domestically or abroad,
  • To request correction if the data is incomplete or incorrect,
  • To request deletion or destruction of the data,
  • To request notification of the rectification or deletion to third parties to whom the data was transferred,
  • To object to the occurrence of a result against them through the exclusive analysis of the data by automated systems,
  • To request compensation if they suffer damage due to unlawful data processing.

Application and Complaint Process

Pursuant to Article 13 of Law No. 6698, data subjects must first apply to the data controller. This application can be submitted in written form or through electronic means. Required information includes name and surname, Turkish identity number (if the applicant is a Turkish citizen), notification address, signature (if in writing), ID or passport copy depending on nationality, email/phone/fax number, and subject of the request.

Form and Timeframe of Application

To exercise their rights regarding personal data, data subjects must first apply to the data controller. Applications can be made in writing, via registered electronic mail (KEP), secure electronic signature, or through the relevant system. The data controller is obliged to respond to the request free of charge within 30 days at the latest. If the response is insufficient or not provided at all, the data subject may file a complaint with the Personal Data Protection Board ("the Board"). The deadline for applying to the Board is 60 days from the date of the request if no response is received, or 30 days from the date a response is received if the response is deemed inadequate. The Board may order the data controller to rectify the issue based on its examination. Such orders must be complied with within 30 days, and the result must be reported back to the Board.

Right of Access by Data Subjects

According to Article 11 of Law No. 6698, data subjects have the right to learn whether their personal data is being processed and to request access to such data. Requests for access are evaluated by the data controllers and must be fulfilled while taking necessary technical and administrative measures. It is emphasized that such requests must be carried out in a manner that does not infringe on the rights of third parties and ensures data security.

  5. Obligation to Comply with Board Decisions

In cases where an investigation is initiated at the request of the Board or following a complaint, data controllers must submit the necessary documents to the Board. If a violation of the law is determined, the Board may issue a decision instructing the data controller to remedy the violation. This decision must be implemented within 30 days, and its fulfillment must be reported to the Board. For the processing of sensitive personal data, the technical and administrative measures set by the Board must be applied.

  6. Obligation to Notify Data Breaches

If personal data is obtained through unlawful means, the data controller must immediately notify the Board.

This obligation is regulated under the section titled "Incident Management and Cyber Events" of the Communiqué on Data Sharing Services.

DATA SECURITY

Data controllers are responsible for ensuring the security of personal data, including preventing unauthorized access, securing the system infrastructure, and promptly reporting breaches to the Board. Necessary technical and administrative measures must be implemented in all these respects.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
