13 Oct, 2022

Transfer Of Personal Data And Remote Access In The Banking Sector

I. General Information


In line with today’s technological developments, the banking sector is undergoing a technological transformation. This transformation has increased the provision of services in digital environments, without the need to visit a branch, in place of classical banking methods. Although this change brings convenience both to banks and to the individuals using their services, it may also have negative consequences for the privacy of individuals and for data protection law. To minimize these consequences, a bank providing services must take into account the provisions of the Personal Data Protection Law No. 6698 (“Law”) and, in particular, its own sector-specific legislation. In this context, the conditions under which banks process personal data, the general conditions for transferring personal data, and the transfer of personal data processed in the banking sector are examined below.

Under the first paragraph of Article 5 of the Law, personal data (other than special categories) cannot be processed without explicit consent. Under the second paragraph, however, explicit consent is not required where:

  • a) it is expressly stipulated in the laws;
  • b) processing is necessary in situations of actual impossibility;
  • c) processing the personal data of the parties to a contract is necessary, provided that it is directly related to the establishment or performance of the contract;
  • ç) processing is mandatory for the data controller to fulfil its legal obligations;
  • d) the data subject is [...];
  • e) data processing is mandatory for the establishment, exercise or protection of a right;
  • f) data processing is necessary for the legitimate interests of the data controller, provided that it does not harm the fundamental rights and freedoms of the data subject.

Under Article 6 of the Law, special categories of personal data cannot be processed without the explicit consent of the data subject. However, special categories of personal data other than those relating to health and sexual life may be processed without explicit consent in the cases stipulated by law, and personal data relating to health and sexual life may be processed without explicit consent only by persons or authorized institutions and organizations under an obligation of confidentiality, for the purposes of protecting public health, preventive medicine, medical diagnosis, treatment and care services, and the planning, management and financing of health services. When processing special categories of personal data, it is also essential to take the adequate measures determined by the Board.

Transfer of Personal Data

Personal data transfer: the conditions under which a data controller that processes personal data on one of the lawful bases listed in Articles 5 and 6 of the Law may transfer that data to a data controller resident in Turkey are regulated in Article 8 of the Law, and the conditions for transfer to a data controller abroad are regulated in Article 9.

Under the first paragraph of Article 8 of the Law, which regulates domestic data transfer, personal data cannot be transferred without explicit consent. Under the second paragraph, however, personal data may be transferred domestically without the explicit consent of the data subject where a) one of the conditions in the second paragraph of Article 5 is met, or b) one of the conditions in the third paragraph of Article 6 is met, provided that adequate measures are taken. Article 8/3 of the Law provides that the provisions of other laws regarding the transfer of personal data are reserved.

Article 9 of the Law, on data transfer abroad, reads as follows:

  • “(1) Personal data cannot be transferred abroad without the explicit consent of the data subject.
  • (2) Personal data may be transferred abroad without the explicit consent of the data subject where one of the conditions specified in the second paragraph of Article 5 or the third paragraph of Article 6 exists and, in the foreign country to which the personal data will be transferred,
    • a) adequate protection is available, or
    • b) in the absence of adequate protection, the data controllers in Turkey and in the relevant foreign country undertake adequate protection in writing and the Board grants permission.
  • (3) Countries with adequate protection are determined and announced by the Board.
  • (4) The Board decides whether there is adequate protection in the foreign country and whether permission will be granted pursuant to subparagraph (b) of the second paragraph by evaluating:
    • a) the international conventions to which Turkey is a party,
    • b) the reciprocity of data transfer between the country requesting personal data and Turkey,
    • c) for each concrete personal data transfer, the nature of the personal data and the purpose and duration of its processing,
    • ç) the relevant legislation and practice of the country to which the personal data will be transferred,
    • d) the measures undertaken by the data controller in the country to which the personal data will be transferred, and by obtaining the opinion of the relevant institutions and organizations where needed.
  • (5) Without prejudice to the provisions of international conventions, in cases where the interests of Turkey or of the data subject would be seriously harmed, personal data may be transferred abroad only with the permission of the Board, after obtaining the opinion of the relevant public institution or organization.
  • (6) Provisions in other laws regarding the transfer of personal data abroad are reserved.”

Data transfer, which is itself a data processing activity, primarily requires explicit consent under the Law. However, where one of the conditions set out in Articles 5 and 6 explained above exists, personal data may be transferred abroad without explicit consent if there is adequate protection in the destination country or, in the absence of adequate protection, with the permission of the Personal Data Protection Board after the data controllers in Turkey and in the relevant foreign country have undertaken adequate protection in writing. The Board determines whether destination countries have adequate protection and announces this to the public. To date, the Board has not declared any countries as having adequate protection. In addition, paragraph 6 of the article provides that provisions in other laws regarding transfer abroad are reserved.

II. Personal Data Transfer in the Banking Sector

Today almost every individual has a relationship with a bank, since payments for the services and products we receive in every field are made in electronic/digital channels. Within the framework of the services they offer, banks collect a great deal of personal data in order to fulfil their legal obligations. In accordance with primary and secondary legislation, this personal data must be collected, preserved, transferred and, when the legal obligation expires, properly disposed of.

The principles, rules and provisions regarding the protection of the rights and interests of depositors, and of personal data, in the field of banking are regulated in the Banking Law No. 5411 (“Banking Law”).

The third paragraph of Article 73 of the Banking Law, titled Keeping Secrets, provides: “Data belonging to real and legal persons, which are formed after establishing a customer relationship with banks specific to banking activities, become customer secrets. Without prejudice to the mandatory provisions of other laws, information in the nature of customer secret cannot be shared with or transferred to third parties at home or abroad without a request or instruction from the customer, even if the customer’s explicit consent is obtained in accordance with the Personal Data Protection Law No. 6698. As a result of its assessment on economic security, the Board is authorized to prohibit the sharing or transfer of all kinds of data in the nature of customer secrets or bank secrets to third parties abroad, and to take decisions regarding the information systems used by banks in carrying out their activities and the keeping of their backups in the country. Information in the nature of customer secrets and bank secrets, including sharing made in the cases exempted from the confidentiality obligation specified in this article, may be shared only to the extent limited to the stated purposes and including as much data as those purposes require, in accordance with the principle of proportionality.”

Regarding the protection of personal data, the banking legislation, which is the special law for the banking sector, should be considered first. The Banking Law defines a customer as a natural or legal person benefiting from at least one of the activities described in Article 4. Customer secret can be defined as all information obtained by the bank, within the framework of its activities, about the economic, financial, commercial and/or professional status of persons who have established or will establish a legal relationship with the bank, about the services they receive or wish to receive, or about the legal relationship between the parties. In short, customer secret is the data belonging to real or legal persons obtained from the customer relationship established between the bank and the service user. Taking the converse of this concept, it follows that data obtained from the relevant person or from other channels before any relationship is established between the bank and the customer will not be considered customer secret.

Personal Data and Customer Secret Relationship

Personal data is defined in Article 3/1-d of the Law as “any information relating to an identified or identifiable natural person”. As the definition shows, the subject of personal data is a natural person. The definition of customer secret, by contrast, is broader: it covers data belonging to a real or legal person obtained after a customer relationship is established with the bank. Therefore, data obtained by the bank from real persons before a customer relationship is established is personal data in the classical sense, and the Personal Data Protection Law clearly applies to it, whereas data obtained from a real or legal person after the customer relationship is established is governed first by the banking legislation, which is the special law.

Banks' Evaluation of Transferring Personal Data

Article 73/3 of the Banking Law is a special provision within the scope of data protection legislation and has been detailed above. Under this paragraph, data in the nature of customer secret cannot be transferred domestically or abroad without a direct request or instruction from the customer, even if explicit consent has been obtained in accordance with the Law. As an exception, in the cases that fall outside the obligation to keep secrets under Article 73/3 of the Banking Law, a transfer made in accordance with the conditions set forth in the Regulation on Sharing of Secret Information, published in the Official Gazette dated 4 June 2021 and numbered 31501 and in force since 01/01/2022, will be considered lawful without the need for a customer request or instruction. Outside these exceptions to the confidentiality obligation, however, the customer’s request or instruction is required for a transfer to be made.

Banks' Use of Cloud Computing Services

Article 73/3 of the Banking Law provides: “As a result of its assessment on economic security, the Board is authorized to prohibit the sharing or transfer of any data that is a customer secret or a bank secret to third parties abroad, and to decide on the information systems used by banks to carry out their activities and the keeping of their backups in the country.” In accordance with this provision, the Regulation on Information Systems of Banks and Electronic Banking Services (“BS Regulation”) was published in the Official Gazette dated March 15, 2020 and numbered 31069. Article 25 of the BS Regulation, titled Primary and secondary systems, reads:

  • “(1) It is obligatory for banks to maintain their primary and secondary systems domestically.
  • (2) Regardless of the number of backups of primary systems, all kinds of backups of primary systems are considered secondary systems and are subject to the provisions of the first paragraph.
  • (3) Systems such as in-bank messaging systems and market monitoring platforms, which do not aim to carry out banking activities or fulfill the responsibilities defined in the Law and legislation, are not within the scope of primary systems. In order for any system or application used by the bank not to fall within the scope of primary systems, it is necessary not to carry out any business process over the system or application, and not to process, transmit or store sensitive data or data that may be classified as confidential.
  • (4) With the exception of banking transactions such as payment or messaging systems, where interaction with abroad is required by the nature of the transaction, it is essential that the bank does not perform banking transactions through a system established abroad without being subject to an approval process, and that it can continue to offer its banking activities within the country through its domestically established primary and secondary systems even where its connections to foreign communication networks are cut off.
  • (5) Where outsourcing or cloud computing services are procured for an activity within the scope of primary or secondary systems, the information systems used by the outsourcing provider to carry out the activities related to the service provided, and their backups, are also considered within the scope of primary and secondary systems and must be kept in the country.”

Under Article 25/1 of the BS Regulation, in line with Article 73/3 of the Banking Law, the primary and secondary systems of banks must be located in the country. Article 25/5 of the regulation does not restrict the use of cloud computing services, but since a cloud computing service obtained through outsourcing is also treated as a primary or secondary system under Article 25/1, the cloud computing systems must be located in the country.

Remote access to in-bank applications

Article 14/7 of the Regulation on Banks’ Information Systems and Electronic Banking Services provides that, unless there is a mandatory business requirement approved by the Information Security Officer, remote access to in-bank applications and systems from outside the bank is not performed by bank personnel or external service providers. Where remote access is mandatory, secure connection methods based on multi-factor authentication are applied, accesses are logged, the duration of the connection and the devices from which connections can be made are restricted, and the user is forced to re-verify their identity at regular intervals.

Under today’s conditions, banking sector employees, like employees in many other sectors, have to work remotely and need secure remote connections to in-bank applications in order to ensure business continuity. For secure, multi-factor remote access as required by the regulation, implementing Zero Trust Network Access (ZTNA), the architecture that is changing the rules in cyber security and which we frequently review on our page, has become important in the banking sector.
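The controls listed in Article 14/7 map directly onto a per-request access policy, which is how a ZTNA broker typically enforces them. The following is an added illustration, not code from the regulation or from any bank: each remote access request must carry an ISO-approved business need and a completed second factor, originate from an inventoried device, stay within a connection duration limit and a re-verification interval, and every decision (allow or deny) is written to an access log. The limit values, device identifiers and user names are constructed for the example; the regulation requires the limits to exist but does not fix them.

```python
from dataclasses import dataclass, asdict
from datetime import datetime, timedelta, timezone

# Policy parameters. Article 14/7 requires duration and device restrictions and
# periodic re-verification; these concrete values are constructed for the example.
MAX_SESSION = timedelta(hours=8)                    # connection duration limit
REAUTH_INTERVAL = timedelta(minutes=30)             # periodic identity re-verification
APPROVED_DEVICES = {"LAPTOP-0412", "LAPTOP-0733"}   # constructed device inventory

@dataclass(frozen=True)
class AccessRequest:
    user: str
    device_id: str
    app: str
    iso_approved: bool        # Information Security Officer approved a business need
    mfa_verified: bool        # second factor completed for this connection
    session_started: datetime
    last_verified: datetime   # last time the user re-proved their identity
    now: datetime

ACCESS_LOG: list[dict] = []   # every decision is recorded, whether allowed or denied

def evaluate(req: AccessRequest) -> tuple[bool, str]:
    """Apply the 14/7 controls in order; return (allowed, reason) and log the decision."""
    if not req.iso_approved:
        verdict = (False, "no ISO-approved business requirement")
    elif not req.mfa_verified:
        verdict = (False, "multi-factor authentication not completed")
    elif req.device_id not in APPROVED_DEVICES:
        verdict = (False, "device not in the approved inventory")
    elif req.now - req.session_started > MAX_SESSION:
        verdict = (False, "connection duration limit exceeded")
    elif req.now - req.last_verified > REAUTH_INTERVAL:
        verdict = (False, "periodic re-verification required")
    else:
        verdict = (True, "access to application granted")
    entry = asdict(req)
    entry.update(allowed=verdict[0], reason=verdict[1])
    ACCESS_LOG.append(entry)
    return verdict

def sample_requests() -> list[AccessRequest]:
    """Constructed requests covering the happy path and the main denial branches."""
    t0 = datetime(2022, 10, 13, 9, 0, tzinfo=timezone.utc)
    base = dict(user="analyst1", device_id="LAPTOP-0412", app="core-banking-ui",
                iso_approved=True, mfa_verified=True, session_started=t0, last_verified=t0)
    return [
        AccessRequest(**base, now=t0 + timedelta(minutes=10)),                         # granted
        AccessRequest(**{**base, "iso_approved": False}, now=t0 + timedelta(minutes=10)),
        AccessRequest(**{**base, "device_id": "UNKNOWN-01"}, now=t0 + timedelta(minutes=10)),
        AccessRequest(**base, now=t0 + timedelta(minutes=45)),                         # re-verify
        AccessRequest(**{**base, "last_verified": t0 + timedelta(hours=8, minutes=50)},
                      now=t0 + timedelta(hours=9)),                                    # too long
    ]

if __name__ == "__main__":
    for r in sample_requests():
        print(r.user, r.device_id, r.now.time(), evaluate(r))
```

The ordering of the checks matters in practice: a missing business approval or second factor is rejected before any device or session state is consulted, so the log shows the first failing control rather than a cascade of reasons.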

III. Conclusion

Although the general data protection law in our national legislation is the Personal Data Protection Law No. 6698, as seen in Articles 8/3 and 9/6 of the Law, the provisions of other laws are reserved in the implementation of its provisions. Likewise, the Personal Data Protection Board, in its decision dated 09/04/2020 and numbered 2020/265, stated that where other laws contain special provisions regarding data transfer abroad, these provisions will be applied with priority pursuant to the sixth paragraph of Article 9 of the Law.

In light of this, banks may transfer the data of real persons that is not customer secret in accordance with the Personal Data Protection Law, and may make transfers in accordance with the Banking Law. Acting in accordance with the banking legislation, which is the special norm, does not mean that the Personal Data Protection Law, which in the concrete case is the general norm, is set aside; the transfer should still be made in accordance with the general principles listed in the Law and by taking the other necessary precautions.

For remote access, Zero Trust Network Access should be deployed for full compliance with the regulation, as it enables users to connect securely to in-house applications with multi-factor authentication without ever granting network access or exposing applications to the internet. In terms of ISO 27001:2013 Information Security Management System Annex A control 13.1.2, Security of network services, ZTNA ensures the security of network services by allowing access to applications rather than to networks.
