02 Sep, 2022

Banking Sector Good Practices Guide On The Protection Of Personal Data

I. Introduction

The Law on the Protection of Personal Data No. 6698 (“Law”) came into force in 2016. Banks are among the institutions that individuals deal with most frequently in their daily lives; within the scope of their activities, they obtain personal data intensively through various channels and process it for various purposes. It is therefore extremely important, both for the natural persons whose data is processed and for the institutions processing it, to explain, with examples of good practice, the procedures and principles that banks must comply with and the obligations they must fulfil under the Law and the relevant secondary legislation.

In this context, the Guide to Good Practices on the Protection of Personal Data in the Banking Sector (“Guide”), prepared in cooperation with the Personal Data Protection Authority (“KVKK”) and the Banking Regulation and Supervision Agency (“BDDK”) to serve as a guiding regulation, was shared with the public on 5 August 2022 through the KVKK website. We have compiled the good practice examples contained in the Guide for you.

II. Explicit Consent

Under the Law, the principal condition for processing personal data is the explicit consent of the data subject, which applies in the absence of the other lawful processing conditions set out in Articles 5/2 and 6/3 of the Law. Explicit consent is defined in Article 3 of the Law as “consent related to a specific subject, based on information and expressed with free will”. According to this definition, for explicit consent to be valid under the Law, three conditions must be met: the consent must relate to a specific subject, it must be based on information provided through a clarification made in accordance with the Law, and it must be given with the free will of the data subject.

Since explicit consent obtained from data subjects does not have to be in “written” form, the bank does not have to obtain a signed written text; however, the data controller bears the burden of proving that explicit consent was obtained. As there is no formal requirement, the data controller must carry out explicit consent procedures that comply with the Law and are prepared specifically for each channel through which explicit consent will be obtained.

Branch

In the branch channel, approval of explicit consent texts can be obtained from data subjects by wet signature or by other methods stipulated in legislation to replace it (digital signature, e-signature, etc.).

ATM

Where explicit consent is requested from data subjects via ATM, consent to the explicit consent text can be obtained after the data subject has logged in to that channel.

Internet/Mobile Banking

In internet/mobile banking channels, explicit consent can be obtained using boxes, buttons or similar elements that data subjects tick themselves. In selections made with such methods, the options must not be pre-selected.

Call Center

In the call center, explicit consent can be obtained by giving data subjects the option to press a key or to declare their preference verbally to the customer representative.

SMS

Data subjects can be informed via SMS sent to the phone numbers registered with the bank, and then directed to respond regarding the processing of their personal data by means of a verification code sent via SMS.

Electronic Mail

Clarification and explicit consent texts can be sent to the e-mail addresses of data subjects registered with the bank, and boxes can be presented in this channel for data subjects to indicate whether or not they accept the explicit consent text.

Regarding information/document transfers in which banks process personal data in cases where explicit consent is not required: the obligation to disclose customer and bank secrets to authorities expressly authorized by law should be limited to the information requested by the authorized authority, and the Bank should not, at its own discretion, share more natural person data than is clearly stated in the authorized authority’s request. Therefore, when personal data is shared with institutions and organizations authorized to request information and documents from banks, the shared information/documents should be limited to the requested data; where this is not possible, other personal data in the relevant document should be deleted/masked/anonymized.

III. Special Categories of Personal Data Processed by Banks

Special categories of personal data are defined in Article 6 of the Law as an exhaustive list: data relating to race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, clothing and attire, membership of associations, foundations or trade unions, health, sexual life, criminal convictions and security measures, as well as biometric and genetic data.

The Law subjects the processing of special categories of personal data to stricter conditions than ordinary personal data. Under these conditions, special categories of personal data other than health and sexual life may be processed without the explicit consent of the data subject only in cases stipulated by law; personal data relating to health and sexual life may be processed without explicit consent only for the purposes of protecting public health, preventive medicine, medical diagnosis, treatment and care services, and the planning, management and financing of health services, and only by persons under an obligation of confidentiality or by authorized institutions and organizations. Examples of good practice in the processing of sensitive personal data discussed in the Guide are given below.

Identity Document Copies

Banks review the processes in which a copy of the identity document is obtained and, if necessary, revise them to comply with the relevant legislation. In this context:

  • The sensitive data contained in the identity document should not be processed without explicit consent.
  • Where possible, only the front side/relevant page of the identity document should be processed, so that the sensitive data on the identity document is not processed.
  • If special categories of personal data on the identity document are processed in the bank’s relevant processes for a purpose other than identification, technical and administrative measures should be taken to black out the special category data fields on the identity photocopy, or not to use such data, for persons whose explicit consent to processing for that purpose cannot be obtained.

Health Reports

Banks review the processes in which their customers’ health data is processed and, if necessary, revise them to comply with the relevant legislation. In this context:

  • Banks should check whether, in the current situation, the explicit consent of the data subject is obtained in processes where health data is processed.
  • The health data of persons who have not given explicit consent to the processing of their health data for the purposes targeted by the relevant process should not be processed.

Criminal Conviction and Security Measures

Banks review the processes in which personal data regarding criminal convictions and security measures in court decisions is processed and, if necessary, revise them to comply with the relevant legislation. In this context, banks should note the following:

  • Requesting criminal conviction (criminal record) information from job candidates is not a process explicitly stipulated in law, so it may be preferable not to collect this information. If this information is considered absolutely necessary, it must be collected with the explicit consent of the job candidate.
  • A customer’s criminal record can be processed without additional explicit consent in order to evaluate a check ban. However, if the criminal record is used for a purpose other than the check ban evaluation, at least one of the processing conditions for special categories of personal data specified in Article 6 of the Law must also be present in order to process the criminal record data for that purpose.

Employee Health Data

Banks review the processes in which their employees’ health data is processed and, if necessary, revise them to comply with the relevant legislation. In this context, banks:

  • Should, as far as possible, process employees’ health data through the workplace doctor and establish processes that prevent the workplace doctor from sharing such data within the bank (for example, if an employee undergoes a health check for suitability for a job/position, the workplace doctor should share with the bank only whether the person is suitable for the position).
  • Should, if departments within the bank other than the workplace doctor (such as human resources or occupational health and safety) need access to employees’ health data, apply access authorization/restriction to this health information, so that only specific persons/departments within the bank can access the health data, with the legal basis stated.
  • Should, in accordance with the Decision of the Personal Data Protection Board dated 31/01/2018 and numbered 2018/10 on “Adequate Measures to be Taken by Data Controllers in the Processing of Special Categories of Personal Data”, keep sensitive data, including health data, in encrypted form, log operations on the data, apply access authorization and take the other measures included in the Decision.
  • Must, in the current situation, in any case obtain the explicit consent of the employee, since banks are required to process employee health data.

IV. Obligation to Inform (Clarification Obligation)

The data controller’s obligation to inform can be summarized as providing the data subject with information on: the identity of the data controller and, if any, its representative; the purposes for which the personal data will be processed; to whom and for what purposes the processed personal data may be transferred; the method and legal basis for collecting the personal data; and the other rights listed in Article 11 of the Law.


Layered clarification means that, while personal data is being obtained, the data subject is first given preliminary information about the acquisition of personal data through a short, easy-to-understand text and is simultaneously (just in time) pointed/referred to detailed explanations in a fuller text, in line with the purpose of Article 10 of the Law. Examples of good practice given in the Guide for fulfilling the clarification obligation are shown below.

Branch

In fulfilling the clarification obligation under the Law, clarification can be made in the branch through visual or printed media (banners, brochures, boards, digital screens, etc.) in a way that informs the data subject.

Web Site

It is recommended that the bank’s clarification texts be easily accessible on its website. In this way, customers directed to these texts through the links provided in layered clarifications can easily access them, and banks can fulfil their clarification obligations.

Internet Branch

Internet branch users can be informed through clarification texts presented to them via the internet branch.

Mobile Branch and Mobile Application

Mobile branch/application users can be informed through clarification texts presented via the mobile branch/application. The obligation can also be fulfilled by sending data subjects a clarification text via push notification and informing them with a short, guiding clarification text.

Call Center/IVR

In the call center/IVR, clarification can be made by offering the option to press a key at the start of the call and providing a sample clarification text to those who wish to listen to it.

Electronic Mail

Clarification can be sent to the e-mail addresses used by data subjects to communicate with the bank (for example, the addresses to which account statements and credit card statements are sent) or to their electronic notification addresses.

Physical Mail

Clarification can be provided by sending the clarification text (for example, in the same envelope as the credit card statement) to the address notified to the bank by the data subject as their communication/notification address.

SMS

In clarifications made via SMS, layered clarification can be made by including a text of the length permitted by the channel together with a link that leads to the clarification text when clicked.

ATM

In notifications made through the ATM channel, which, like the Short Message Service (SMS), is an area where only a limited number of characters can be displayed, layered clarification is possible by including a short text and allowing the data subject to access the full clarification text afterwards.

For the full text of the Guide, you can visit https://kvkk.gov.tr/SharedFolderServer/CMSFiles/12236bad-8de1-4c94-aad6-bb93f53271fb.pdf.
