Good Practices Guide For The Banking Sector On Personal Data Protection Updated
In cooperation with the Personal Data Protection Authority and The Banks Association of Turkey, the Banking Sector Good Practices Guide on the Protection of Personal Data (“Guide”), which includes comprehensive assessments and good practice examples regarding personal data processing activities specific to the banking sector, was published in July 2022. The Guide was updated in December 2024, considering the amendments made to the Personal Data Protection Law (“PDP Law”) on March 12, 2024. You can access the current version of the Guide here.
The Guide's explanations regarding processing special categories of personal data have been expanded within the framework of the amended Article 6 of the PDP Law. Regarding the transfer of data abroad, the explicit consent-based system has been abandoned, and provisions have been established for data transfer based on adequacy decisions, appropriate safeguards, and occasional transfers. As such, the Guide has also been reviewed concerning Article 9 of the PDP Law. Several essential points regarding occasional transfers abroad have been highlighted, emphasizing that cases of occasional transfer should be interpreted in a very narrow manner.
In the Guide, an example of an occasional transfer is provided whereby Bank “A”, located in Turkey, sends the personal data of the relevant customer to Bank “B,” based in Ethiopia, to fulfill the money transfer request. It is noted that, in this example, the transfer can be conducted under Article 9/6(a) of the PDP Law by obtaining the explicit consent of the data subject after informing him/her about the risks that may arise, provided that the transfer is not regular, does not show continuity, occurs rarely, and is not among the Bank's usual transactions. However, since the transfer of money is among the usual transactions of banks, it is unclear which transactions are meant by the expression “usual transactions of the bank” in this example. In addition, considering that the transaction in the example is carried out to fulfill a request given by the customer, it seems possible that the transfer abroad could be carried out based on the legal ground that “the transfer is mandatory for the establishment or performance of a contract between the data controller and another natural or legal person for the benefit of the data subject” under Article 9/6(c) of the PDP Law. In this respect, the requirement of explicit consent in the Guide raises questions.
Another example of occasional circumstances is a bank's transfer of personal data to conduct a litigation process, provided that this transfer is mandatory for the establishment, exercise, or protection of a right and that the transfer is not regular, does not show continuity, and occurs rarely.
Consequently, the Guide’s examples require further clarification. Future decisions made by the Personal Data Protection Board are anticipated to illuminate these issues and provide more precise guidance.
For further information and support, please contact us at info@lbfpartners.com.
LBF Partners Law Firm