Good Practice Guideline on the Protection of Personal Data in the Payment and Electronic Money Sector

17.04.2025 Beril Cimitoğlu

The Good Practice Guideline on the Protection of Personal Data in the Payment and Electronic Money Sector (Guideline) was published on 11.04.2025 on the website of the Turkish Personal Data Protection Authority (Authority).

The Guideline presents best practice examples regarding the processing of personal data by payment service providers within the scope of financial services such as money remittance, POS services, bill payment, and mobile payments (payment services) regulated under Law No. 6493 on Payment and Securities Settlement Systems, Payment Services and Electronic Money Institutions.

The Guideline elaborates on key topics such as the obligation to inform data subjects, obtaining explicit consent, processing sensitive personal data, cross-border transfer, implementation of technical and administrative security measures, data controller–data processor relationships, registration with the Data Controllers’ Registry (VERBIS), data retention and destruction obligations, application and complaint procedures.

Key highlights from the Guideline are summarized below:

  • The Guideline emphasizes that, depending on the specific circumstances and without being limited to them, payment service providers (banks, payment institutions, electronic money institutions, and PTT under the Banking Law No. 5411) as well as mobile network operators and employers may be considered data controllers in the provision of payment services. It includes a service-based table and provides detailed explanations regarding these processes.
  • The Guideline states that the personal data processed in the payment and electronic money sector may vary depending on the nature of the service. Categories such as identity, contact, financial, transaction security, and biometric data are processed in accordance with sectoral and technical regulations. Furthermore, identity verification procedures under MASAK Communique No. 5 are elaborated.
  • The Guideline refers to the 06/2020 Guideline prepared by the European Data Protection Board (EDPB) regarding the interaction of the Second Payment Services Directive (PSD2) and the European General Data Protection Regulation (GDPR) and defines individuals whose personal data is processed in connection with the provision of payment services, even if they are not direct customers of the service provider, as "silent parties." In such cases, the data must be processed for lawful, specific, and legitimate purposes, and only to the extent necessary for the initial processing purpose (to fulfill a contract between the service provider and the payment service user), and any further processing must be based on a valid legal ground.
  • The Guideline also draws attention to the personal data protection aspect of audits conducted by the Central Bank of the Republic of Türkiye. Additionally, it is noted that independent audits contribute to ensuring the transparency and compliance of personal data processing activities with applicable regulations.

All rights of this article are reserved. This article may not be used, reproduced, copied, published, distributed, or otherwise disseminated without quotation or Erdem & Erdem Law Firm's written consent. Any content created without citing the resource or Erdem & Erdem Law Firm’s written consent is regularly tracked, and legal action will be taken in case of violation.
