The Banking Sector Best Practices Guide on Personal Data Protection Updated

The Banking Sector Best Practices Guide on Personal Data Protection (Guide), prepared in collaboration with the Personal Data Protection Authority (Authority) and the Banks Association of Turkey, has been updated.

The Guide has been aligned with the amendments made to the Code of Criminal Procedure No. 7499 published in the Official Gazette dated 12.03.2024, issue number 32487, and the Law on Amendments to Some Laws, as well as the changes made to the Personal Data Protection Law No. 6698 (KVKK Amendments). 

The changes made in Section VIII titled 'Transfer of Personal Data' are briefly summarized below: 

• Explanations regarding the conditions for the transfer of sensitive personal data within the country have been expanded by the amendments made in Article 6 of the Personal Data Protection Law (KVKK). 
• Evaluations regarding transfers abroad have been aligned with the comprehensive amendments made in Article 9 of the KVKK, which includes regulations on transferring of personal data abroad. Additional explanations on adequacy decisions, appropriate safeguards, and occasional transfers have been included. 
• For banks, examples of occasional transfers, which can be made without the need for an adequacy decision or appropriate safeguard, have been provided, given that the conditions specified in Article 9 of the KVKK, such as explicit consent, are met. Accordingly; 

1. The transfer of a customer's personal data by a bank established in Turkiye to a bank located in Ethiopia to execute a money transfer request may be possible under certain conditions. This type of data transfer can be carried out provided that the data subject is informed about the risks associated with the absence of an adequacy decision or appropriate safeguards, and their explicit consent is obtained. Moreover, the transfer must not be a regular, ongoing, or recurring transaction and must not be part of the bank's usual operations. 
2. Similarly, the transfer of personal data by a bank abroad to conduct a legal process can only be carried out when the transfer is necessary for the establishment, use, or protection of a right, and provided it is not a regular, continuous, or customary transaction. 

• The Guide contains significant evaluations on priority legal regulations within the scope of Article 9/10 of the KVKK. Accordingly, the provisions under the Banking Law No. 5411, Article 73 titled “Confidentiality of Secrets”, and the Regulation on the Sharing of Confidential Information are reserved for transfers abroad under these regulations. In this context, the provisions of the Banking Law No. 5411 and the aforementioned Regulation must be considered when transferring personal data that qualifies as banking or customer secrets abroad within the limits specified in the relevant legislation. 

The Guide aims to provide a concrete structure for aligning with the changes made under the KVKK, with practical examples from the application.