Author: Defne Pirildar
Introduction
Banks process large volumes of personal data in their daily operations. To guide the handling of this sensitive information, the Turkish Personal Data Protection Authority (“Authority”), in cooperation with the Banks Association of Turkey, published the Good Practice Guidelines on Personal Data Protection in the Banking Sector (“Guidelines”) on 5th August 2022. This Newsletter aims to provide a general framework for the Guidelines.
Data Controller and Data Processor
The Guidelines state that banks are data controllers in their activities within the scope of Article 4 (Fields of activity) of Banking Law No. 5411 (“Banking Law”). However, the Guidelines state that the characteristics of a particular case should be considered to determine whether a bank qualifies as a data controller or a data processor for operations it conducts as an agent or intermediary organization regarding insurance, private pensions, investment instruments, international fast money transfers and payment of invoices, taxes and fees. For instance, they state that a separate assessment is necessary for services that banks provide to their subsidiaries: a bank located in Turkiye will be considered a data processor in terms of the service it provides to its subsidiary abroad for the signing of a loan agreement. Another example is insurance activities carried out by banks in their capacity as agents. If a bank does not decide which personal data will be processed, for which purposes and by which means, and if the responsibility for the establishment and management of the data recording system lies with the insurance company, then the bank will be considered a data processor.
Moreover, the Guidelines draw attention to joint data controllers and to data processing agreements. They indicate that provisions related to data processing can be included either in the service agreement or in a separate arrangement. They also list the items to be included in these agreements and recommend that the agreements be made in writing.