Policy For Protection and Processing of Personal Data

1       GENERAL INFORMATION

1.1     Introduction

Protection of personal data is one of the most important priorities of Turkland Bank Anonim Şirketi (“Bank”), and the Bank does its best to act in compliance with all current legislation. The most important part of this subject is Turkland Bank Anonim Şirketi’s Policy for Protection and Processing of Personal Data (“Policy”).

This Policy describes the principles adopted for the execution of personal data processing activities by our Bank, as well as the basic principles adopted for compliance of our Bank’s data processing activities with the regulations in Law No. 6698 on Protection of Personal Data (“Law”). In this way our Bank informs the owners of personal data and ensures the necessary transparency. Fully aware of our responsibility in this regard, we process and protect your personal data under this Policy.

1.2     Scope

This Policy relates to all personal data of persons other than our Bank’s employees (full and/or part-time employees, interns, expatriates, members of the board of directors and/or their representatives), which are collected through automatic or non-automatic means, provided that they are part of a data processing system.

Detailed information regarding owners of personal data can be found in ANNEX-2 of the Policy (“ANNEX 2 – Data Subject”).

Activities performed by our Bank for the protection of personal data of our employees are managed under the Policy on Protection and Processing of Personal Data of Employees of Turkland Bank A.Ş., which is prepared in parallel with the principles of this Policy.

2       PRINCIPLES OF PROCESSING OF PERSONAL DATA

2.1     Principles of Processing the Personal Data

Our Bank processes personal data in accordance with the procedures and principles prescribed by the Law and other applicable legislation. Accordingly, our Bank processes personal data:

  • In accordance with the law and rules of integrity;
  • Accurately and, where necessary, kept up to date;
  • For specific, clear and legitimate purposes;
  • In a manner connected with and restricted to the purpose of processing, and with care;
  • For the period prescribed by the applicable legislation or as required for the purpose of processing.

2.2     Processing of Personal Data

2.2.1   Processing of Personal Data

Explicit consent of the owner of personal data is only one of the legal bases required for processing of personal data in accordance with applicable legislations and, if any of the following situations occur, the personal data can be processed by our Bank without requiring explicit consent of the owner of such personal data.

The basis for processing personal data can be any one of the following conditions other than explicit consent of the owner of personal data, and more than one of these conditions can also apply at the same time. If the processed data are Special Categories of Personal Data, the conditions written in Article 2.2.2 of this Policy (“Processing of Special Categories of Personal Data”) will be applied.

i. Clear Requirement by Laws

Personal data can be processed if clearly required by certain laws.

ii. Failure to Obtain Explicit Consent of Relevant Person due to Physical Impossibility

If it becomes necessary to process the personal data of a person who cannot provide his/her explicit consent due to physical impossibility, or whose explicit consent cannot be accepted as valid, in order to save his/her or another person’s life or physical integrity, the personal data of such data owner can be processed.

iii. Directly in Connection with Execution or Performance of an Agreement

Personal data relating to the parties to a contract can be processed if this is necessary, provided that the processing is directly related to the establishment or performance of that contract.

iv. Fulfillment of the Bank’s Legal Obligation

If it is required to process personal data in order for our Bank to fulfill its legal obligations as data controller, the personal data of the data owner can be processed.

v. Publicizing of Personal Data by Its Owner

If the data owner publicizes his/her personal data, the relevant personal data can be processed.

vi. Obligation to Process the Data to Establish or Protect a Right

If it is required to process the data in order to establish, exercise or protect a right, the personal data of the data owner can be processed.

vii. Obligation to Process the Data for Legitimate Interests of our Bank

If it is required to process the data for the legitimate interests of our Bank, the personal data of the data owner can be processed, provided that the fundamental rights and freedoms of the personal data owner are not violated.

2.2.2   Processing of Special Categories of Personal Data

Some personal data are classified separately as ‘Special Categories of Personal Data’ and are subject to special protection. These data are treated specially because they may cause unjust treatment or discrimination of persons if they are processed illegally.

Special Categories of Personal Data are processed by our Bank in accordance with the principles specified herein and by taking all necessary administrative and technical measures, including the methods to be determined by the Board of Protection of Personal Data (“Board”), where any of the following conditions occurs:

  1. If there is explicit consent of the data owner;
  2. Without explicit consent of the data owner, (a) Special Categories of Personal Data other than those related to the health and sexual life of the data owner can be processed only in cases required by laws, and (b) Special Categories of Personal Data related to the health and sexual life of the data owner can be processed only for purposes of protection of public health, provision of preventive medicine, medical diagnosis, treatment and healthcare services, and planning and management of health services and financing, by persons who are obliged to keep these data secret or by authorized entities and organizations.

2.3     Purposes of Processing the Personal Data

The purposes of processing of personal data by our Bank in accordance with the Law and other applicable legislations under the terms and conditions of processing of personal data and Special Categories of Personal Data as detailed herein are as follows:

  1. Planning and/or execution of human resources processes in accordance with our Bank’s policies and procedures and applicable legislations;
  2. Performance of necessary works by our relevant business units in order to perform administrative and/or operational activities of our Bank and to ensure business continuity and execution of related business processes;
  3. Planning, monitoring and/or execution of the work needed to ensure that the legal work framework and operations of our Bank comply with applicable legislation;
  4. Planning and/or execution of activities needed to customize our Bank’s products and/or services in accordance with the preferences, usage behavior and needs of relevant persons and to recommend and promote them to these relevant persons;
  5. Performing the necessary work through relevant business units in order to ensure that customers can benefit from the products and/or services offered by our Bank;
  6. Planning and/or execution of necessary works and procedures to implement, develop and/or manage our Bank’s information systems and to ensure information security;
  7. Planning and/or execution of work related to finance, accounting and/or budget;
  8. Planning and/or execution of internal and external audit activities of our Bank.

Detailed information about these purposes of processing of personal data can be found in ANNEX-3 of the Policy (“ANNEX 3 - Purposes of Processing of Personal Data”).

2.4     Categories of Personal Data Processed by our Bank

Personal data in the following categories are processed by our Bank based on the purposes and conditions described herein, in accordance with the provisions of the Law and other applicable legislation: Identity, Communication, Financial, Customer, Customer Transaction, Transaction Security, Risk Management, Physical Location Security, Audit and Inspection, Incident Management, Legal Operations and Compliance, Request/Complaint Management, Family Members and Relatives, Visual and Audio, Marketing, Vehicles, Employee Candidate, Personal Rights, Employee Transactions, Employee Performance and Career Development, Benefits and Interests, and Special Categories of Personal Data.

Detailed information about these categories of personal data can be found in ANNEX-4 of the Policy (“ANNEX 4 - Categories of Personal Data”).

3       PRINCIPLES REGARDING TRANSFERRING OF PERSONAL DATA 

Our Bank can transfer personal data and Special Categories of Personal Data to third persons in Turkey and/or abroad (“Third parties”) by taking necessary security measures in accordance with the legal purposes of processing of personal data. For this purpose, our Bank acts in accordance with the regulations prescribed by Articles 8 and 9 of the Law.

3.1     Transfer of Personal Data

Where there is explicit consent of the data owner, our Bank can transfer personal data to third parties in accordance with the purposes of processing of personal data by paying necessary attention and taking all necessary measures, including the methods prescribed by the Board. However, personal data can be transferred to third parties without requiring explicit consent of the data owner under the following conditions:

  • If the activities regarding transfer of personal data are clearly required by laws;
  • If transfer of personal data by the Bank is directly related with and required for execution or performance of a contract;
  • If it is required to transfer personal data in order for the Bank to fulfill its legal obligations;
  • Personal data can be transferred by the Bank restricted with the purpose of publicizing, provided that such data have already been publicized by the data owner;
  • If transfer of personal data by the Bank is required for establishment, exercising or protection of the rights of the Bank or data owner or third parties;
  • If it is required to transfer personal data for the Bank’s legitimate interests, provided that fundamental rights and freedoms of data owner are not violated;
  • If it is required for the Bank to transfer personal data in order to protect the life or physical integrity of the owner of personal data or another person and, in such case, the owner of personal data is not capable of giving his/her consent due to physical impossibility or legal invalidity.

If personal data are going to be transferred abroad, in addition to the conditions written above, personal data are transferred by our Bank to foreign countries that have been announced by the Board to have sufficient protection (“Foreign Country that has Sufficient Protection”) or, if there is not sufficient protection, to foreign countries in which the data controllers and the data controllers in Turkey have undertaken in writing that they have sufficient protection and for which permission has been obtained from the Board (“Foreign Country, in which there is a Data Controller that Undertakes Sufficient Protection”).

3.2     Transfer of Special Categories of Personal Data

If there is explicit consent of the data owner, our Bank can transfer Special Categories of Personal Data in Turkey or abroad by paying necessary attention and taking all necessary measures, including the methods prescribed by the Board. However, personal data can be transferred to third parties without requiring explicit consent of the data owner under the following conditions:

  1. Special Categories of Personal Data other than those related with the health and sexual life of data owner can be transferred when it is required by laws;
  2. Special Categories of Personal Data in relation with the health and sexual life of data owner can only be transferred for purposes of protection of public health, provision of preventive medicine, medical diagnosis, treatment and healthcare services, and planning and management of health services and financing by persons, who are obliged to keep these data confidential, or by authorized entities and organizations.

If Special Categories of Personal Data are going to be transferred abroad, in addition to the conditions written above, our Bank can transfer such Special Categories of Personal Data to Foreign Countries that have Sufficient Protection or Foreign Countries, in which there is a Data Controller that Undertakes Sufficient Protection.

3.3     Categorization of Parties, to whom Personal Data are Transferred

Our Bank can transfer personal data of data owners to the categories of parties listed below in accordance with Articles 8 and 9 of the Law:

i. Shareholders;

ii. Partners;

iii. Suppliers;

iv. Legally Authorized Public Entities and Private Persons;

v. Correspondent Banks.

Detailed information about these third persons, to whom such personal data are transferred, can be found in ANNEX-5 of the Policy (“ANNEX 5 - Categories of Third Persons, to whom Personal Data are Transferred”).

4       STORAGE AND DESTRUCTION OF PERSONAL DATA

Where the reasons for processing personal data are no longer available, even though the data have been processed by our Bank in accordance with the Law and the provisions of other applicable legislation, personal data are deleted, destroyed or anonymized, based on an ex officio decision of our Bank or a request of the personal data owner, as required by the obligation to delete, destroy or anonymize personal data according to the Turkish Criminal Code.

5       ENSURING THE SECURITY AND CONFIDENTIALITY OF PERSONAL DATA

Our Bank takes necessary measures, based on the nature of data to be protected, in order to prevent illegal disclosure, access, transfer or any other security vulnerability of personal data.

For this purpose, our Bank takes (i) administrative and (ii) technical measures, (iii) establishes an audit system within the Bank, and (iv) acts in accordance with the measures required by the Law in case personal data are disclosed through illegal means.

5.1     Administrative Measures Taken by our Bank to Ensure Personal Data are Processed Legally and to Prevent Illegal Access to Personal Data

–      Our Bank trains its employees and ensures that they become aware of the processing and protection of personal data.

–      Where personal data are transferred, our Bank ensures that provisions obliging the third party to which personal data are transferred to ensure data security are included in the agreements executed with these parties.

–      Personal data processing activities performed by our Bank are examined in detail and, for this purpose, the actions to be taken to ensure compliance with the personal data processing requirements of the Law are determined.

–      Our Bank determines the requirements that need to be applied in order to comply with the Law and embeds these requirements into its internal policies.

5.2     Technical Measures Taken by our Bank to Ensure Data are Processed Legally and to Prevent Illegal Access to Personal Data

–      Our Bank takes technical measures as much as technically possible for processing and protection of personal data and these measures are updated and improved in parallel with technological developments.

–      Expert staff are employed for technical issues.

–      Implementation of these measures is periodically audited.

–      Software and systems to ensure security are installed.

–      Access to personal data being processed within our Bank is restricted to employees, based on the purpose of processing.

–      Special Categories of Personal Data are protected in accordance with the measures stated in the Law and other applicable legislations.

5.3     Measures to be Taken in case of Illegal Disclosure of Personal Data

If personal data processed as part of our Bank’s personal data processing activities are obtained illegally by unauthorized persons, the Board and the relevant data owners will immediately be notified of the situation.

6       INFORMING THE DATA SUBJECT

Our Bank informs the owners of personal data while their personal data are being obtained, as per Article 10 of the Law. For this purpose, our Bank and, if any, its representative inform the owner of personal data about the identity details, the purpose of processing of personal data, to whom and for which purpose the personal data can be transferred, and the methods and legal reasons of obtaining personal data.

Article 20 of the Constitution of Turkish Republic states that everybody has the right to be informed about their personal data. Therefore “the right to request information” is included in the rights of owners of personal data listed in Article 11 of the Law. Our Bank provides the necessary information upon a request of the owner of personal data in accordance with Article 20 of the Constitution of Turkish Republic and Article 11 of the Law. Detailed information about the rights of the owner of personal data is provided in Article 7.1 (Rights of the Owner of Personal Data) of this Policy.

7       RIGHTS OF THE OWNER OF PERSONAL DATA AND EXERCISING THESE RIGHTS

7.1     Rights of the Owner of Personal Data

Legal rights that the owner of personal data can exercise are listed below:

1)    To inquire whether their personal data have been processed or not;

2)    If their personal data have been processed, to request information about such processing;

3)    To inquire the purpose of processing of their personal data and whether such data have been used in accordance with the said purpose or not;

4)    To inquire about the third parties in Turkey or abroad to which their personal data have been transferred;

5)    If their personal data have been processed incompletely or inaccurately, to request rectification of such data and notification of third parties, to whom their personal data were transferred, about such rectifications;

6)    If, despite processing in compliance with the provisions of the Law and other applicable laws, the reasons that require processing of personal data are no longer available, to request deletion, destruction or anonymization of their personal data and to request the third parties, to whom the personal data were transferred, to be notified about the actions performed under this sub-paragraph;

7)    To object to occurrence of any result that is to their detriment by means of analysis of personal data exclusively through automated systems;

8)    To request compensation for the damages in case they suffer damages due to unlawful processing of their personal data.

7.2     Cases, in which Data Owner cannot Claim any Rights

Owners of personal data cannot claim the rights listed in Article 7.1 (“Rights of the Owners of Personal Data”) above in the cases listed in Article 28 of the Law, because these cases are excluded from the scope of data protection stated in the Law.

The cases listed in the said article are as follows:

1)    Processing of personal data for research, planning and statistics purposes by anonymizing them with official statistical data;

2)    Processing of personal data for art, history, literature or scientific purposes or as a part of freedom of expression, provided that national defense, national security, public security, public order, economic security, privacy of private life or personal rights are not violated or no crime is committed;

3)    Processing of personal data as a part of preventive, protective and intelligence related activities being performed by legally authorized public entities and organizations in order to ensure national defense, national security, public security, public order, or economic security;

4)    Processing of personal data by judicial authorities or execution authorities for investigation, prosecution, judgment or execution operations.

Owners of personal data cannot claim their rights, listed in Article 7.1 (“Rights of the Owners of Personal Data”) above, except the right to request compensation of their damages, in cases, listed below as per the second paragraph of Article 28 of the Law:

1)    If it is required to process personal data in order to prevent committing crimes or to investigate a crime;

2)    Processing of personal data that were anonymized by the owner of such personal data;

3)    If it is required to process personal data for execution of audit or regulation tasks of public entities and organizations as well as professional organizations with public institution status, which are assigned and authorized by law, and for disciplinary investigation or prosecution purposes;

4)    If it is required to process personal data to protect economic and financial interests of the government for budgeting, taxation and financial issues.

7.3     Exercising of Rights by Owners of Personal Data

Owners of personal data can submit their requests regarding the rights listed in Article 7.1 (“Rights of the Owners of Personal Data”) above either in writing, by completing the “Data Owner Application Form of Turkland Bank Anonim Şirketi”, or through a Registered Electronic Mail (KEP) address, Secure Electronic Signature, Mobile Signature or the electronic mail address that they have provided to our Bank and that has been registered in our system.

Above mentioned form is available in ANNEX-6 (“ANNEX-6 Data Owner Application Form of Turkland Bank Anonim Şirketi”) of this Policy.

7.4     Reply of our Bank to Applications

Our Bank takes all administrative and technical measures necessary to resolve the applications of personal data owner effectively, legally and honestly.

Our Bank may either accept the applications of the personal data owner or refuse them by explaining the justification. Our Bank can submit its reply to the personal data owner either in writing or through electronic means.

If the personal data owner submits a request regarding the rights listed in Section 7.1 (“Rights of the Owners of Personal Data”) above to our Bank in accordance with the described procedures, our Bank will resolve such request free of charge as soon as possible and not later than 30 (thirty) days, based on the nature of the request. However, if the action requires any separate cost, the fee mentioned below can be charged.

If our Bank replies in writing to the application of the personal data owner, no fee will be charged for replies up to ten pages, but it is allowed to take 1 Turkish Lira as a transaction fee for each page over ten pages of reply, as stated in the Law and other applicable legislation.

8       GOVERNANCE PLAN FOR PROTECTION AND PROCESSING OF PERSONAL DATA

A “Committee for Protection of Personal Data” is formed within the Bank based on a resolution of the Bank’s senior management in order to manage this Policy and other policies associated with and related to this Policy. The tasks of this committee are written below.

  • To prepare basic policies for protection and processing of personal data and present them to the approval of senior management in order to put them into force;
  • To decide how the policies for protection and processing of personal data will be implemented and audited and, for this purpose, to assign relevant duties within the Bank and present them to the approval of senior management in order to ensure coordination;
  • To determine the actions to be taken in order to ensure compliance with the Law and other applicable legislations, to present them to the approval of senior management, to supervise their implementation and ensure coordination;
  • To increase awareness within the Bank and the organizations, with which the Bank collaborates, for protection and processing of personal data;
  • To ensure necessary actions are taken by identifying the risks that might occur in personal data processing activities of the Bank and to present improvement suggestions to the approval of senior management;
  • To coordinate trainings to ensure that personal data are protected and relevant policies are implemented and to ensure that these trainings are completed;
  • To take decisions on the applications of personal data owners at the highest level;
  • To coordinate performance of information and training activities in order to ensure that personal data owners are informed about data processing activities and their legal rights;
  • To prepare amendments in main policies for protection and processing of personal data and present them to the approval of senior management in order to put them into force;
  • To monitor developments and regulations in the protection of personal data and to make suggestions to senior management for actions to be taken within the Bank according to such developments and arrangements;
  • To coordinate relationships with the Board and Personal Data Protection Authority;
  • To perform other tasks that might be assigned by the Company’s senior management for protection of personal data.

This Policy was approved through BoD Resolution dated 08.03.2019, No. 580.

ANNEX 1 – Definitions

| DEFINITION | DESCRIPTION |
|---|---|
| Explicit Consent | Means the consent for a certain subject, based on information and given with free will. |
| Personal Data Owner | Means the natural person, whose personal data is processed. |
| Personal Data | Means any information (e.g. name and surname, Turkish Republic ID, e-mail, address, date of birth, credit card number) about a natural person whose identity is or can be identified. Hence, processing of information about non-individuals (legal entities) is not covered by the Law. |
| Special Categories of Personal Data | Means the data related with race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance, membership to an association, society or labor union, health, sexual life, criminal sentence, and security measures and biometric and genetic data. |
| Processing of Personal Data | Means any operation which is performed on personal data such as collection, recording, storage, preservation, alteration, adaptation, disclosure, transfer, retrieval, making available for collection, categorization or blocking its use by wholly or partly automatic means or otherwise than by automatic means which form a part of a data recording system. |
| Data Processor | Means the natural person or legal entity that processes personal data on behalf of the data controller, based on the authority given by the said data controller. |
| Data Controller | Means the natural person or legal entity that determines the purposes and methods of processing of personal data and is responsible for implementation and management of the data recording system. |
| Registered Electronic Mail (KEP) Address | Means the qualified method of electronic mail, which provides legal evidence for use of electronic messages, including their transmission and delivery. |
| Mobile Signature | Means an electronic signature created by using a mobile device. |
| Secure Electronic Signature | Means the electronic signature which is exclusively linked with and only possessed by the signatory, is created by a secure electronic signature creation tool, ensures that the signatory is identified based on qualified electronic signature, is signed, and makes it possible to find whether electronic data is modified later or not. |

ANNEX 2 - Personal Data Owners

CATEGORIES OF  DATA SUBJECT

DESCRIPTION

Employee & Intern Candidate

Means natural persons, who have applied to our Bank through any means in order for a job or have allowed our Bank to examine their resumes and other relevant information.

Former Employee & Retired

Means natural persons, whose employee agreement with our Bank has been terminated for any reason (quit, dismissal, retirement, etc.).

Natural Person Customer

Means natural persons, who are using or have used the products and services offered by our Bank regardless of having a contractual relationship with our Bank or not.

Shareholder & Authorized Officer & Representative & Employee of Legal Entity Customer

Means natural persons, who are shareholders / authorized officers / representatives or employees of our legal entity customers, which are using or have used the products and services offered by our Bank regardless of having a contractual relationship with our Bank or not.

Potential Customer

Means natural persons, who have not requested to or interested in using our products and services but it has been evaluated according to commercial practices and rules of integrity that they may be interested in using them.

Shareholder & Authorized Officer & Representative & Employee of Potential Legal Entity Customer

Means natural persons, who are shareholders / authorized officers / representatives or employees of our potential legal entity customers that have not requested to or interested in using our products and services but it has been evaluated according to commercial practices and rules of integrity that they may be interested in using them.

Customer’s Proxy & Guardian & Trustee

Means natural persons that are authorized to represent or legally appointed to perform a work for customers, who have not reached lawful age yet or who are legally restricted and with whom our Bank has a relationship.

Third Party person Authorized by the Customer with an Order

Means natural persons and the persons that are shareholders / authorized officers / representatives or employees of legal entities, who are authorized to make transactions in our Bank’s branches based on an order of our Bank’s customers.

Third Persons that Give Guarantee

Means third party natural persons, with whom a relationship is established to ensure the safety of commercial and legal transactions between our Bank and customers and/or for credit debt guarantees of customers.

Parties that are subject to the transaction connected with Laundering of Criminal Proceeds or Financing of Terrorism

Means natural persons or natural persons that are shareholders / authorized officers / representatives or employees of legal entities, which are the subject matter of an event or news that is connected with Laundering of Criminal Proceeds or Financing of Terrorism.

Parties that are subject to Cash Transactions (Deposit/Withdrawal)

Means natural persons or natural persons that are shareholders / authorized officers / representatives or employees of legal entities other than the customers of our Bank, which are the subject matter of cash withdrawal/deposit transactions performed through our branches.

Other Bank Customers

Means natural persons that make transactions with the cards of other banks through ATMs of our Bank.

Owners of Opinions & Complaints & Recommendations & Information 

Means natural persons or natural persons that are shareholders / authorized officers / representatives or employees of legal entities, who have submitted their opinions / complaints / recommendations or information or other requests to our Bank regardless of benefiting from our Bank’s products and services or not.

Drawers & Endorsers & Payees of Cheques / Bills

 

Means natural persons or natural persons that are shareholders / authorized officers / representatives or employees of legal entities, who have used our Bank’s cheque and/or bond services and/or have been subject matter of these transactions.

Lessor

Means natural persons or natural persons that are shareholders / authorized officers / representatives or employees of legal entities, who have rented out their real estates for the locations of our Bank

Visitor         

Means natural persons that have visited our Bank premises for any purpose or have accessed our Bank’s Internet network for guests.

Press

Means natural persons that are working at press organizations, with whom our Bank does collaborate for any press / media activity.

Family Members

Means natural persons who are family members and/or relatives of our Bank’s employees, customers or third persons that gave guarantee for our customers.

Ultimate Beneficiary

Means persons that ultimately benefit from the transactions performed at the Bank.

Parties of Incoming and Outgoing Money Transfers

Means persons other than the customers of our Bank, who are the parties of money or security transfers from the customers of our Bank to the customers of other banks or from the customers of other banks to the customers of our Bank.

Authorized Representatives & Employees of Correspondent Banks

Means natural persons, who are employees and/or authorized representatives of current and/or potential correspondent banks of our Bank.

Parties of Letter of Guarantee

Means persons, who are beneficiaries and counter parties of letters of guarantee that have been issued.

Parties of Export or Import Transactions

Means the parties that are subject matter of foreign trade transactions performed through our Bank.

Shareholder & Authorized Officer & Representative & Employee of Supplier or Potential Supplier

Means natural persons, who are shareholders, authorized officers, representatives or employees of companies that provide goods and/or services to our Bank based on an existing or potential contract executed with our Bank.

Shareholder & Authorized Officer & Representative & Employee of Partner or Potential Partner

Means natural persons, who are shareholders / authorized officers / representatives or employees of legal entities, with which our Bank has established or intends to establish collaboration, partnership or program partnership.

Shareholder & Authorized Officer & Representative & Employee of Sub-Employer

Means natural persons, who are shareholders / authorized officers / representatives or employees of legal entities, which take a role as sub-employer in the works and operations of our Bank, based on the contract signed with our Bank.

Authorized Representatives & Employees of Legally Authorized Public / Private Entity

Means natural persons that are employed or authorized by legally authorized public or private entities, with which our Bank has a relationship.

Other Third Party Persons

Means other natural persons that are defined in this Policy and in the Policy for Protection and Processing of Personal Data of Turkland Bank A.Ş.’s Employees.

 

ANNEX 3 - Purposes of Processing Personal Data

MAIN PURPOSES (PRIMARY)

SUB-PURPOSES (SECONDARY)

 

 

Planning and/or execution of human resources processes in accordance with our Bank’s policies and procedures and applicable legislations

Planning and/or execution of recruitment and/or personal right processes of employees

Planning and/or execution of application, selection and evaluation processes of employee candidates

Facilitating the processes for reevaluation of employee candidates, whose applications were refused

Planning and/or execution of reference activities for recruitment of staff and/or the Bank’s security processes

Planning and/or execution of financial risk investigation activities for recruitment of staff and/or the Bank’s security processes

Fulfillment of obligations arising out of employment agreements and/or applicable legislations for the Bank’s staff

Planning and/or execution of talent/career development activities

Planning and/or execution of performance evaluation and monitoring processes of employees

Monitoring and/or auditing the works of employees

Planning and/or execution of internal/external training activities

Planning and/or execution of the activities for meeting information/document requests of employees

Planning and/or execution of benefits for employees

Planning and/or execution of employee compensations

Planning and/or execution of termination procedures for employees

Planning and/or execution of employee insurances

Planning and/or execution of the activities for receiving and evaluation of staff loan applications and facilitating loans

Planning and/or execution of the activities for creating, auditing and/or monitoring personal right records of sub-employer’s employees

Planning and/or execution of operational activities, needed for unethical behaviors and/or abuse incidents of employees

 

 

Performance of necessary works by our relevant business units in order to perform administrative and/or operational activities of our Bank and to ensure business continuity and execution of related business processes

Ensuring the security of the Bank’s premises and/or facilities

Planning and/or execution of operational activities needed to ensure that the Bank’s activities are performed in accordance with the Bank’s procedures and/or applicable legislations

Planning and/or execution of processes for receiving, evaluating and concluding the complaints/requests

Planning and/or execution of the activities for ensuring transaction security

Planning and/or execution of relationships with main shareholders

Ensuring the security of the Bank’s operations

Planning and/or execution of the activities to ensure business continuity

Planning and/or execution of business operations

Planning and/or execution of operation and/or productivity processes

Planning and/or execution of communication activities       

Planning and/or execution of the Bank’s administrative works

Planning and/or execution of the activities for management and/or sale of the real estates of our Bank

Planning and/or execution of correspondent banking operations

Management of relationships with current and potential correspondent banks

Planning and/or execution of the activities to perform effectiveness/efficiency and/or appropriateness analysis of business operations

Planning and/or execution of purchasing/procurement processes

Management of relationships with partners and/or suppliers

Planning and/or execution of reporting activities for the Bank’s works and operations in accordance with the Bank’s procedures and objectives as well as applicable legislations

Planning and/or execution of strategic planning operations

 

Planning, monitoring and/or execution of the works in order for compliance with legal frameworks and operations of our Bank with applicable legislations

Monitoring the legal works

Planning and/or execution of activities to meet requests received from legally authorized public and/or private entities (including sharing information/documents)

Planning and/or execution of processes for monitoring execution, seizure and/or bankruptcy procedures

Planning and/or execution of criminal and/or legal lawsuit processes

Planning and/or execution of administrative proceedings and/or restructuring activities

Ensuring that data are correct and/or updated

Monitoring the contract processes and/or legal requests

 

Planning and/or execution of activities needed to customize our Bank’s products and/or services in accordance with liking, usage habits and needs of relevant persons and to recommend and promote them to these relevant persons

Planning and/or execution of cross-selling activities for other products offered by our Bank

Planning and/or execution of processes for creating and/or increasing the loyalty to products and/or services offered by our Bank

Planning and/or execution of processes for promotion of products and/or services

Planning and/or execution of the activities for customer satisfaction and/or experience

Designing and/or execution of activities to be performed in digital and/or other channels to gain customers and/or create value for existing customers

Planning and/or execution of data analytics for marketing purposes

 

 

 

Performance of necessary works by our business units in order to ensure that relevant persons can benefit from the products and/or services offered by our Bank

Planning and/or execution of the activities for establishing, maintaining and/or releasing the guarantee(s)

Creating and/or monitoring the processes for evaluation and/or allocation of products and/or services

Planning and/or execution of the processes for performance of banking transactions by third persons, based on orders and/or authorizations of the Bank’s customers

Planning and/or execution of processes for sales of products and/or services

Creating and/or monitoring the application processes for products and/or services

Planning and/or execution of the activities for monitoring and/or controlling credit monitoring and repayment processes

Creating and/or monitoring the utilization processes for products and/or services

Planning and/or execution of customer relationship management processes

Planning and/or execution of processes for providing the customer with the tools and/or information for the channels to be used to access and/or use products and/or services

Planning and/or execution of the activities in order to know the Bank’s customers and the activities related to preventing laundering of criminal proceeds, financing of terrorism and suspicious transactions

Planning and/or execution of the activities for identifying/controlling the risks for persons covered by risk groups according to applicable legislations and the Bank’s policies and procedures

Planning and/or execution of identification processes

Planning and/or execution of necessary works and procedures to install, develop and/or manage our Bank’s information systems and to ensure information security

Creation and/or management of the infrastructure of information technologies

Planning and/or execution of the processes for creating, testing and maintaining the software for information systems

Planning, auditing and/or execution of information security processes

Planning and/or execution of the activities for tracking and storing the logs of access to the Bank’s network for guests

Planning and/or execution of the activities for granting and/or controlling the authorizations regarding information security

 

Planning and/or execution of finance, accounting and/or budget related works of our Bank

Performing and/or execution of budgeting related works

Planning and/or execution of finance and/or accounting related works

Planning and/or execution of the Bank’s financial risk processes

Planning and/or execution of internal and external audit activities of our Bank

Planning and/or execution of internal and external audit activities of the Bank

Planning and/or execution of rating activities and management of relationships with credit rating institutions for this purpose

 

 

ANNEX 4 - Categories of Personal Data

CATEGORIES OF PERSONAL DATA

DESCRIPTION

Identity Details

Means all details in a driver’s license, identity card, passport, professional identity cards and other similar documents, which do clearly belong to a natural person, whose identity is known or can be found.

Communication Details

Means phone number, address, e-mail and other similar contact details, which do clearly belong to a natural person, whose identity is known or can be found.

Financial Details

Means the personal data that have been processed for the information, documents and records that show any kind of financial and have been processed partially or completely automatically or through non-automatic methods that are a part of a data recording system, which do clearly belong to a natural person, whose identity is known or can be found.

Customer Details

 

Means the information collected and generated for our customers as a result of our commercial activities and operations being performed by our business units, which do clearly belong to a natural person, whose identity is known or can be found.

Customer Transaction Details

Means the information, such as records of use of our products and services and orders and requests of our customers for the use of our products and services, which do clearly belong to a natural person, whose identity is known or can be found.

Transaction Security Details

Means personal data that have been processed to ensure technical, administrative, legal and commercial security of our Bank while performing commercial operations, which do clearly belong to a natural person, whose identity is known or can be found.

Risk Management Details

Means personal data (e.g. credibility of persons) that have been processed in order to minimize the risks as required by our Bank’s policies and legislative obligations, which do clearly belong to a natural person, whose identity is known or can be found.

Physical Location Security Details

Means personal data about the records and documents taken when entering to and staying within the physical premises, which do clearly belong to a natural person, whose identity is known or can be found.

Audit and Inspection Details

Means personal data that have been processed as a part of legal obligations of our Bank and for purposes of audit and compliance with the Bank’s policies, which do clearly belong to a natural person, whose identity is known or can be found.

Incident Management Details

Means the information collected and assessments made about the incidents that may affect our Bank, its employees and shareholders, which do clearly belong to a natural person, whose identity is known or can be found. 

Legal Action and Compliance Details

Means personal data that have been processed for determining and tracking our legal rights and receivables, fulfillment of our liabilities and compliance with our legal obligations and the policies of our Bank, which do clearly belong to a natural person, whose identity is known or can be found.

Request/Complaint Management Details

Means personal data about receiving and evaluation of any request or complaint received by our Bank, which do clearly belong to a natural person, whose identity is known or can be found.

Details of Family Members and Relatives

Means information about family members and relatives of our customers and third party persons that have given guarantees to our customers for products and services that we offer, which do clearly belong to a natural person, whose identity is known or can be found.

Audio and Visual Data

Means audio or visual data, such as photos, videos, etc., which do clearly belong to a natural person, whose identity is known or can be found.

Marketing Details

Means personal data that have been processed for promoting our products and services by customizing them according to usage behavior, preferences and needs of personal data owner and the reports and evaluations that have been prepared as a result of such processing.

Vehicle Details

Means details of vehicles associated with data owner, which do clearly belong to a natural person, whose identity is known or can be found.

Details of Employee Candidate

Means resume details of employee and/or intern candidates that have applied for a job to our Bank through any means.

Personal Right Details

Means the information that will form the basis of personal rights and files of our former employees, which do clearly belong to a natural person, whose identity is known or can be found.

Details of Employee Transactions

Means personal data that have been processed regarding any transaction of our former employees in our Bank, which do clearly belong to a natural person, whose identity is known or can be found.

Employee Performance and Career Development Details

Means personal data that have been processed to measure performances and plan and execute career developments of our former employees in accordance with human resources policies and procedures of our Bank, which do clearly belong to a natural person, whose identity is known or can be found.

Details of Benefits

Means personal data that have been processed to plan the benefits that we have been and will be offering to our former employees, to determine objective criteria in order to be entitled for these benefits and to monitor these entitlements, which do clearly belong to a natural person, whose identity is known or can be found.

Special Categories of Personal Data

Means the data specified in Article 6 of the Law, which do clearly belong to a natural person, whose identity is known or can be found.

 

ANNEX 5 - Categories of Third Persons, to whom Personal Data are Transferred

THIRD PARTY PERSONS

DESCRIPTION

Shareholders

Means the persons, who have a share in our Bank according to the provisions of applicable legislations.

Suppliers

Means the parties that provide service to our Bank based on a contract and in accordance with the orders and instructions of our Bank while performing the commercial operations of our Bank.

Partners

Means the parties, with whom our Bank collaborates for selling, promoting and marketing our Bank’s products and services, after-sales support, joint customer loyalty programs, etc. while performing the commercial operations of our Bank.

Legally Authorized Public Entities and Private Persons

Means public or private entities that have been established according to the provisions of applicable legislations.

Correspondent Banks

Means the banks that were authorized to act on behalf of our Bank in order to provide various banking services at places, where our Bank does not have a branch.

 

ANNEX 6 - Turkland Bank Anonim Şirketi Data Owner Application Form

 

TURKLAND BANK ANONİM ŞİRKETİ DATA OWNER APPLICATION FORM

1.    General Information about your Application Right

As the data owner, you can apply to Turkland Bank Anonim Şirketi (“Bank”) and make the following requests as per Article 11 of the Law no. 6698 on Protection of Personal Data (“Law”):

(1)   To inquire whether your personal data have been processed or not,

(2)   If your personal data have been processed, to request information about such processing,

(3)   To inquire the purpose of processing of your personal data and whether such data have been used in accordance with the said purpose or not,

(4)   To inquire about the third party persons in the country or abroad, to which your personal data have been transferred,

(5)   If your personal data have been processed incompletely or inaccurately, to request rectification of such data and notification of third parties, to whom your personal data were transferred, about such rectifications

(6)   If, despite processing in compliance with the provisions of the Law and other applicable laws, the reasons that require processing of personal data are no longer available, to request deletion, destruction or anonymization of your personal data and to request the third parties, to whom the personal data were transferred, to be notified about the actions performed under this sub-paragraph,

(7)   To object to occurrence of any result that is to your detriment by means of analysis of personal data exclusively through automated systems,

(8)   To request compensation for the damages in case you suffer damages due to unlawful processing of your personal data.

Our Bank will resolve your application as soon as possible and within thirty (30) days, depending on the nature of request, in accordance with Article 13 of the Law.

2.    Application Method

You can submit your requests for these rights either in writing or via your registered electronic mail (KEP) address, secure electronic signature, mobile signature or the electronic mail address that you have provided to our Bank and that is registered in our system, in accordance with Article 13 of the Law and Article 5 of the Communiqué on Procedures and Principles of Applications to Data Controller.

The following details for written application channels must be taken into consideration when an application is being made by the data owner.

APPLICATION METHOD: Written Application

APPLICATION ADDRESS: 19 Mayıs Mah. 19 Mayıs Cad. Şişli Plaza A Blok No: 7 34360 Şişli 34360 İSTANBUL

INFORMATION TO BE PROVIDED IN THE APPLICATION: “Information Request under the Law on Protection of Personal Data” must be written on the envelope/notice.

APPLICATION METHOD: By E-mail

APPLICATION ADDRESS: [email protected]

INFORMATION TO BE PROVIDED IN THE APPLICATION: “Information Request under the Law on Protection of Personal Data” must be written in the subject section of e-mail.

APPLICATION METHOD: By Fax

APPLICATION ADDRESS: 0212 368 35 35

INFORMATION TO BE PROVIDED IN THE APPLICATION: “Information Request under the Law on Protection of Personal Data” must be written on the request.

3.    Your Identity and Contact Details

Please complete the fields below so that we can contact you and verify your identity.

Name & Surname

 

Turkish Republic ID /

Passport ID or Citizenship ID for Citizens of Other Countries

 

Address of Residence / Office for Notices

 

Mobile Phone Number

 

Phone Number

 

Fax Number

 

E-mail Address 

 

Your Relationship with our Bank

 Customer  Visitor  Employee  Partner  Other:................................

4.    Subject of Request

We kindly request that you write your request for your personal data clearly below. Any relevant information and document must be attached to the application.

 

 

 

 

 

Subject

Preference

1

Are my personal data being processed by your Bank?

 

2

If my personal data are being processed by your Bank, I hereby request information about such processing operations

 

3

If my personal data are being processed by your Bank, I hereby request information about the purpose of processing of personal data and whether the operations are performed in accordance with such purpose or not.

 

4

Are my personal data being transferred to third persons in the country or abroad? If my personal data are being transferred, I hereby request information about these third persons.

 

5

I believe that my personal data are processed inaccurately or incompletely by your Bank and I request them to be corrected.

Below information and documents must be submitted to our Bank upon request:

•              The content of your personal data, which you believe are incomplete or wrong and which you request to be corrected.

•              Documents showing correct and complementary details of your personal data.

 

6

I think that the reasons for processing my personal data are no longer available, therefore I request them to be destroyed.

Descriptive information/documents for your thought that the reasons for processing your personal data are no longer available must be presented to our Bank upon request.

 

7

If my personal data are processed inaccurately or incompletely by your Bank, I hereby request from you to inform third persons, to whom my personal data have been transferred, about this situation.

Below information and documents must be submitted to our Bank upon request:

•              The content of your personal data, which you believe are incomplete or wrong and which you request to be corrected.

•              Documents showing correct and complementary details of your personal data.

 

8

If the reasons for processing my personal data are no longer available, I hereby request from you to inform third party persons, to whom my personal data have been transferred, about this situation.

Descriptive information/documents for your thought that the reasons for processing your personal data are no longer available must be presented to our Bank upon request.

 

9

I hereby object to the results that are against me as a result of analysis of my personal data, which were processed by your Bank, exclusively through automated systems.

Any information/document that explains the results against you must be provided to our Bank upon request.

 

10

I hereby request from you to compensate my damages due to illegal processing of my personal data.

Any information/document that explains the damages that you have suffered must be provided to our Bank upon request.

 

I hereby kindly request from you to evaluate my application to your Bank for the requests I have mentioned above in accordance with Article 13 of the Law and to inform me about the result.

I hereby represent and undertake that the information and documents that I provided to you with this application are correct and updated and I have been informed that the Bank may request additional information to conclude my application and I might be required to pay the fee, which is determined by the Board, in case any additional cost incurs.

 I want the reply to be sent to my mailing address that I gave in Section 2 above.

 I want the reply to be sent to my electronic mail address that I gave in Section 2 above.

 I want the reply to be sent to my fax number that I gave in Section 2 above.

The Applicant (Data Owner)

Name & Surname:...............................................

Application Date :............................................

Signature                       :.............................................

 

 
 
TURKLAND BANK A.Ş. PRIVACY PROMISE

Your privacy is important for us. This is why we are committed to the Turkland Bank A.Ş. Privacy Promise for our customers, which is as follows:

In addition to the information that is legally required, only the information that is considered as necessary to offer the best products and services to our customers is requested by Turkland Bank A.Ş.

The privacy and the security of the information that is received from the customers are the most important criteria that are adopted.

In order to protect the privacy of the customer information, Turkland Bank A.Ş. adopts the rules described below:

Customer information is kept in the security system created by Turkland Bank A.Ş. and only authorized employees who are well-trained on the privacy and proper use of customer information have access to customer information.

Turkland Bank A.Ş. implements a tight security system in order to ensure that no access is given to unauthorized people including employees.

Except as required by the applicable legislations and regulations, customer information will not be disclosed to 3rd parties without the customer’s consent.

Customer information that might be requested by Administrative authorities and judicial bodies will be disclosed in line with the scope of the regulatory request. Turkland Bank A.Ş. requires the third parties and its employees who provide service to the Bank to comply with the privacy and confidentiality requirements determined by the Bank when handling customers’ data.

Correctness / accuracy of the Information

It is important to ensure that your information is correct and up-to-date. In case you notice that related information on the account statements or accessed through the internet banking is not correct or up-to-date, please inform your branch, following the guidelines under “Protection of Privacy” below, so that we can correct or update your information in a timely manner.

Protection of Privacy

Regarding the protection of your confidential information, we suggest that you:

  • Check your account balance and bank statements regularly and inform your branch in case of discrepancies,
  • Immediately inform your branch if you suspect that your credentials, passwords or other confidential information have been lost, or stolen by a third party,
  • Do not disclose any of your information during phone calls or e-mail exchanges unless you have verified the credentials of the counterparty, use a secure browser for online banking and close the online applications when not in use.

Turkland Bank A.Ş. will respect your trust and will work to keep the continuity of your trust through fulfilling its commitment specified in the guidelines above. Additionally, we believe that our clients will also demonstrate the required sensitivity for the privacy of the information that they provided to us.

The privacy promise will be updated timely with any changes in the applicable regulations or the internal policy, and will be always checked on the bank website.