Amendments to Turkish Banking Law No. 5411 in February 2020 introduced important provisions regarding how banks handle confidential customer data. Based on these provisions, the Banking Regulation and Supervision Agency (BRSA) introduced a secondary regulation that was finalized in March, the Regulation on Banks’ Information Technology and Electronic Banking Services. This regulation contains binding provisions on the processing and transfer of bank customers' data.
Definition of customer confidential information
Under Article 73 of the Banking Law, customer confidential information is defined as data that is generated by "real and legal" individuals that have a customer relationship for banking activities with a bank.
As this definition indicates, customer relationships established through services that banks perform other than banking activities fall outside the scope of customer confidential information. Likewise, data that banks obtain when they provide services indirectly, without establishing a customer relationship, is excluded from this definition.
Customer confidential information can contain both personal data and non-personal data. It is therefore important to determine separately whether the data is personal data under the Law on Personal Data Protection (PDPL) and whether it falls within the scope of customer confidential information.
The transfer of customer confidential information
Following an evaluation based on economic security, BRSA is authorized to prohibit the transfer of customer confidential information or banking secrets to third parties abroad, as well as to make decisions regarding the information systems used by banks and their backups.
It is important to highlight that the conditions under PDPL Article 9 (approval of the data protection authority, explicit consent, safe country list) and the binding corporate rules announced by the DPA cannot be relied on for the transfer of customer confidential information to third parties abroad without a specific instruction or request from the customer.
In this context, there are two issues to be taken into account when it comes to the transfer of customer confidential information abroad: receiving the customer's instruction or request per the Banking Law and complying with the requirements of Article 9 of PDPL.
The only exceptions to the restrictions on transferring data are mandatory legal provisions in other laws, audits, court requests, mergers and acquisitions deals, and information that must be disclosed to certain specific ministries.
Whether or not an exemption applies, customer confidential information may only be shared to the extent that sharing is limited to the stated purposes and strictly restricted to achieving those objectives.
As stated above, BRSA has been authorized to require that the primary and secondary systems used by banks in carrying out banking activities be kept within the country.
Article 11(4) of the Regulation on the Internal Systems and Interior Capital Adequacy Assessment Process of the Banks, issued by BRSA before the amendments were published, already required banks to keep their primary and secondary systems within the country. Article 25 of the regulation issued after the amendments also states that banks must keep their systems, regardless of how many backups there are, within the country. Additionally, if a bank receives an external service or cloud computing service for an activity within the scope of its primary or secondary systems, the information systems that the service provider uses to perform those activities must also be installed within the country.
Besides the localization requirement, there are additional requirements for approving an external service provider in respect of services and products provided in the fields of critical information systems and security. Under Article 29 of the regulation, it is an important selection criterion that products and services related to security and critical information systems are produced in Turkey, or that their producers have a research and development center within the country.
According to Article 159 of the Banking Law, individuals who do not comply with the conditions for transferring customer confidential information under Article 73 can face imprisonment for up to three years. Also, according to Article 148 of the Banking Law, BRSA is authorized to impose administrative fines on banks that do not comply with the Banking Law or regulations issued pursuant to it. In addition, the non-compliant transfer of personal data within the scope of the PDPL might be subject to administrative fines under the PDPL and criminal sanctions under the Turkish Criminal Law.
Evaluating the amendments together with the provisions of the regulation, banks must classify the data they hold according to the definition of customer confidential information under the Banking Law and the definition of personal data under the PDPL. The transfer method must then be set according to the requirements specified for each data set. In addition, there are still uncertainties regarding the transfer of personal data abroad, so it would be appropriate to consider the different dimensions of data transfer within the scope of both personal data and customer confidential information.
First published by IAPP - Privacy Tracker on 24.09.2020.