Albaraka Mobil
Mobil Bankacılık

Personal Data Protecting And Processing Policy

1.         INTRODUCTION

Albaraka Türk Katılım Bankası A.Ş. is showing the ultimate sensitivity required to fully comply with the Personal Data Protection Law number 6698 (the “Law”) and other regulations relevant to practice of this law and all our employees are responsible for taking and implementing the proper security measures within this scope.  

Arranging the internal operation of Our Bank within the scope of the Law, secondary regulations, the Authority of Protection of Personal Data guides, decisions and regulations and communiqués are among the priority issues of Our Bank.

2.         OBJECTIVE

Purpose of this Albaraka Türk Katılım Bankası A.Ş. Personal Data Protection and Processing Policy (the “Policy”) drawn up to ensure adaptation of our Bank to the Personal Data Protection Law Number 6698 and the secondary regulations for implementation of this law is ensuring compliance with liabilities relevant to regulations on protection of personal data, determining in-house operation rules and responsibilities of the Bank, processing information obtained within the scope of the activities the Bank performance and determining strategies, in-house controls and measures and operation rules and responsibilities by evaluating issues relevant to protection of their confidentiality and informing personal data owners and the Bank employees.

Another purpose of preparing this Policy is defining the processes of deleting, destruction or anonymization of personal data by the Bank (Data Controller) in case the reasons requiring process of personal data within the Bank are removed and to be sure whether the storage period of personal data of real persons within the Bank is not exceeding the period required for processing and whether the security controls appropriate for the classes of data are established during the protection.          

In accordance with the basic regulations stipulated by law, administrative and technical measures required for processing and protection of personal data within the operation of the Bank are taken, necessary internal procedures are created, various training are being organized to increase awareness, necessary measures for the compliance of the employees with Personal Data Protection Law processes are taken, and technological infrastructure, administrative and legal systems are being established with proper and effective inspection mechanisms by Our Bank. 

3.         SCOPE

This Policy is being applied to all Personal Data of institutions and organizations it is in business relation with, their employees, shareholders and officers and third parties processed by automated means or nonautomated means provided that they are a part of any data entry system within the framework of an agreement (support service, evaluation, independent audit, rating, consultancy, service, purchasing, collaboration, solution partnerships, etc.) signed with the Bank customers, potential customers, employees, employee candidates, shareholders and guests at the branches abroad and their subsidiaries provided that legislation at the Bank and the Bank’s subsidiaries and the countries they are carrying out business is appropriate.

All activities to be performed within the Bank and measures to be taken within the framework of this Policy are determined by relevant procedures.

4.         DEFINITIONS

Explicit Consent               :              Freely given consent based on informing on a specific subject,

Bank      :              Albaraka Türk Katılım Bankası A.Ş.

Anonymization :              Rendering personal data by no means identified or identifiable with a natural person even by linking with other data

Relevant User   :              Excluding persons or units responsible for technically storing, protection and backup of data, persons processing personal data in accordance with the power and instruction taken within the data controller organization or from data controller, 

Destruction        :              Deletion, destruction or anonymization of personal data,

Law  :     Personal Data Protection Law Number 6698,

Personal Data Owner / Relevant Person: Institutions and organizations it is in business relation with, their employees, shareholders and officers, and real third party within the framework of an agreement (support service, independent audit, rating, consultancy, service, purchasing, collaboration, solution partnerships, etc. evaluation,) signed with the customers or potential customers who are not customers whose personal data are processed, employees, employee candidates, shareholders and guests

Personal Data   :              Any information relating to an identified or identifiable natural person,

Special Categories of Personal Data: Data relating to race, ethnic origin, political opinions, philosophical beliefs, religion, sect or other beliefs, appearance and dressing, membership of association, foundation or trade-union, health, sexual life, criminal conviction and security measures, and biometric data and genetics data

Process of Personal Data            :              Any operation which is performed on personal data such as obtaining by completely or partially automated means or nonautomated means provided that they are a part of any data entry system, recording, storage, preservation, alteration, adaptation, disclosure, transfer, retrieval, making available for collection, categorization or blocking its use,

Personal Data Processing Inventory: The inventory which our Bank has explained in detail the personal data processing activities which our Bank is performing in connection with the work processes; personal data processing purposes and just cause, data category, the maximum storing period it has determined by associating with the receiving group they are transferred to and individuals group which are the subject of data and the purposes which personal data are processed for, and measures taken relevant to personal data stipulated to be transferred to foreign countries and data security,”       

Board    :              The Board of Protection of Personal Data,

Authority            :              The Authority of Protection of Personal Data,

Data Processor :              Natural or legal person who processes personal data based on the authority granted by and on behalf of the data controller,

Data Recording System :              Any recording system through which personal data are processed by structuring according to specific criteria,

Data Controller :              Natural or legal person who determines the purposes and means of the processing of personal data, and who is responsible for establishment and management of the data entry system,

Data Controllers Registry Information System (VERBIS): Information system to be used by data controllers in application to the Registry and in other procedures relevant to the Registry, which may be accessed over internet and created and managed by the Presidency.

5.         OFFICERS

5.1.  The Board of Directors

The Board of Directors is responsible of management, scope and creating the frame of the Personal Data Protection and Processing Policy and reviewing it periodically.

5.2.  Audit Committee

Observes whether regulations on protection of personal data and the in-house policy within this scope and its implementing procedures are followed or not.

It reassures the Board of Directors on sufficiency and efficiency of the management framework on the protection of personal data.

5.3.  Senior Management

It is responsible of implementation of the Personal Data Protection and Processing Policy within the Bank.

It structures the management levels reporting to it and work processes in accordance with the regulations on protection of personal data.   

It plays an active role in establishing the Bank culture on protection of the personal data and working environment and ensuring its continuance. 

5.4.  Contact Person

Contact Person provides communications relevant to demands to come from the Authority of Protection of Personal Data and relevant persons.

He is responsible of recording and updating the Bank data inventory to the data controllers registry information system.

6.         PERSONAL DATA

Personal data states any information relating to an identified or identifiable natural person. To mention personal data, data should belong to a real person and this person should be identified or identifiable. Accordingly;

To be relevant to a natural person: Personal data is relevant to natural person, data of legal entity are not included in the definition of personal data.

Making the person identified or identifiable: Personal data may directly show the identity of the relevant person as well as involving all information enabling identification of the person as a result of associating with any record although it does not show the identity directly.

All Kinds of Information: The expression “all kinds of information” is quite comprehensive, not only information setting forth the identity of a real person as his name, family name, date of birth and place of birth, but also telephone number, motor vehicle plate, social security number, passport number, curriculum vitae, photograph, image and voice records, fingerprints, e-mail address, hobbies, preferences, people interacted with, group memberships, family information, health information and all such data making a person directly or indirectly identifiable are considered as personal data.

7.         PROCESSING PERSONAL DATA

It expresses all kinds of operations which is performed on data as processing personal data, such as obtaining by completely or partially automated means or nonautomated means provided that they are a part of any data entry system, recording, storage, preservation, alteration, adaptation, disclosure, transfer, retrieval, making available for collection, categorization or blocking its use.

Automatic Processing: Processing activity occurring automatically without any human intervention, carried out by devices having processor as computer, telephone, clock, etc. within the scope of algorithms prepared previously through their software and hardware features.

Processing by Nonautomated Means: Although personal data are not subject to automatic processing, they are subject to the provisions of the Law when they are processed through "data recording system".

8.         GENERAL PRINCIPLES IN PROCESSING PERSONAL DATA

In processing personal data by the Bank, general principles set forth in the Law are always complied with. General principles in processing personal data are as the following:

  1. Compatibility with Law and Good Faith Rules,
  2. Being Accurate and Updated when Necessary,
  3. Processing for Specific, Explicit and Legal Purposes,
  4. Being Connected, Limited and Measurable with the Purpose They are Processed for
  5. Being kept for a period stipulated in the relevant legislation and required for the purpose they are processed for.

8.1.  Compatibility with Law and Good Faith Rules 

Personal data processing activities are carried out by Our Bank in compliance with primarily   Banking legislation and legal legislation on protection of Personal Data and all legislation provisions Our Bank is subject to and good faith rule stipulated in Article 2 of the Code of Civil Law.

8.2.  Being Accurate and Updated when Necessary

Our Bank ensures Personal Data processed by considering Personal Data Owners’ fundamental rights and legitimate interests to be accurate and up to date. Within this scope, it keeps channels enabling relevant person information to be accurate and up to date open. Besides, it meticulously considers the issues as sources where data are obtained to be certain, confirming their accuracy and whether it is required to be updated.   

8.3.  Processing for Specific, Explicit and Legal Purposes

Our Bank clearly and definitely determines the purpose of data processing and ensures this purpose to be legitimate. Within this scope, personal data are presented by Our Bank or processed limited with the product/services to be offered and legal liabilities. The purpose for processing personal data is set forth before the personal data processing activity is started.

8.4.  Being Connected, Limited and Measurable with the Purpose They are Processed for

Personal data is processed by Our Bank to the extent it is necessary to realize this purpose in connection and limited with the processing purposes, processing of Personal Data not related with realizing the purpose or not needed is avoided. Process of personal data is limited with activities and legal liabilities.    

8.5.  Being kept for a period stipulated in the relevant legislation and required for the purpose they are processed for

Pursuant to all legislations Our Bank is subject to within the scope of Banking Law number 5411 and its activities, Our Bank accords with the periods if there is a stipulated period for storing data; otherwise, it keeps the personal data only for a period required for the purpose they are processed. In case there is no valid reason to keep personal data, the subject data is destroyed.     

9.         PROCESSING CONDITIONS OF PERSONAL DATA

9.1.  Being Explicitly Stipulated in Laws

In cases when it is explicitly seen in the provisions of the legal legislation, data processing activities may be carried out without receiving consent of the relevant person provided that the limits of legal legislation are not exceeded.

9.2.  Actual Impossibility

Personal data of a person who cannot declare his consent due to actual impossibility or his consent is not considered as legally valid, may be processed if it is mandatory for protection of his or any other’s life or body integrity. Our Bank shall be able to process personal data in cases stipulated in accordance with this adjustment.   

9.3.  Being Necessary for Establishment and Execution of the Agreement

Provided that it shall be directly relevant to the drawing up or execution of an agreement, in case it is necessary to process personal data of the parties of the agreement and to be limited with this purpose, personal data is being processed.

9.4.  Legal Obligation

In order to fulfill the liabilities of Our Bank arising from legislation provisions, personal data is being processed, being bound with the limits of the subject liability.  

9.5.  Declaring Personal Data by the Personal Data Owner

In case the relevant person discloses his personal data, the subject personal data is processed by our Bank in accordance with the purposes of disclosure.

9.6.  Data Processing being Mandatory for Establishing or Protecting a Right

Personal data may be processed by Our Bank to the extent it is mandatory for establishment, use or protection of a right.

9.7.  Data Processing being Mandatory for the Bank’s Legitimate Interest

Provided that the fundamental rights and freedoms of the personal data owner is not damaged, personal data of the data owner may be processed if data processing is mandatory for the legitimate interests of Our Bank.  

9.8.  Personal Data Owner Having an Explicit Consent

In case one of the personal data processing conditions set forth above is not existing in the processing of personal data, Our Bank may apply for explicit consent of the relevant person. 

Explicit consent of the personal data owner should be received on the basis of informing on a specific subject and by free will.

10.      CONDITIONS OF PROCESSING SPECIAL CATEGORIES OF PERSONAL DATA

In the 6th Article of the Law, some personal data having the risk of causing suffering of people or discrimination when processed contrary to law are determined as “special categories”.

Special categories of personal data are data relating to race, ethnic origin, political opinions, philosophical beliefs, religion, sect or other beliefs, appearance and dressing, membership of association, foundation or trade-union, health, sexual life, criminal conviction and security measures, and biometric data and genetics data.

Personal data determined as “special categories” by the Law are processed by Our Bank in the following circumstances in accordance with the Law and by taking sufficient measures determined and to be determined by the Board.    

10.1. Being Stipulated by the Provisions of Legislation

In cases when it is explicitly seen in the provisions of the legal legislation, special categories of personal data processing activities may be carried out without receiving consent of the relevant person provided that the limits of legal legislation are not exceeded.

10.2. Actual Impossibility

Special categories of personal data of a person who cannot declare his consent due to actual impossibility or his consent is not considered as legally valid, may be processed if it is mandatory for protection of his or any other’s life or body integrity. Our Bank shall be able to process special categories of personal data in cases stipulated in accordance with this adjustment.   

10.3. Declaring Personal Data by the Personal Data Owner

In case the relevant person discloses his special categories of personal data, the subject special categories of personal data is processed by our Bank in accordance with the purposes of disclosure

10.4. Data Processing being Mandatory for Establishing or Protecting a Right

Special categories of personal data may be processed by Our Bank to the extent it is mandatory for establishment, use or protection of a right.

10.5. Planning, Management and Financing of Health Services

Special categories of personal data may be processed by persons under the obligation of confidentiality or authorized institutions and organizations if necessary for the protection of public health, preventive medicine, medical diagnosis, treatment and care services, and the planning, management and financing of health services.

10.6. Legal Obligation

Special categories of personal data may be processed by our Bank to the extent necessary to fulfill legal obligations in the fields of employment, occupational health and safety, social security, social services and social assistance.

10.7. Foundation, Association and Trade Union Membership

Special categories of personal data may be processed for current or former members and members of foundations, associations and other non-profit organizations or formations established for political, philosophical, religious or trade union purposes, provided that they comply with the legislation to which they are subject and their purposes, are limited to their fields of activity and are not disclosed to third parties; or for persons who are in regular contact with these organizations and formations.

10.8. Personal Data Owner Having an Explicit Consent

In case one of the personal data processing conditions set forth above is not existing in the processing of special categories of personal data, Our Bank may apply for explicit consent of the relevant person. 

Explicit consent of the personal data owner should be received on the basis of informing on a specific subject and by free will.

11.      TRANSFERRING PERSONAL DATA

11.1.      Transfer of Personal Data Within the Country

11.1.1.  Meeting the Conditions on Processing Personal Data

Under the conditions determined under the title Data Processing Conditions of this Policy, declared with the Articles 9.1, 9.2, 9.3, 9.4, 9.5, 9.6, 9.7 and arranged in Article 5/2 of the Law relevant to processing of personal data, personal data may be transferred to receiving groups determined in personal data processing inventory of Our Bank.       

11.1.2.  Providing the Relevant Conditions for the Transfer of Special Categories Personal Data

Our Bank may transfer special categories of personal data to third parties provided that adequate measures determined by the Board are taken by determining that the conditions described in Article 10 of this Policy and regulated in Article 6/3 of the Law are met. 

11.2. Transfer of Personal Data Abroad

In the transfer of personal data abroad, our Bank may transfer data abroad by making sure that the conditions specified in the Data Processing Conditions heading of this Policy regarding the processing of personal data and sensitive personal data, described in Articles 9 and 10 and regulated in Articles 5/2 and 6/3 of the Law are met, and also by complying with the following issues.

11.2.1.  Adequacy Decision on the Country, Sectors or International Organizations to which Personal Data will be Transferred 

Personal data and special categories of personal data may be transferred abroad if one of the conditions specified in Articles 5 and 6 of the Law exists and there is a adequacy decision issued by the Board regarding the country, sectors within the country or international organizations to which the transfer will be made.

11.2.2.  In Case of Absence of an Adequacy Decision

In the absence of an adequacy decision issued by the Board, personal data and special categories of personal data may be transferred abroad by providing one of the appropriate safeguards specified below, provided that one of the conditions specified in Articles 5 and 6 of the Law exists and it is determined that the person concerned has the opportunity to exercise his rights and to apply for effective legal remedies in the country where the transfer will be made.

11.2.2.1. Existence of a Standard Contract with Data Protection Measures

Personal data may be transferred abroad in the presence of a standard contract, which is announced by the Board and which contains matters such as data categories, purposes of data transfer, recipients and recipient groups, technical and administrative measures to be taken by the data recipient, additional measures taken for special categories of personal data, and which is arranged between the data controller in Turkey (our Bank) and the data controller in the relevant foreign country.

11.2.2.2. Existence of Written Undertaking and Consent of the Board

Personal data may be transferred abroad in the presence of a written undertaking between the data controller in Turkey (our Bank) and the data controller in the relevant foreign country, which includes provisions to ensure adequate protection, and if the transfer is authorized by the Board.

11.2.2.3. Binding Corporate Rules

Personal data may be transferred abroad in the presence of binding corporate rules approved by the Board containing provisions on the protection of personal data that companies within the group of undertakings engaged in joint economic activities are obliged to comply with.

11.2.3.  Exceptional Cases

In the absence of an adequacy decision issued by the Board and in cases where any of the appropriate safeguards specified in Article 11.2.2 of this policy cannot be provided, personal data and special categories of personal data may be transferred abroad in the presence of one of the following situations, provided that it is incidental.

11.2.3.1. Relevant Person Having Explicit Consent

Our Bank may transfer personal data and/or special categories of personal data abroad, provided that the relevant person gives explicit consent to the transfer, provided that he/she is informed about the possible risks.

11.2.3.2. Performance of the Contract  between the Relevant Person and our Bank

In the event that data transfer is mandatory for the performance of a contract between our Bank and the relevant person or for the implementation of pre-contractual measures taken upon the request of the relevant person, personal data and/or special categories of personal data may be transferred abroad.

11.2.3.3. Establishment and Performance of an Contract between our Bank and another Natural or Legal Person

In the event that data transfer is mandatory for the establishment or performance of a contract between our Bank and another natural or legal person for the benefit of the person concerned, his/her personal data and/or special categories of personal data may be transferred abroad.

11.2.3.4. Presence of a Superior Public Interest

Personal data and/or special categories of personal data may be transferred abroad if the data transfer abroad is mandatory for a superior public interest.

11.2.3.5. Establishment of a Right

Personal data and/or special categories of personal data may be transferred abroad by our Bank to the extent necessary for the establishment, exercise or protection of a right.

11.2.3.6. De facto Incapability

Personal data and/or special categories of personal data may be transferred abroad by our Bank in order to protect the life or physical integrity of the person or another person who is unable to disclose his/her consent due to actual impossibility or whose consent is not legally valid.

11.2.3.7. Transfer from a Register Open to the Public or Persons with a Legitimate Interest Upon the Request of a Person with a Legitimate Interest

Personal data and/or special categories of personal data may be transferred abroad by our Bank from a registry open to the public or to persons with legitimate interests, provided that the conditions required to access the registry in the relevant legislation are met and the person with a legitimate interest requests it.

12.      DELETION, DESTRUCTION AND ANONYMIZATION OF PERSONAL DATA

Our Bank keeps personal data for the periods stipulated in laws and other legislation. As the reasons requiring personal data processing disappear and following that, the period in the relevant law arrangements expires, personal data is deleted, destroyed or anonymized periodically ex officio twice a year or upon the request of the relevant person by Our Bank.    

13.      OUR LIABILITIES

13.1.      Informing

During obtaining the personal data by Our Bank, relevant person is informed about;

  • the identity of the data controller,
  • the purpose for processing the personal data,
  • to whom and for which purpose the personal data shall be transferred,
  • method and legal reasons for collecting personal data,
  • rights of the relevant person.

Besides, Our Bank announces primarily to personal data owners and relevant people with this Policy and various public documents that it has accomplished data processing activities in accordance with the relevant legislation and ensures informing the relevant people and transparency in personal data processing activities. 

13.2.      Liability of Ensuring Security of Personal Data

Our Bank shows the ultimate attention and care on providing personal data security and takes the necessary measures relevant to the issues stated below on providing “data security” within this scope pursuant to Article 12 of the Law. 

  1. a) The Bank ensures taking all kinds of necessary technical and administrative measures primarily the Personal Data Security Guide the Board has published on;
  • Preventing processing of personal data contrary to law,
  • Preventing access to of personal data contrary to law,
  • Ensuring proper security level to protect personal data.
  1. b) The Bank bearing ISO 27001 Information Security Management System Certificate ensures protection of confidentiality, accuracy and integrity of personal data.
  2. c) In case the personal data is processed on behalf of itself or by another natural or legal entity, the Bank is jointly responsible with these people on taking the measures stated in the first article above.
  3. d) The Bank ensures necessary audits to be made by Internal Audit/Internal Control units to provide practicing provisions of the Law.
  4. e) Employees working at Our Bank are informed and trained on personal data protection law and processing of personal data in compliance with the law.
  5. f) All of the employees of Our Bank are prevented from accessing all personal data being processed by the Bank in the capacity of a data controller and their power of access are being arranged considering the purpose of data processing.
  6. g) Our Bank adds the confidentiality provisions arranging processing of personal data in compliance with the law, requirements of acting according to the liabilities stipulated by the Law, not disclosing personal data and not using the personal data contrary to law to all kinds of documents drawing up the relations between the Bank and its employees.
  7. h) Employees working at Our Bank and/or people learning personal information due to their duties do not disclose the subject information to others against the Law and other relevant legislation provisions and do not use besides the purpose of their processing. This liability continues even after they leave their duties.
  8. i) Our Bank is responsible for the third parties to whom personal data is transferred to fulfill their liabilities to process, protect and access data in compliance with the law in accordance with the provisions of this Policy and the Law pursuant to the 12th Article of the Law.

         Accordingly, provisions on the people which personal data is transferred to take necessary security measures for protection of personal data, to ensure following these measures at their institutions and to grant Our Bank the power of auditing are added in the agreements concluded with people which personal data is transferred in compliance with the law.  

  1. j) Our Bank ensures technological opportunities and necessary technical and administrative measures according to their cost to keep personal data in safe environments and prevent destruction, loss or changing with purposes contrary to law.
  2. k) Our Bank ensures establishment of necessary software and hardware to prevent infiltrating from outside to systems where personal data are kept and tracking possible risks, have leak tests to be performed, to take the same security measures for backups to avoid data loss.
  3. l) In case the processed personal data are obtained by others illegally, the subject situation is reported to the relevant person and the Board as soon as possible. Moreover, if the Board considers it necessary, this situation is announced in the Board’s website or by other means.

14.      RELEVANT PERSON’S RIGHTS

Pursuant to the 11th Article of the Law, relevant person has the following rights against Our Data Controller Bank.

  1. a) To learn whether personal data is processed,
  2. b) If the personal data is processed, to request information about this,
  3. c) To learn purpose of processing personal data and whether they are used in accordance with the purpose of processing,
  4. d) To know third parties to whom personal data are transferred within the country and abroad,
  5. e) In case personal data is processed deficiently or incorrectly, to ask correction of these,
  6. f) If the conditions are fulfilled, to ask deletion or destruction of personal data and ask their request to be transmitted to third parties,
  7. g) To object any result to arise against itself by analyzing processed data exclusively by automatic systems,
  8. h) In case of being exposed to damage for processing personal data contrary to law, to claim compensation of this damage.

15.      RELEVANT PERSON’S APPLICATION METHODS TO OUR BANK

In case relevant persons transmit their requests relevant to their rights determined in Article 14 to Our Bank, request is finalized free of charge as soon as possible or within thirty days at the latest according to the quality of the request. However, according to the content of the reply, a fee in the tariff determined by the Board may be collected.

Our Bank sends the result of the application of the relevant person’s request either in written or in electronic environment according to his wish.

According to the nature of the request, Our Bank may accept the application of the relevant person as well as rejecting by explaining the reason. In case the application is accepted, Our Bank fulfills the necessary without delay.

In case the application of the personal data owner is rejected, or if he finds the respond insufficient or the application is not responded or not responded in time, he has petition right to the Board.

The personal data owner relevant person may submit their requests to Our Bank Branches in written by applying personally along with documents certifying his identity (ID Card, driving license, passport etc.) or sent to the General Directorate of Our Bank through Notary or apply to albarakaturk@hs03.kep.tr  with safe electronic signature or  transmit to kvkk@albarakaturk.com.tr

By using the electronic post address notified to Our Bank previously and registered in the system. 

16.      EVALUATION OF CONFORMITY WITH THE BOARD DECISIONS AND EFFECT

There is an experienced and competent unit at Our Bank on Personal Data Protection Law, relevant regulations, communiqués and the Board resolutions and this unit performs necessary impact assessments on compliance with the Law as a stakeholder of the process at the stage of creating a new product/process.

17.      VALIDITY

This policy enters into force on the date of its approval by the Board of Directors of the Bank.