Clarification Text On The Protection And Processing Of Personal Data

1.PURPOSE OF THE CLARIFICATION TEXT

This disclosure is prepared to inform the individual customers of Dünya Katılım Bankası A.Ş. ("Bank") about the protection of their personal data within the scope of the Law on the Protection of Personal Data No. 6698. It aims to enlighten customers about the purposes for which personal data and special categories of personal data are collected by the Bank, the methods of collection, processing methods, transfer to third parties in cases permitted by legislation, and the protection of personal data through security measures, as well as informing customers about their rights related to the protection of personal data.


2. DATA CONTROLLER
The data controller is Dünya Katılım Bankası A.Ş. The Bank, in its capacity as the "Data Controller," processes customers' personal data in a limited, purposeful, and proportionate manner, in accordance with the law and the principle of fairness, while maintaining its accuracy and keeping it up-to-date.


3. PERSONAL DATA COLLECTED BY OUR BANK
Depending on the products and services customers receive from our bank, the necessary, proportionate, purpose-limited, lawful, and fair data is generally collected. You can access the Registry of Data Controllers Information System (VERBIS) at the "Registry Inquiry" page on the https://verbis.kvkk.gov.tr website.

 

 

Identity Information Name-Surname, Turkish Republic ID number, foreign ID number, blue card number, tax ID number, passport number, place of birth, date of birth, gender, marital status, spouse/child information, citizenship status, nationality information, criminal record information, and data obtained from the Population Registration System (KPS).
Banking and Finance
Data		 Financial data generated by our bank, such as pricing, credit card numbers, account numbers, IBAN, all kinds of financial data related to collection and payment activities, salary information, asset-income information, demographic information, Credit Bureau (KKB), Turkish Banking Association Risk Center data, debt information, delay and number of delay days, maturity information, information about connected persons, and asset information (vehicle and title deeds).
Education, Employment, and Professional
Life-Related Information		 Occupation, title, work information, and education status
Transaction Information Credit information, information related to participation fund accounts, credit card limit and balance information, account transactions, and credit card transaction information.
Visual and Auditory Records Call center voice recordings, video call camera recordings, visual and auditory data including photographs.
Legal Information Information in correspondence with judicial and administrative authorities, information in lawsuit files, information kept within the scope of alternative dispute resolution, and records from the Central Bank of the Republic of Türkiye (CBRT) and judicial decisions regarding check regulations and check account opening bans.
Contact Information Address, email, registered email address, mobile phone, landline, and fax numbers, among other contact details
Transaction Security Data Customer information necessary for accessing electronic banking channels, IP addresses, passwords, and PINs, location information processed with the consent of individuals for purposes such as fulfilling legal obligations and using security applications employed in these channels, as well as biometric data.
Advertising and Marketing
Data		 Cookie records, pages viewed through bank applications, shopping history information, information obtained through surveys, campaign activities, etc.
Commercial Life-Related Data Information pertaining to real individuals in documents such as tax certificates, trade registry newspapers and documents, authorization certificates, qualification certificates, signature circulars, and business activity certificates. Various information identifying individuals, such as tax liability status and information related to tax liability as a real person.
Sensitive Personal Data Information that falls under special categories is processed under the legislation or with the explicit consent of the customer, or in cases where a copy of the ID card is obtained, such as blood type information due to its inclusion in the ID card, gender information, criminal record, records from the Central Bank of the Republic of Türkiye (CBRT) or judicial decisions regarding check regulations and check account opening bans, health information in cases where financing is provided for health expenses, information related to memberships in fan clubs/associations/foundations in products targeting fan club/association/foundation members, fingerprint/face recognition information used for mobile banking logins, etc.
Cookies Information collected through the use of cookies for various purposes during website visits and sessions. This includes tracking visitor movements and recognition, security-related uses, remembering browser and application preferences, ensuring the correct functioning and intended use of the website, improving security and performance, recording searches, using functions such as logging in, advertising and marketing activities, enhancing website functionality, facilitating visits, improving experiences, making language, layout, or color adjustments, offering special campaigns and products, and categorizing internet habits, etc.
Software Against Malicious
Software		 Data gathered, stored, and employed through software installed, provided, or utilized on customer-owned devices like phones, computers, web, mobile, etc., aligns with the Bank's legal responsibilities and initiatives for application enhancement. This encompasses details related to identifying harmful software on these tools and devices, indicators suggesting potential infection with malicious software, and information concerning such malicious software

4.METHODS OF PERSONAL DATA COLLECTION
Your personal data may be collected through verbal, written, or visual means, in electronic media, utilizing automatic or non-automatic methods via the following channels:

  • During the banking services we provide, through the applications you make through digital (mobile banking, website, customer contact center, IVR, AT, etc.), through remote identification methods (for example, biometric face data), face-to-face (Head Office, branches and other service units), ATM, call center, support service/foreign service organizations. companies whose activities we carry out with the title of intermediary/agency, contracted/drawee banks, contracted dealers, customer meetings, member merchants and POSs, national and international institutions),
  • Channels such as the website, electronic banking channels (internet branch, mobile branch, or telephone banking), email, digital messaging platforms, security cameras belonging to service units, and social media,
  • Notifications, applications, and conversations conducted through registered email, electronic notifications, email, mail, fax, short message service (SMS), SWIFT, and similar channels,
  • Systems shared through public institutions and organizations (Identity Sharing System, Address Sharing System, Trade Registry Gazette, Land Registry and Cadastre Information System, Risk Center, Credit Registry Bureau, etc.)
  • Banks Association of Türkiye Risk Center or companies established by at least five banks or financial institutions (Interbank Card Center, Credit Bureau, etc.).
  • Data obtained from open banking channels (other banks or payment institutions) with your consent.

PURPOSES AND LEGAL BASIS OF PROCESSING PERSONAL DATA
Your personal data may be processed without the need for explicit consent in cases where the following purposes exist, based on your explicit consent, request or instruction, or the presence of one of the legal bases listed below, primarily to provide you with secure, efficient, and high-quality services or depending on the nature of the relationship you have established with our bank:

 

Legal Reasons:

  • Explicit stipulation in law,
  • Being directly related to the conclusion or performance of a contract,
  • The necessity of processing personal data of the parties to the contract,
  • Being compulsory for our Bank to fulfill its legal obligations,
  • Being mandatory for the establishment, use or protection of a right,
  • Being mandatory for the legitimate interests of our Bank, provided that it does not harm the fundamental rights and freedoms of your person

 

Processing Purposes:

  • Banking services, foreign trade services, financing (credit) transactions, insurance, agency services, brokerage services, and other services falling under the activities listed in Article 4 of Banking Law No. 5411, encompass the provision of services, the execution of operational processes, activities related to monitoring, sustainability, and continuity, compliance with internal systems, risk monitoring, and information disclosure obligations, as well as the fulfillment of obligations arising from agreements signed with our bank,
  • Compliance with legal obligations, adherence to internal systems, and fulfillment of responsibilities related to risk monitoring and information disclosure;
  • Conducting necessary assessments and inspections for the services provided, identifying the owner, authorized personnel, and stakeholders of tasks and processes,
  • Execution of investment processes, organization of all records and documents that will serve as the basis for transactions conducted electronically or in paper format,
  • Intelligence gathering for credit transactions (Credit Bureau information), credit history, credibility, conducting collateral transactions, and analyzing other necessary data, and implementation of credit receivables tracking,
  • Recording complaints, objections, requests, suggestions, satisfaction, and similar notifications in our notification management system to provide better service, and ensuring the accuracy and currency of existing data,
  • Execution of planning and statistical activities, organization and event management, implementation of sponsorship and corporate social responsibility activities,
  • Analysis and development of banking systems, maintenance of application management operations, execution/planning of information security processes, establishment, management, audit, and implementation of information systems infrastructure, security applications.
  • Ensuring transaction security in cardless transactions conducted through QR codes,
  • In the context of ATOM (Gold Savings Generation Model), when transactions are conducted and services are obtained, the amounts involved in transactions at the relevant jewelers and refineries are transferred to the account,
  • Designing the business processes and activities of our bank, planning and executing operational processes and procurement operations, Managing relationships established with support services/external service providers, business partners, or suppliers, Execution of post-service support tasks.
  • Establishment of transaction security in electronic banking usage, protecting customers, the bank, and the banking system against incidents such as fraud, forgery, and attacks that they may face in the electronic environment, and Maintaining logs in case of using internet access,
  • Recording user experience and preferences on our bank's website (such as language preferences) for use in subsequent visits, recording user statistics for improving website performance, and keeping track of information entered into calculation tools on the website,
  • Recording your site visit information to predict your banking product preferences and offer personalized products, collecting statistical information for more effective marketing activities, limiting the number of displayed ads, showing relevant and personalized ads, and measuring the effectiveness of advertising campaigns,
  • Verifying the reliability of subsequent requests to the website, confirming that the cookie clarification text has been read and cookie usage has been accepted,
  • Detection of signs indicating harmful software on used devices such as phones, computers, web, mobile, etc., fulfillment of the bank's legal obligations through software, and improvement of applications,
  •  If you give explicit consent; using it in promotional, product/service offering, marketing, advertising, and campaign activities, developing services and products tailored to you, conducting analyses based on website and application usage and behavioral modeling, conducting customer satisfaction studies, obtaining and measuring likes and evaluations through surveys and other means, performing analysis, reporting, and evaluation, conducting customer satisfaction/loyalty studies, managing customer relationship processes, improving service quality, and using it for third-party advertising and marketing activities,
  • In the case of your explicit consent or as a basis for the transaction within the scope of services; for the provision of legal and physical security or in compliance with legal obligations, the recording of camera images and photos at our Head Office, Branches, other service units, and ATMs, as well as the processing of the biometric photo on your Turkish ID card for security and identity verification purposes,
  • If you give explicit consent, informing you about the ATMs closest to your current location.
  • If you provide explicit consent, processing location information for withdrawal and push transactions.

 

PURPOSE OF PROCESSING PERSONAL DATA OF INDIVIDUALS IN THE SAME RISK GROUP:

 Under the Banking legislation, irrespective of whether you are a customer of our bank, your personal data may be processed in the event that you are in the same risk group with the customer of our Bank, within the framework of credit evaluations and following the Banking legislation, to determine, identify, monitor, monitor, report the risk group and control the loans extended to the risk group.

The term "Risk Group" succinctly refers to you, your spouse, children, parents, or legal entities where you, your spouse, children, or parents serve as board members or general managers, exercise control, hold shares, and individuals for whom you provide surety, guarantee, or similar commitments, to the extent that the financial instability of one may lead to the insolvency of others within the defined relationships. The principles regarding the determination of the Risk Group can be updated within the framework of the Banking Legislation.

 

  1. PERSONS TO WHOM AND FOR WHAT PURPOSE THE PROCESSED PERSONAL DATA MAY BE TRANSFERRED
    In accordance with the provisions of the Personal Data Protection Law, your personal information retained by our bank may be shared with domestic and international entities for the following purposes, and such sharing may occur with third parties or institutions in adherence to the regulations stipulated in Articles 8 and 9 of the law:

 

  • As authorized by law to fulfill our legal obligations to the Banking Regulation and Supervision Agency, Capital Markets Board, Central Bank of the Republic of Türkiye, Revenue Administration, Financial Crimes Investigation Board, Credit Bureau, Interbank Card Center, Social Security Institution, Association of Financial Institutions, and other relevant persons, institutions and/or organizations authorized by law,
    Public legal entities such as TBB Risk Center,
  • To carry out our banking activities and within the limits set by the provisions of the legislation and to the extent required by the business processes, third parties, support services, external service organizations and cooperating organizations from which services are obtained,
  • In scope of ATOM (Gold Savings Generation Model), relevant jewelers and refineries in case of transactions and services.
  • Persons, institutions and organizations that we conduct their activities as intermediary and agency,
  • for the pursuit and execution of legal affairs, judicial authorities such as courts, execution and bankruptcy offices, prosecutor's offices and alternative dispute resolution authorities such as mediation, arbitral tribunal, arbitration, conciliator, law offices, asset management companies
  • In order to audit that the activities are carried out in accordance with the legislation, the independent audit company
  • Contracted and correspondent banks and domestic/foreign financial institutions,
  • For the execution of credit cards and money transfer processes due to the nature of the transaction; payment systems organizations including Europay Int. SA, Western Union, Mastercard Int. INC, Visa INC, JCB Int. Co., Maestro, Electron, card organizations, domestic/international member merchants.

 

8.MAXIMUM PROCESSING AND RETENTION PERIOD OF PERSONAL DATA

Your personal information will undergo processing and retention in accordance with the duration necessary for the intended purpose and for a minimum of 10 (ten) years, as dictated by Banking Legislation, unless there exists a legislative provision or legal justification requiring a more extended processing and storage period. At the end of these periods, your personal data will be immediately deleted, destroyed or anonymized.

 

 

9. SECURITY MEASURES TAKEN FOR PERSONAL DATA

All essential technical and administrative measures are implemented to uphold an adequate level of security, preventing unauthorized processing or access to your personal data and ensuring its protection.

 

 

10. RIGHTS OF APPLICATION OF THE DATA SUBJECT
Under Article 11 of the Law, you have the following rights:

  • To find out whether your personal data has been processed and to request information if it has been processed
  • To learn the purpose of processing of your data and whether this data is used for intended purposes,
  • To learn the third parties (if any) to whom your personal data is transferred domestically or abroad,
  • To request correction of your personal data in case of incomplete or incorrect processing,
  • To demand the deletion or destruction of personal data under the conditions stipulated in the Law,
  • To ask that these matters be notified to third parties to whom personal data are transferred,
  • To appeal against the results that arise to the detriment of data subject by analyzing the processed data (if any) exclusively through automated systems,
  • To request compensation for damages in case of loss due to the processing of personal data by the Bank in violation of the Law.

You may submit your requests under the Law to our Bank by filling out the personal data subject application form on the Bank's website in full and using the following methods.

  • You have the option to submit it to the Head Office of our Bank either by regular mail, registered mail with a return receipt requested, or through a notary public.

Our Bank will finalize the request free of charge as soon as possible and within thirty days at the latest, depending on the nature of the request. Nonetheless, if the processing of the request involves an extra charge, our Bank may request you to cover the fee specified in the tariff determined by the Personal Data Protection Board.