PDPL

PDPL

Personal Data Processing Clarification Text

PURPOSE AND SCOPE OF THE CLARIFICATION TEXT

 

As Dünya Katılım Bankası A.Ş., we respect the security of your personal data and your right of privacy, and prioritize protection of your data and privacy. In this respect, we would like to present you this clarification text aimed at informing you about your rights on the use and protection of your personal data within the scope of the Personal Data Protection Law No. 6698 (“PDPL” / ”The Law”), as well as processing, transferring, storage and destruction of your data shared with us throughout the process of provision of Dünya Katılım Bankası A.Ş. services.

As explained in this clarification text, your personal data and sensitive personal data may be recorded, archived, updated, transferred, classified, and processed in the ways specified in the applicable legislation and in accordance with the provisions of the Personal Data Protection Law (PDPL).

This clarification text has been prepared for the attention of the relevant individuals whose personal data is being processed (“Data Subjects”). The term "Data Subject" should be understood as follows:

  • Current and potential customers (“Customers”): Some sections of this Clarification Text are specifically aimed at customers who hold certain accounts or products with the Bank. These specific cases are clearly stated within the Clarification Text.
  • Non-customer individuals: This refers to persons conducting any transactions with the Bank, whether or not they have an account; those involved in any collateral transactions in favor of the Bank, or who will be involved in such transactions (e.g., guarantors, sureties, pledge/assignment debtors, endorsers, spouses in cases where consent is legally required); individuals visiting the Bank's website, headquarters, or branches; shareholders, ultimate beneficiaries, board members, or representatives/proxies of any company that is a customer; and persons engaged in any other transactions with the Bank or its customers.

1. Data Controller and Data Processor

DESIGNATION

DÜNYA KATILIM BANKASI A.Ş.

ADDRESS

Yamanevler Mahallesi Ahmet Tevfik İleri Caddesi No: 1/3 Ümraniye/İSTANBUL

CONTACT DETAILS

444 3 166 / bilgi@dunyakatilim.com.tr

CRS / REGISTRY NO

0007-0015-4810-0028 / 206564-0

REM ADDRESS

dunyakatilim@hs01.kep.tr

 

VERBİS

https://verbis.kvkk.gov.tr/

2. Categories of Personal Data

Identity Information

Name, surname, Turkish identification number (TRIN), foreign identification number, blue card number, tax identification number, passport number, driver's license, place of birth, date of birth, gender, marital status, spouse/child information, citizenship status, nationality information, criminal record, and other information obtained from the Identity Sharing System (KPS).

Contact Information

Contact information such as address, email, registered electronic mail (KEP) address, landline phone, and fax number.

Location Information

Information such as the location of the place where the individual is present.

Legal Proceedings and Compliance Information

Personal data processed within the scope of determining, tracking the Bank’s legal receivables and rights, fulfilling its debts, legal obligations, and ensuring compliance with the Bank’s policies. For example: records of the Central Bank of Türkiye (CBRT), etc.

Customer Transaction Details

Personal data obtained and generated about the individual within the framework of the customer relationship. For example: credit information, account movements, participation fund account information, credit card limits and balance information, promissory note/check information, counter receipts, etc.

Physical Space Security Information

Information such as entry and exit records to physical spaces, camera recordings, etc.

Transaction Security Information

Information such as customer details required for accessing electronic banking channels, IP addresses, passwords and codes, security applications used on these channels, and location data processed for fulfilling legal obligations, as well as biometric data processed based on the individual’s consent.

Risk Management

Personal data processed within the scope of the Bank's commercial, technical, and administrative risk management activities. For example: records from the Risk Center of the Banks Association, credit risk score, credit and risk information, etc.

Banking and Financial Data

Financial data of any kind related to pricing produced by the Bank, credit card numbers, account numbers, IBAN, collection and payment activities, salary information, asset-income details (real estate and vehicles), maturity information, information about related persons, asset information (vehicles and real estate), shareholding (and rights) and investment information, etc.

Educational and Professional Experience

Information such as profession, title, work details, education level, etc.

Marketing Data

Information such as cookie records, pages viewed via bank applications, shopping history, information obtained from surveys, campaign activities, etc.

Visual and Auditory Records

Visual and audio data, primarily call center voice recordings, camera recordings, photographs, etc.

Sensitive Personal Data

Information such as blood type (due to its inclusion on the identity card) and gender obtained with the explicit consent of the data subject or as required by law; health information in cases where financing is provided for health expenditures; membership details for associations/foundations regarding products aimed at supporters or members of associations/foundations, etc.

Criminal Convictions and Security Measures

Information related to criminal convictions, security measures, criminal record, records from the Central Bank of Türkiye (CBRT) regarding restrictions on issuing or opening check accounts, judicial decisions, etc.

 

3. Methods of Obtaining Personal Data

Your personal data may be collected through verbal, written, or visual means, and in electronic environments via automated or non-automated methods through the following channels:

  1. Obtaining Personal Data from the Data Subject

1.1 Through Semi-Automated Methods

Your personal data, categorized under Identity Information, Contact Information, Legal Proceedings and Compliance Information, Customer Transaction Information, Physical Premises Security Information, Risk Management, Banking and Financial Data, Education and Professional Experience Information, Marketing Data, and Visual and Audio Recordings, is obtained from you under the following circumstances:

  • When applying for the products and/or services offered by the Bank,
  • When utilizing accounts held with the Bank,
  • When visiting the General Directorate units or branches and utilizing kiosks or phone services (e.g., CCTV recordings are captured in physical locations for security purposes),
  • When carrying out transactions such as collections or payments through the Bank’s branches or channels,
  • When engaging in verbal and/or written communication with the Bank through any communication channel (e.g., via KEP, electronic notifications, mail, fax, social media methods, etc.),
  • Personal data categorized under Health Information is obtained when applying for an insurance product.

1.2. Through Automated Methods

Transaction Security Data and Location Information are obtained under the following circumstances:

  • When downloading any of the Bank's mobile applications, or using kiosks, ATMs, websites, or digital services,
  • Transaction Security Data is collected to obtain information such as the type of device used, type of operating system, connected IP address, login and logout details for internet banking, password and code information, as well as how access to and use of these services is performed,
  • Location Information is collected when using the Bank’s digital platforms such as internet banking, to provide services like weather conditions at your location and the nearest ATM,
  • In accordance with Regulation No. 31441, sensitive personal data is collected when a request is made to become a new customer through remote identity verification or when a request is made to conduct transactions via remote identity verification through the mobile application.
  1. Obtaining Personal Data from Third Parties

2.1. Personal data categorized under Identity Information, Contact Information, Legal Transaction and Compliance Information, Customer Transaction Information, Risk Management, Banking and Financial Data, Marketing Data, Visual and Audio Records, Criminal Conviction, and Security Measures are collected through automated methods from the following institutions, organizations, and/or individuals:

  • Companies established by the Risk Center of the Banks Association of Türkiye or by at least five banks or financial institutions, as well as institutions combating the laundering of proceeds of crime, the financing of terrorism, corruption, bribery, and fraud, along with public or private institutions providing information from official and private databases [e.g., the Identity Sharing System (KPS), Address Sharing System, Central Registration System, National Judiciary Informatics System (UYAP), Revenue Administration (GİB), records from the Trade Registry Offices, Land Registry and Cadastre Information System, Credit Bureau (KKB), Interbank Card Center (BKM), SWIFT KYC, Participation Banks Association of Türkiye (TKBB), Banks Association of Türkiye (TBB), MEKS, etc.],
  • Hardware or software service providers contracted to improve the obtained personal data and to enhance the quality of marketing activities directed at the data subject,
  • Member merchants and POS terminals,
  • The Central Bank of the Republic of Türkiye (TCMB), the Ministry of Treasury and Finance, General Directorate of Highways, PTT, institutions authorized to issue invoices, and persons or organizations involved in payment/collection processes,
  • Institutions and organizations facilitating international money transfers, such as SWIFT,
  • Parties providing ancillary services supporting the Bank's operations, such as fax, mail, courier, or cargo services, as well as contracted entities, support services, external service providers, and dealerships and sales offices,
  • Other banks and financial institutions (e.g., when accounts held at other banks or financial institutions are displayed on the Bank’s platforms, or when information is obtained to investigate incorrect payments),
  • Publicly available sources such as news media, online records, or directories from any social platform.

2.2. Personal data categorized under Identity Information, Contact Information, Legal Transaction and Compliance Information, Customer Transaction Information, Risk Management, Banking and Financial Data, Education and Professional Experience Information are collected through non-automated methods from the following institutions, organizations, and/or individuals:

  • Unions and associations such as chambers of commerce and trade associations,
  • Joint account holders,
  • Persons appointed or selected to act on your behalf (e.g., guardian, custodian, representative, attorney, etc.),
  • Businesses owned or associated with the data subject, such as investment companies, partnerships, or business partners, as well as the managers, directors, partners, trustees, officials, or attorneys of such businesses,
  • Employers,
  • Social Security Institution (SGK),
  • Judicial and administrative authorities,
  • Companies/partnerships operating under brokerage and agency capacities.
  1. When personal data belonging to third parties is provided to the Bank, or when the personal data of these individuals is requested to be shared by the Bank with third parties, it is confirmed that these individuals have been informed regarding this Clarification Text in the context of the relevant activities.

4. Purposes and Legal Reasons For Processing Your Personal Data

In accordance with Article 5 of the Law No. 6698 on the Protection of Personal Data, personal data cannot, as a rule, be processed without explicit consent. However, in certain circumstances outlined in the Law, personal data may be processed without the need for explicit consent:

  • Article 5/2-a: If it is expressly provided for by law.
  • Article 5/2-b: When it is inevitable to protect the life or bodily integrity of a person or someone else who is unable to give consent due to actual impossibility or whose consent is legally not valid.
  • Article 5/2-c: When it is necessary to process of personal data of the parties of a contract, provided that it is related directly to establishment or execution of the contract.
  • Article 5/2-ç:The fact that it is mandatory for the data controller to fulfill his/her legal obligation.
  • Article 5/2-d: If the data has been made public by the data subject themselves.
  • Article 5/2-e: When it is compulsory to process the data in order to establish, use or protect a right.
  • Article 5/2-f:When it is compulsory to process the data for the data responsible for his/her legitimate interests, provided that not harming fundamental rights and freedoms of the relevant person.
  •  

Personal Data Category

 Purpose of Data Processing

 Legal Reason

  • Identity Information
  • Contact Information
  • Banking and Financial Data
  • Customer Transaction Details
  • Visual and Auditory Records
  • Risk Management
  • Transaction Security Information

Personal data is processed for the purposes of providing banking services, capital market transactions, investment products, cash management services, foreign trade services, financing (credit) services, intermediary services, insurance, and other agency services, as well as for carrying out activities listed under Article 4 of the Banking Law No. 5411. This data is utilized to deliver banking and financial services, improve products and services, enhance customer satisfaction, manage and optimize operational processes, and conduct financial reporting and risk management activities in compliance with legal regulations.

article 5/2-a

article 5/2-c

article 5/2-ç

article 5/2-f*

 

*Enhancing the quality of service provided to the customer, as well as protecting the Bank’s commercial interests and those of the customer, falls within the scope of legitimate interest.

  • Identity Information
  • Contact Information
  • Banking and Financial Data
  • Customer Transaction Details
  • Visual and Auditory Records

 

Your personal data is processed to manage customer relationships, improve your satisfaction, and address complaints, objections, requests, and suggestions. It is also used to record necessary information for tracking and managing legal processes and to meet legal obligations.

article 5/2-ç

article 5/2-e

article 5/2-f*

 

*Reviewing complaints to enhance service quality for customers is considered a legitimate interest.

  • Identity Information
  • Contact Information
  • Location Information
  • Banking and Financial Data
  • Customer Transaction Details
  • Visual and Auditory Records

 

Your personal data is processed to verify the instructions you provide, analyze and assess our services, and for training and quality improvement purposes. Within this scope, all forms of communication with you, including phone calls, may be monitored or recorded.

article 5/2-ç

article 5/2-f*

 

*Verifying customer instructions, preventing and detecting fraud and other crimes, and enhancing services are considered legitimate interests.

  • Identity Information
  • Contact Information
  • Banking and Financial Data
  • Customer Transaction Details
  • Visual and Auditory Records
  • Risk Management
  • Transaction Security Information
  • Physical Space Security Information

Your personal data is processed in compliance with regulations concerning the Prevention of Money Laundering and the Financing of Terrorism, as well as the prevention of the proliferation of weapons of mass destruction. This processing involves checking national and international lists, conducting identity verification, fulfilling customer identification obligations, verifying identities and addresses, recording details related to occupation, profession, income status, and the purpose of transactions, as well as managing compliance processes as required by applicable foreign legislation.

article 5/2-a

article 5/2-c

article 5/2-ç

article 5/2-f*

 

*The verification of your identity falls within our legitimate interests to detect, prevent, and investigate fraud, money laundering, and the financing of terrorism, as well as other criminal activities, all aimed at protecting our bank.

  • Identity Information
  • Contact Information
  • Banking and Financial Data
  • Customer Transaction Details
  • Visual and Auditory Records
  • Risk Management
  • Transaction Security Information
  • Educational and Professional Experience
  • Marketing Data

Your personal data will be processed to define and deliver products and services related to banking, insurance, retirement, finance, and investment, as well as those provided in collaboration with companies within AHL Holding or associated organizations. This processing includes communication, offering proposals, and conducting promotional, marketing, cross-selling, and campaign activities. Furthermore, your data will be utilized to design tailored marketing and promotional activities specifically catered to your preferences.

article 5/1*

 

*These activities will be carried out with your explicit consent or upon your instruction.

  • Identity Information
  • Contact Information
  • Banking and Financial Data
  • Customer Transaction Details
  • Sensitive Personal Data

Your personal data is processed to deliver services related to insurance, investment, and financial products for which the Bank acts as an agent, as well as to execute transactions concerning the insurance products in which the Bank has a lien or creditor status.

article 5/2-c

article 5/2-ç

article 5/2-f*

 

*Offering you these products and obtaining price quotes is part of the Bank's legitimate interests. Your health data will be processed with your explicit consent, as outlined in Article 6(3)(a).

  • Identity Information
  • Customer Transaction Details
  • Transaction Security Information

 

Furthermore, your personal data will be utilized to determine service and product priorities and to identify service points.

article 5/2-f*

 

*Providing high-quality services to customers aligns with the Bank's legitimate interests.

  • Identity Information
  • Contact Information
  • Banking and Financial Data
  • Customer Transaction Details
  • Visual and Auditory Records
  • Risk Management
  • Transaction Security Information

 

Your personal data is processed for the purposes of debt collection, exercising legitimate rights, and protecting property rights and interests in accordance with any contract concluded with the Bank.

article 5/2-a

article 5/2-c

article 5/2-ç

article 5/2-f*

 

*The collection of debts and the protection of assets fall within the legitimate interests of the Bank.

  • Identity Information
  • Contact Information
  • Banking and Financial Data
  • Customer Transaction Details

 

Your personal data is processed to respond to your requests for initiating payments and account information services related to your accounts with other Payment Service Providers, as well as to facilitate these services for your existing accounts at the Bank, should third-party providers request the necessary information. When account transaction details—such as money transfers, checks, or bill payments—are requested by our account-holding customers or authorized intermediary institutions, your relevant data (e.g., TRIN/TIN) will be shared with the requesting party.

article 5/2-c

article 5/2-ç

 

  • Identity Information
  • Contact Information
  • Banking and Financial Data
  • Customer Transaction Details
  • Visual and Auditory Records
  • Risk Management
  • Transaction Security Information
  • Physical Space Security Information
  • Location Information
  • Legal Proceedings and Compliance Information

The security of the Bank's systems and operations, as well as the safety of bank branches, ATMs, and other facilities, may involve video and/or audio recordings through a closed-circuit camera system to ensure the integrity of information security processes and to prevent and detect fraud, money laundering, financing of terrorism, and other crimes (such as identity theft).

article 5/2-a

article 5/2-ç

article 5/2-f*

 

*Verifying your identity to prevent and investigate fraud, money laundering, financing of terrorism, and other offenses, as well as to protect the institution and comply with applicable regulations, is among our legitimate interests.

  • Identity Information
  • Contact Information
  • Banking and Financial Data
  • Customer Transaction Details
  • Risk Management
  • Transaction Security Information
  • Physical Space Security Information
  • Legal Proceedings and Compliance Information

Your personal data may be processed for the following purposes:

·        To ensure compliance with the legislation applicable to the Bank and to collaborate with regulatory authorities and law enforcement agencies, including fulfilling obligations arising from laws such as the Banking Law, the Law on Banking Cards and Credit Cards, Payment and Securities Settlement Systems, the Law on Payment Services and Electronic Money Institutions, as well as compliance with regulations regarding the prevention of money laundering and the financing of terrorism, both domestically and internationally;

·         To utilize the system ("İYS") that facilitates obtaining consent for commercial electronic communications in accordance with Law No. 6563 on the Regulation of Electronic Commerce and the associated Regulation on Commercial Communication and Commercial Electronic Messages, which also allows for the exercise of the right to refuse and manage complaint processes;

·        To comply with the data retention, reporting, and notification obligations mandated by authorities such as the Banking Regulation and Supervision Agency, the Capital Markets Board, the Central Bank of the Republic of Türkiye, Financial Crimes Investigation Board (MASAK), the Banks Association of Türkiye, KOSGEB, the Revenue Administration, the Ministry of Treasury and Finance, the Social Security Institution, the Central Securities Depository (CSD), the Credit Register Bureau, Risk Center, and other relevant authorities, as well as to fulfill identity and access obligations outlined in the Regulation on Information Systems and Electronic Banking Services.

article 5/2-a

article 5/2-ç

article 5/2-f*

 

*Protection of the Bank is among our legitimate interests.

  • Identity Information
  • Contact Information
  • Banking and Financial Data
  • Customer Transaction Details
  • Educational and Professional Experience
  • Marketing Data

To identify and develop suitable products and services for you, credit assessments, behavior scoring, market research, surveys, and statistical studies are conducted. The data obtained from these activities is evaluated and analyzed accordingly.

article 5/1*

 

*These activities will be carried out with your explicit consent or upon your instruction.

  • Identity Information
  • Contact Information
  • Banking and Financial Data
  • Customer Transaction Details
  • Marketing Data

Your personal data is processed to tailor marketing messages and advertisements to your requests and needs, as well as to facilitate the tracking of advertising and marketing activities.

article 5/1*

 

*These activities will be carried out with your explicit consent or upon your instruction.

  • Transaction Security

Personal data is processed to enhance the development of the mobile application and website, as well as to improve user experiences.

article 5/2-f*

 

*Improving customers' experiences on the mobile app and website, and ensuring easier, faster, and error-free access to the application and site are among the legitimate interests of both the customers and the Bank.

  • Identity Information
  • Contact Information
  • Customer Transaction Details
  • Transaction Security Information

 

In the event of internet access, traffic information and logs must be maintained in accordance with Law No. 5651 on the Regulation of Publications Made on the Internet and the Fight Against Crimes Committed Through These Publications. Additionally, it is required to record and monitor communications and transactions.

article 5/2-a

article 5/2-ç

 

  • Identity Information
  • Contact Information
  • Banking and Financial Data
  • Customer Transaction Details
  • Visual and Auditory Records
  • Transaction Security Information
  • Legal Proceedings and Compliance Information

Pursuant to Article 42 of Law No. 5411 on Banking and Article 17 of the Regulation on Accounting Practices of Banks and Document Retention Procedures, it is legally mandatory for the Bank to retain your information and documents for a period of ten years.
In this context, all records and documents serving as the basis for transactions must be organized and preserved in either electronic form (such as SWIFT, internet/mobile banking, head office units, branches, kiosks, ATMs, online banking, call centers, and other similar channels) or in paper format.

article 5/2-a

article 5/2-ç

 

  • Identity Information
  • Contact Information
  • Banking and Financial Data
  • Customer Transaction Details
  • Transaction Security Information
  • Risk Management

 

Pursuant to Article 73/4 of the Banking Law, necessary actions are taken in the preparation of consolidated financial statements by the parent companies and in the planning or execution of relationships with the parent company, as well as in risk management and assessment activities. These activities are conducted in accordance with the framework outlined in the Banking Law and relevant regulations, including the management of risks, audits, operational services carried out in conjunction with subsidiaries, and the provision of support services granted under the Banking Regulation and Supervision Agency's (BRSA) operational expansion permit.

article 5/2-a

article 5/2-c

article 5/2-ç

 

  • Identity Information
  • Contact Information
  • Banking and Financial Data
  • Customer Transaction Details
  • Transaction Security Information
  • Risk Management

 

In line with Article 73/4 of the Banking Law, necessary processes are implemented for valuation studies conducted by potential buyers aiming to sell shares that represent ten percent or more of the capital, either directly or indirectly. This encompasses valuation efforts related to the sale of assets, including loans, as well as securities derived from these assets.

article 5/2-a

article 5/2-ç

 

  • Identity Information
  • Banking and Financial Data
  • Customer Transaction Details
  • Risk Management

 

According to Article 73/4 of the Banking Law, necessary procedures are undertaken for valuation, rating, and independent auditing activities.

article 5/2-a

article 5/2-ç

 

  • Identity Information
  • Contact Information
  • Banking and Financial Data
  • Customer Transaction Details
  • Transaction Security Information
  • Risk Management

 

Even if you are not a customer, procedures are in place to determine the risk group to which you belong, establish credit limits for that group, and ensure these limits are monitored, reported, and controlled, in accordance with banking regulations.

article 5/2-a

article 5/2-ç

article 5/2-f*

 

*Protection of the Bank is among our legitimate interests.

  • Identity Information
  • Contact Information
  • Location Information
  • Customer Transaction Details
  • Visual and Auditory Records
  • Transaction Security Information

 

Upon request, we take the necessary steps to inform you of the nearest branches and ATMs through our website or applications, provide weather updates for your location, and implement innovative technologies such as video calls with customer representatives or voice-activated virtual assistants (chatbots) to address your inquiries and assist with your transactions.

article 5/2-c

article 5/2-e

article 5/2-f*

 

*Moreover, enhancing and refining our products and services to meet customer needs and sustain our competitive edge are integral to our legitimate interests.

 

  • Identity Information
  • Contact Information
  • Banking and Financial Data
  • Customer Transaction Details
  • Marketing Data
  • Legal Proceedings and Compliance Information
  • Transaction Security Information

 

*Your personal data is processed to communicate with you through mail, phone, SMS, email, ATMs, and other digital methods. The purposes of this processing include:

 

·        Assisting you in managing your accounts and obtaining your approvals for instructions and documents,

·        Fulfilling the Bank's legal obligations,

·        Providing you with account summaries and other information related to your account or our relationship,

·        Informing you about products and services held at the Bank and sending information about products, services, and offers that may interest you.

article 5/1*

 

*You will be informed about products and services only with your explicit consent.

 

article 5/2-a

article 5/2-c

article 5/2-ç

article 5/2-f*

 

*Sharing information with you regarding products and services that may be relevant or beneficial to you is among the legitimate interests of the Bank.

  • Identity Information
  • Contact Information
  • Banking and Financial Data
  • Customer Transaction Details
  • Risk Management
  • Transaction Security Information
  • Physical Space Security Information
  • Legal Proceedings and Compliance Information
  • Risk Management
  • Visual and Auditory Records

Personal data is processed to carry out the infrastructure, maintenance, repair, analysis, and development processes of the Bank's systems; to conduct user testing processes, report the tests, and ensure the operational security of the Bank.

article 5/2-ç

article 5/2-f*

 

*The accurate, current, and complete operation of the Bank’s systems is essential to our legitimate interests.

  • Identity Information
  • Contact Information
  • Banking and Financial Data
  • Customer Transaction Details
  • Legal Proceedings and Compliance Information
  • Transaction Security Information

In accordance with Article 5 of the Regulation on Compliance Programs for the Prevention of Money Laundering and Financing of Terrorism, AHL Holding processes your personal data to implement the compliance program on a group basis and to share customer, account, and transaction information within the group.

article 5/2-a

article 5/2-ç

article 5/2-f*

 

*The verification of your identity falls within our legitimate interests to detect, prevent, and investigate fraud, money laundering, and the financing of terrorism, as well as other criminal activities, all aimed at protecting our bank.

  • Identity Information
  • Contact Information
  • Banking and Financial Data
  • Customer Transaction Details
  • Visual and Auditory Records
  • Transaction Security Information
  • Legal Proceedings and Compliance Information
  • Physical Space Security Information
  • Risk Management

Your personal data is also processed for the purpose of sharing with the Turkish tax authorities or other relevant tax authorities, the Turkish Banking Association Risk Center, companies established by at least five banks or financial institutions, fraud prevention agencies, and regulatory authorities in Türkiye.

article 5/2-a

article 5/2-ç

article 5/2-f*

 

*We prioritize responsible commercial decision-making to aid in the prevention and detection of fraud and other criminal activities, ensuring compliance with both national and international regulations.

  • Identity Information
  • Contact Information
  • Banking and Financial Data
  • Customer Transaction Details
  • Transaction Security Information

Your personal data is processed to effectively manage, plan, and execute relationships and processes with support service providers, external service providers, business partners, and suppliers.

article 5/2-c

article 5/2-f*

 

*Furthermore, engaging third-party organizations or companies to deliver certain services on behalf of the Bank is an integral part of our commitment to these legitimate interests.

  • Identity Information
  • Contact Information
  • Location Information
  • Banking and Financial Data
  • Customer Transaction Details
  • Visual and Auditory Records
  • Transaction Security Information
  • Legal Proceedings and Compliance Information
  • Physical Space Security Information
  • Risk Management

Your personal data is processed to support various functions within the Bank, including internal systems, information technology, operations, auditing, internal controls, risk monitoring, risk management, ethical practices, and financial risk processes.

 

article 5/2-a

article 5/2-ç

 

  • Identity Information
  • Contact Information
  • Banking and Financial Data
  • Customer Transaction Details
  • Risk Management

If you are a representative or proxy for a natural person or any customer conducting a transaction, your data will be processed to ensure the transaction is completed effectively.

article 5/2-a

article 5/2-c

article 5/2-ç

 

  • Identity Information
  • Contact Information
  • Banking and Financial Data
  • Customer Transaction Details
  • Risk Management
  • Physical Space Security Information

 

Additionally, when a commercial customer requests a loan or investment product, we will process personal data related to the credit history, creditworthiness, and other pertinent information about the individual owner, partner, and manager of that commercial entity to properly evaluate the request.

article 5/2-a

article 5/2-c

article 5/2-ç

article 5/2-f*

 

*Ensuring the protection of the Bank's assets and maintaining cautious operations align with the Bank's legitimate interests.

  • Identity Information
  • Contact Information
  • Banking and Financial Data
  • Customer Transaction Details
  • Transaction Security Information
  • Legal Proceedings and Compliance Information

Personal data is processed to carry out credit and collateral assessments, conduct intelligence and information research, and manage processes related to credit sales, allocation, disbursement, monitoring, and follow-up.

article 5/2-a

article 5/2-c

article 5/2-ç

article 5/2-f*

 

*Ensuring the protection of the Bank's assets and maintaining cautious operations align with the Bank's legitimate interests.

5. Individuals In The Risk Group

Under the Banking legislation, irrespective of whether you are a customer of our bank, your personal data may be processed in the event that you are in the same risk group with the customer of our Bank, within the framework of credit evaluations and following the Banking legislation, to determine, identify, monitor, monitor, report the risk group and control the loans extended to the risk group.

The term “Risk Group” (Banking Law Article 49); refers to you, your spouse, children, parents, or legal entities where you, your spouse, children, or parents serve as board members or general managers, exercise control, hold shares, and individuals for whom you provide surety, guarantee, or similar commitments, to the extent that the financial instability of one may lead to the insolvency of others within the defined relationships. The principles regarding the determination of the Risk Group can be updated within the framework of the Banking Legislation.

In addition to these, other real and legal persons to be included in the risk group are determined by the Banking Regulation and Supervision Agency.

In this context, even if you are not a customer of ours, the Bank may process your personal data under Articles 5/2-a, 5/2-c, and 5/2-f of the Personal Data Protection Law (PDPL) for the purpose of determining the credit limits that may be extended to a risk group. This includes identifying the risk group to which you belong, as well as monitoring, reporting, and controlling the credit limits to be granted, in accordance with the Banking Law No. 5411 and related regulations.

6. Transfer of Personal Data

7. Rights Regarding The Protection of Personal Data

In accordance with Article 11 of the Personal Data Protection Law (PDPL), you have the following rights concerning your personal data:

  • We inform you that you have the rights; to learn whether your personal data are processed or not,
  • If your personal data are processed to request information about this,
  • To learn the purpose of processing of your data and whether this data is used for intended purposes,
  • To know the third parties to whom your personal data is transferred at home or abroad,
  • To request correction of your personal data in case of incomplete or incorrect processing and to request the notification of the transactions made within this scope to third persons to whom your personal data are transferred,
  • To request the deletion or destruction of your personal data in the event that the reasons requiring their processing are eliminated, and to request the notification of the transactions made within this scope to third persons to whom your personal data are transferred, although it was processed in accordance with the provisions of the Law No.6698 and other relevant laws,
  • To object if you believe that a result against you has emerged solely through the analysis of your processed data by automated systems,
  • To request compensation for any damages incurred due to the unlawful processing of your personal data.

In accordance with the Personal Data Protection Law No. 6698, you can exercise your rights regarding your personal data by sending your requests to the communication addresses provided above (Data Controller) or by using any other method specified in the Communiqué on Application Procedures and Principles to the Data Controller.

The application must include:

  • Your name, surname and if your application is in writing your signature,
  • If you are a citizen of the Republic of Türkiye your T.R. Identification number, if you are a foreign citizen, your nationality, passport number or identification number if any,
  • Your residential or workplace address for notification,
  • If applicable, please include your electronic mail address, phone number, fax number, and the subject of your request.

Your request will be processed free of charge as soon as possible and within a maximum of thirty (30) days. If your request requires additional costs, a fee may be charged according to the tariff determined by the Board.

8. Duration of Personal Data Processing and Storage

Pursuant to Article 42 of Banking Law No. 5411 and Article 17 of the Regulation on Accounting Practices for Banks and Document Retention Procedures, the Bank is legally required to keep your information and documents for a minimum of ten (10) years. Additionally, relevant legislation may prescribe different retention periods.

Upon the expiration of the maximum duration outlined in the Bank's Personal Data Protection Policy, your personal data will be promptly deleted, destroyed, or anonymized using the methods specified by the Bank.

9. Data Security and Right to Appeal

Dünya Katılım Bankası A.Ş. places great importance on the confidentiality and security of personal data. In this respect, technical and administrative security measures are taken to protect personal data against unauthorized access, damage, loss or disclosure. Required systematic access controls, data access controls, secure transfer protocols, business continuity measures, and other essential corporate controls are enforced.

The measures that data controllers can implement to prevent the unlawful processing of personal data, to avert unauthorized access to personal data, and to ensure the lawful retention of personal data are outlined below. When determining these technical and administrative measures, the nature of the personal data and the environment in which it is stored are taken into consideration.

Technical Measures

Administrative Measures

Authorization Matrix

Preparation of Personal Data Processing Inventory

Authorization Control

Corporate Policies (including Access, Information Security, Usage, Storage, and Destruction)

Access logs

Contracts (between Data Controllers, and between Data Controller and Data Processor)

User Account Management

Confidentiality Commitments

Network Security

Internal Periodic and/or Random Audits

Application Security

Risk Analyses

Encryption

Employment Contracts and Disciplinary Regulations (incorporating lawful provisions)

Infiltration Test

Corporate Communication (including Crisis Management, Processes for Informing Boards and Relevant Persons, Reputation Management, etc.)

Intrusion Detection and Prevention Systems

 

Training and Awareness Activities (focused on Information Security and Legal Compliance)

Log Records

 

Data Masking

 

Data Loss Prevention Software

 

Back-up

 

Firewalls

 

Updated Anti-virus Systems

 

Deletion, Destruction, or Anonymization

 

Key Management