Personal Data Processing Clarification Text
PURPOSE AND SCOPE OF THE CLARIFICATION TEXT
As Dünya Katılım Bankası A.Ş., we respect the security of your personal data and your right of privacy, and prioritize protection of your data and privacy. In this respect, we would like to present you this clarification text aimed at informing you about your rights on the use and protection of your personal data within the scope of the Personal Data Protection Law No. 6698 (“PDPL” / ”The Law”), as well as processing, transferring, storage and destruction of your data shared with us throughout the process of provision of Dünya Katılım Bankası A.Ş. services.
As explained in this clarification text, your personal data and sensitive personal data may be recorded, archived, updated, transferred, classified, and processed in the ways specified in the applicable legislation and in accordance with the provisions of the Personal Data Protection Law (PDPL).
This clarification text has been prepared for the attention of the relevant individuals whose personal data is being processed (“Data Subjects”). The term "Data Subject" should be understood as follows:
- Current and potential customers (“Customers”): Some sections of this Clarification Text are specifically aimed at customers who hold certain accounts or products with the Bank. These specific cases are clearly stated within the Clarification Text.
- Non-customer individuals: This refers to persons conducting any transactions with the Bank, whether or not they have an account; those involved in any collateral transactions in favor of the Bank, or who will be involved in such transactions (e.g., guarantors, sureties, pledge/assignment debtors, endorsers, spouses in cases where consent is legally required); individuals visiting the Bank's website, headquarters, or branches; shareholders, ultimate beneficiaries, board members, or representatives/proxies of any company that is a customer; and persons engaged in any other transactions with the Bank or its customers.
1. Data Controller and Data Processor
|
DESIGNATION |
DÜNYA KATILIM BANKASI A.Ş. |
|
ADDRESS |
Yamanevler Mahallesi Ahmet Tevfik İleri Caddesi No: 1/3 Ümraniye/İSTANBUL |
|
CONTACT DETAILS |
444 3 166 / bilgi@dunyakatilim.com.tr |
|
CRS / REGISTRY NO |
0007-0015-4810-0028 / 206564-0 |
|
REM ADDRESS |
dunyakatilim@hs01.kep.tr
|
|
VERBİS |
2. Categories of Personal Data
|
Identity Information |
Name, surname, Turkish identification number (TRIN), foreign identification number, blue card number, tax identification number, passport number, driver's license, place of birth, date of birth, gender, marital status, spouse/child information, citizenship status, nationality information, criminal record, and other information obtained from the Identity Sharing System (KPS). |
|
Contact Information |
Contact information such as address, email, registered electronic mail (KEP) address, landline phone, and fax number. |
|
Location Information |
Information such as the location of the place where the individual is present. |
|
Legal Proceedings and Compliance Information |
Personal data processed within the scope of determining, tracking the Bank’s legal receivables and rights, fulfilling its debts, legal obligations, and ensuring compliance with the Bank’s policies. For example: records of the Central Bank of Türkiye (CBRT), etc. |
|
Customer Transaction Details |
Personal data obtained and generated about the individual within the framework of the customer relationship. For example: credit information, account movements, participation fund account information, credit card limits and balance information, promissory note/check information, counter receipts, etc. |
|
Physical Space Security Information |
Information such as entry and exit records to physical spaces, camera recordings, etc. |
|
Transaction Security Information |
Information such as customer details required for accessing electronic banking channels, IP addresses, passwords and codes, security applications used on these channels, and location data processed for fulfilling legal obligations, as well as biometric data processed based on the individual’s consent. |
|
Risk Management |
Personal data processed within the scope of the Bank's commercial, technical, and administrative risk management activities. For example: records from the Risk Center of the Banks Association, credit risk score, credit and risk information, etc. |
|
Banking and Financial Data |
Financial data of any kind related to pricing produced by the Bank, credit card numbers, account numbers, IBAN, collection and payment activities, salary information, asset-income details (real estate and vehicles), maturity information, information about related persons, asset information (vehicles and real estate), shareholding (and rights) and investment information, etc. |
|
Educational and Professional Experience |
Information such as profession, title, work details, education level, etc. |
|
Marketing Data |
Information such as cookie records, pages viewed via bank applications, shopping history, information obtained from surveys, campaign activities, etc. |
|
Visual and Auditory Records |
Visual and audio data, primarily call center voice recordings, camera recordings, photographs, etc. |
|
Sensitive Personal Data |
Information such as blood type (due to its inclusion on the identity card) and gender obtained with the explicit consent of the data subject or as required by law; health information in cases where financing is provided for health expenditures; membership details for associations/foundations regarding products aimed at supporters or members of associations/foundations, etc. |
|
Criminal Convictions and Security Measures |
Information related to criminal convictions, security measures, criminal record, records from the Central Bank of Türkiye (CBRT) regarding restrictions on issuing or opening check accounts, judicial decisions, etc. |
3. Methods of Obtaining Personal Data
Your personal data may be collected through verbal, written, or visual means, and in electronic environments via automated or non-automated methods through the following channels:
- Obtaining Personal Data from the Data Subject
1.1 Through Semi-Automated Methods
Your personal data, categorized under Identity Information, Contact Information, Legal Proceedings and Compliance Information, Customer Transaction Information, Physical Premises Security Information, Risk Management, Banking and Financial Data, Education and Professional Experience Information, Marketing Data, and Visual and Audio Recordings, is obtained from you under the following circumstances:
- When applying for the products and/or services offered by the Bank,
- When utilizing accounts held with the Bank,
- When visiting the General Directorate units or branches and utilizing kiosks or phone services (e.g., CCTV recordings are captured in physical locations for security purposes),
- When carrying out transactions such as collections or payments through the Bank’s branches or channels,
- When engaging in verbal and/or written communication with the Bank through any communication channel (e.g., via KEP, electronic notifications, mail, fax, social media methods, etc.),
- Personal data categorized under Health Information is obtained when applying for an insurance product.
1.2. Through Automated Methods
Transaction Security Data and Location Information are obtained under the following circumstances:
- When downloading any of the Bank's mobile applications, or using kiosks, ATMs, websites, or digital services,
- Transaction Security Data is collected to obtain information such as the type of device used, type of operating system, connected IP address, login and logout details for internet banking, password and code information, as well as how access to and use of these services is performed,
- Location Information is collected when using the Bank’s digital platforms such as internet banking, to provide services like weather conditions at your location and the nearest ATM,
- In accordance with Regulation No. 31441, sensitive personal data is collected when a request is made to become a new customer through remote identity verification or when a request is made to conduct transactions via remote identity verification through the mobile application.
- Obtaining Personal Data from Third Parties
2.1. Personal data categorized under Identity Information, Contact Information, Legal Transaction and Compliance Information, Customer Transaction Information, Risk Management, Banking and Financial Data, Marketing Data, Visual and Audio Records, Criminal Conviction, and Security Measures are collected through automated methods from the following institutions, organizations, and/or individuals:
- Companies established by the Risk Center of the Banks Association of Türkiye or by at least five banks or financial institutions, as well as institutions combating the laundering of proceeds of crime, the financing of terrorism, corruption, bribery, and fraud, along with public or private institutions providing information from official and private databases [e.g., the Identity Sharing System (KPS), Address Sharing System, Central Registration System, National Judiciary Informatics System (UYAP), Revenue Administration (GİB), records from the Trade Registry Offices, Land Registry and Cadastre Information System, Credit Bureau (KKB), Interbank Card Center (BKM), SWIFT KYC, Participation Banks Association of Türkiye (TKBB), Banks Association of Türkiye (TBB), MEKS, etc.],
- Hardware or software service providers contracted to improve the obtained personal data and to enhance the quality of marketing activities directed at the data subject,
- Member merchants and POS terminals,
- The Central Bank of the Republic of Türkiye (TCMB), the Ministry of Treasury and Finance, General Directorate of Highways, PTT, institutions authorized to issue invoices, and persons or organizations involved in payment/collection processes,
- Institutions and organizations facilitating international money transfers, such as SWIFT,
- Parties providing ancillary services supporting the Bank's operations, such as fax, mail, courier, or cargo services, as well as contracted entities, support services, external service providers, and dealerships and sales offices,
- Other banks and financial institutions (e.g., when accounts held at other banks or financial institutions are displayed on the Bank’s platforms, or when information is obtained to investigate incorrect payments),
- Publicly available sources such as news media, online records, or directories from any social platform.
2.2. Personal data categorized under Identity Information, Contact Information, Legal Transaction and Compliance Information, Customer Transaction Information, Risk Management, Banking and Financial Data, Education and Professional Experience Information are collected through non-automated methods from the following institutions, organizations, and/or individuals:
- Unions and associations such as chambers of commerce and trade associations,
- Joint account holders,
- Persons appointed or selected to act on your behalf (e.g., guardian, custodian, representative, attorney, etc.),
- Businesses owned or associated with the data subject, such as investment companies, partnerships, or business partners, as well as the managers, directors, partners, trustees, officials, or attorneys of such businesses,
- Employers,
- Social Security Institution (SGK),
- Judicial and administrative authorities,
- Companies/partnerships operating under brokerage and agency capacities.
- When personal data belonging to third parties is provided to the Bank, or when the personal data of these individuals is requested to be shared by the Bank with third parties, it is confirmed that these individuals have been informed regarding this Clarification Text in the context of the relevant activities.
4. Purposes and Legal Reasons For Processing Your Personal Data
In accordance with Article 5 of the Law No. 6698 on the Protection of Personal Data, personal data cannot, as a rule, be processed without explicit consent. However, in certain circumstances outlined in the Law, personal data may be processed without the need for explicit consent:
- Article 5/2-a: If it is expressly provided for by law.
- Article 5/2-b: When it is inevitable to protect the life or bodily integrity of a person or someone else who is unable to give consent due to actual impossibility or whose consent is legally not valid.
- Article 5/2-c: When it is necessary to process of personal data of the parties of a contract, provided that it is related directly to establishment or execution of the contract.
- Article 5/2-ç:The fact that it is mandatory for the data controller to fulfill his/her legal obligation.
- Article 5/2-d: If the data has been made public by the data subject themselves.
- Article 5/2-e: When it is compulsory to process the data in order to establish, use or protect a right.
- Article 5/2-f:When it is compulsory to process the data for the data responsible for his/her legitimate interests, provided that not harming fundamental rights and freedoms of the relevant person.
|
Personal Data Category |
Purpose of Data Processing |
Legal Reason |
|
Personal data is processed for the purposes of providing banking services, capital market transactions, investment products, cash management services, foreign trade services, financing (credit) services, intermediary services, insurance, and other agency services, as well as for carrying out activities listed under Article 4 of the Banking Law No. 5411. This data is utilized to deliver banking and financial services, improve products and services, enhance customer satisfaction, manage and optimize operational processes, and conduct financial reporting and risk management activities in compliance with legal regulations. |
article 5/2-a article 5/2-c article 5/2-ç article 5/2-f*
*Enhancing the quality of service provided to the customer, as well as protecting the Bank’s commercial interests and those of the customer, falls within the scope of legitimate interest. |
|
Your personal data is processed to manage customer relationships, improve your satisfaction, and address complaints, objections, requests, and suggestions. It is also used to record necessary information for tracking and managing legal processes and to meet legal obligations. |
article 5/2-ç article 5/2-e article 5/2-f*
*Reviewing complaints to enhance service quality for customers is considered a legitimate interest. |
|
Your personal data is processed to verify the instructions you provide, analyze and assess our services, and for training and quality improvement purposes. Within this scope, all forms of communication with you, including phone calls, may be monitored or recorded. |
article 5/2-ç article 5/2-f*
*Verifying customer instructions, preventing and detecting fraud and other crimes, and enhancing services are considered legitimate interests. |
|
Your personal data is processed in compliance with regulations concerning the Prevention of Money Laundering and the Financing of Terrorism, as well as the prevention of the proliferation of weapons of mass destruction. This processing involves checking national and international lists, conducting identity verification, fulfilling customer identification obligations, verifying identities and addresses, recording details related to occupation, profession, income status, and the purpose of transactions, as well as managing compliance processes as required by applicable foreign legislation. |
article 5/2-a article 5/2-c article 5/2-ç article 5/2-f*
*The verification of your identity falls within our legitimate interests to detect, prevent, and investigate fraud, money laundering, and the financing of terrorism, as well as other criminal activities, all aimed at protecting our bank. |
|
Your personal data will be processed to define and deliver products and services related to banking, insurance, retirement, finance, and investment, as well as those provided in collaboration with companies within AHL Holding or associated organizations. This processing includes communication, offering proposals, and conducting promotional, marketing, cross-selling, and campaign activities. Furthermore, your data will be utilized to design tailored marketing and promotional activities specifically catered to your preferences. |
article 5/1*
*These activities will be carried out with your explicit consent or upon your instruction. |
|
Your personal data is processed to deliver services related to insurance, investment, and financial products for which the Bank acts as an agent, as well as to execute transactions concerning the insurance products in which the Bank has a lien or creditor status. |
article 5/2-c article 5/2-ç article 5/2-f*
*Offering you these products and obtaining price quotes is part of the Bank's legitimate interests. Your health data will be processed with your explicit consent, as outlined in Article 6(3)(a). |
|
Furthermore, your personal data will be utilized to determine service and product priorities and to identify service points. |
article 5/2-f*
*Providing high-quality services to customers aligns with the Bank's legitimate interests. |
|
Your personal data is processed for the purposes of debt collection, exercising legitimate rights, and protecting property rights and interests in accordance with any contract concluded with the Bank. |
article 5/2-a article 5/2-c article 5/2-ç article 5/2-f*
*The collection of debts and the protection of assets fall within the legitimate interests of the Bank. |
|
Your personal data is processed to respond to your requests for initiating payments and account information services related to your accounts with other Payment Service Providers, as well as to facilitate these services for your existing accounts at the Bank, should third-party providers request the necessary information. When account transaction details—such as money transfers, checks, or bill payments—are requested by our account-holding customers or authorized intermediary institutions, your relevant data (e.g., TRIN/TIN) will be shared with the requesting party. |
article 5/2-c article 5/2-ç
|
|
The security of the Bank's systems and operations, as well as the safety of bank branches, ATMs, and other facilities, may involve video and/or audio recordings through a closed-circuit camera system to ensure the integrity of information security processes and to prevent and detect fraud, money laundering, financing of terrorism, and other crimes (such as identity theft). |
article 5/2-a article 5/2-ç article 5/2-f*
*Verifying your identity to prevent and investigate fraud, money laundering, financing of terrorism, and other offenses, as well as to protect the institution and comply with applicable regulations, is among our legitimate interests. |
|
Your personal data may be processed for the following purposes: · To ensure compliance with the legislation applicable to the Bank and to collaborate with regulatory authorities and law enforcement agencies, including fulfilling obligations arising from laws such as the Banking Law, the Law on Banking Cards and Credit Cards, Payment and Securities Settlement Systems, the Law on Payment Services and Electronic Money Institutions, as well as compliance with regulations regarding the prevention of money laundering and the financing of terrorism, both domestically and internationally; · To utilize the system ("İYS") that facilitates obtaining consent for commercial electronic communications in accordance with Law No. 6563 on the Regulation of Electronic Commerce and the associated Regulation on Commercial Communication and Commercial Electronic Messages, which also allows for the exercise of the right to refuse and manage complaint processes; · To comply with the data retention, reporting, and notification obligations mandated by authorities such as the Banking Regulation and Supervision Agency, the Capital Markets Board, the Central Bank of the Republic of Türkiye, Financial Crimes Investigation Board (MASAK), the Banks Association of Türkiye, KOSGEB, the Revenue Administration, the Ministry of Treasury and Finance, the Social Security Institution, the Central Securities Depository (CSD), the Credit Register Bureau, Risk Center, and other relevant authorities, as well as to fulfill identity and access obligations outlined in the Regulation on Information Systems and Electronic Banking Services. |
article 5/2-a article 5/2-ç article 5/2-f*
*Protection of the Bank is among our legitimate interests. |
|
To identify and develop suitable products and services for you, credit assessments, behavior scoring, market research, surveys, and statistical studies are conducted. The data obtained from these activities is evaluated and analyzed accordingly. |
article 5/1*
*These activities will be carried out with your explicit consent or upon your instruction. |
|
Your personal data is processed to tailor marketing messages and advertisements to your requests and needs, as well as to facilitate the tracking of advertising and marketing activities. |
article 5/1*
*These activities will be carried out with your explicit consent or upon your instruction. |
|
Personal data is processed to enhance the development of the mobile application and website, as well as to improve user experiences. |
article 5/2-f*
*Improving customers' experiences on the mobile app and website, and ensuring easier, faster, and error-free access to the application and site are among the legitimate interests of both the customers and the Bank. |
|
In the event of internet access, traffic information and logs must be maintained in accordance with Law No. 5651 on the Regulation of Publications Made on the Internet and the Fight Against Crimes Committed Through These Publications. Additionally, it is required to record and monitor communications and transactions. |
article 5/2-a article 5/2-ç
|
|
Pursuant to Article 42 of Law No. 5411 on Banking and Article 17 of the Regulation on Accounting Practices of Banks and Document Retention Procedures, it is legally mandatory for the Bank to retain your information and documents for a period of ten years. |
article 5/2-a article 5/2-ç
|
|
Pursuant to Article 73/4 of the Banking Law, necessary actions are taken in the preparation of consolidated financial statements by the parent companies and in the planning or execution of relationships with the parent company, as well as in risk management and assessment activities. These activities are conducted in accordance with the framework outlined in the Banking Law and relevant regulations, including the management of risks, audits, operational services carried out in conjunction with subsidiaries, and the provision of support services granted under the Banking Regulation and Supervision Agency's (BRSA) operational expansion permit. |
article 5/2-a article 5/2-c article 5/2-ç
|
|
In line with Article 73/4 of the Banking Law, necessary processes are implemented for valuation studies conducted by potential buyers aiming to sell shares that represent ten percent or more of the capital, either directly or indirectly. This encompasses valuation efforts related to the sale of assets, including loans, as well as securities derived from these assets. |
article 5/2-a article 5/2-ç
|
|
According to Article 73/4 of the Banking Law, necessary procedures are undertaken for valuation, rating, and independent auditing activities. |
article 5/2-a article 5/2-ç
|
|
Even if you are not a customer, procedures are in place to determine the risk group to which you belong, establish credit limits for that group, and ensure these limits are monitored, reported, and controlled, in accordance with banking regulations. |
article 5/2-a article 5/2-ç article 5/2-f*
*Protection of the Bank is among our legitimate interests. |
|
Upon request, we take the necessary steps to inform you of the nearest branches and ATMs through our website or applications, provide weather updates for your location, and implement innovative technologies such as video calls with customer representatives or voice-activated virtual assistants (chatbots) to address your inquiries and assist with your transactions. |
article 5/2-c article 5/2-e article 5/2-f*
*Moreover, enhancing and refining our products and services to meet customer needs and sustain our competitive edge are integral to our legitimate interests.
|
|
*Your personal data is processed to communicate with you through mail, phone, SMS, email, ATMs, and other digital methods. The purposes of this processing include:
· Assisting you in managing your accounts and obtaining your approvals for instructions and documents, · Fulfilling the Bank's legal obligations, · Providing you with account summaries and other information related to your account or our relationship, · Informing you about products and services held at the Bank and sending information about products, services, and offers that may interest you. |
article 5/1*
*You will be informed about products and services only with your explicit consent.
article 5/2-a article 5/2-c article 5/2-ç article 5/2-f*
*Sharing information with you regarding products and services that may be relevant or beneficial to you is among the legitimate interests of the Bank. |
|
Personal data is processed to carry out the infrastructure, maintenance, repair, analysis, and development processes of the Bank's systems; to conduct user testing processes, report the tests, and ensure the operational security of the Bank. |
article 5/2-ç article 5/2-f*
*The accurate, current, and complete operation of the Bank’s systems is essential to our legitimate interests. |
|
In accordance with Article 5 of the Regulation on Compliance Programs for the Prevention of Money Laundering and Financing of Terrorism, AHL Holding processes your personal data to implement the compliance program on a group basis and to share customer, account, and transaction information within the group. |
article 5/2-a article 5/2-ç article 5/2-f*
*The verification of your identity falls within our legitimate interests to detect, prevent, and investigate fraud, money laundering, and the financing of terrorism, as well as other criminal activities, all aimed at protecting our bank. |
|
Your personal data is also processed for the purpose of sharing with the Turkish tax authorities or other relevant tax authorities, the Turkish Banking Association Risk Center, companies established by at least five banks or financial institutions, fraud prevention agencies, and regulatory authorities in Türkiye. |
article 5/2-a article 5/2-ç article 5/2-f*
*We prioritize responsible commercial decision-making to aid in the prevention and detection of fraud and other criminal activities, ensuring compliance with both national and international regulations. |
|
Your personal data is processed to effectively manage, plan, and execute relationships and processes with support service providers, external service providers, business partners, and suppliers. |
article 5/2-c article 5/2-f*
*Furthermore, engaging third-party organizations or companies to deliver certain services on behalf of the Bank is an integral part of our commitment to these legitimate interests. |
|
Your personal data is processed to support various functions within the Bank, including internal systems, information technology, operations, auditing, internal controls, risk monitoring, risk management, ethical practices, and financial risk processes.
|
article 5/2-a article 5/2-ç
|
|
If you are a representative or proxy for a natural person or any customer conducting a transaction, your data will be processed to ensure the transaction is completed effectively. |
article 5/2-a article 5/2-c article 5/2-ç
|
|
Additionally, when a commercial customer requests a loan or investment product, we will process personal data related to the credit history, creditworthiness, and other pertinent information about the individual owner, partner, and manager of that commercial entity to properly evaluate the request. |
article 5/2-a article 5/2-c article 5/2-ç article 5/2-f*
*Ensuring the protection of the Bank's assets and maintaining cautious operations align with the Bank's legitimate interests. |
|
Personal data is processed to carry out credit and collateral assessments, conduct intelligence and information research, and manage processes related to credit sales, allocation, disbursement, monitoring, and follow-up. |
article 5/2-a article 5/2-c article 5/2-ç article 5/2-f*
*Ensuring the protection of the Bank's assets and maintaining cautious operations align with the Bank's legitimate interests. |
5. Individuals In The Risk Group
Under the Banking legislation, irrespective of whether you are a customer of our bank, your personal data may be processed in the event that you are in the same risk group with the customer of our Bank, within the framework of credit evaluations and following the Banking legislation, to determine, identify, monitor, monitor, report the risk group and control the loans extended to the risk group.
The term “Risk Group” (Banking Law Article 49); refers to you, your spouse, children, parents, or legal entities where you, your spouse, children, or parents serve as board members or general managers, exercise control, hold shares, and individuals for whom you provide surety, guarantee, or similar commitments, to the extent that the financial instability of one may lead to the insolvency of others within the defined relationships. The principles regarding the determination of the Risk Group can be updated within the framework of the Banking Legislation.
In addition to these, other real and legal persons to be included in the risk group are determined by the Banking Regulation and Supervision Agency.
In this context, even if you are not a customer of ours, the Bank may process your personal data under Articles 5/2-a, 5/2-c, and 5/2-f of the Personal Data Protection Law (PDPL) for the purpose of determining the credit limits that may be extended to a risk group. This includes identifying the risk group to which you belong, as well as monitoring, reporting, and controlling the credit limits to be granted, in accordance with the Banking Law No. 5411 and related regulations.
6. Transfer of Personal Data
Your personal data may be shared with entities and individuals within the group of companies associated with Dünya Katılım Bankası A.Ş., as well as with our domestic and international affiliates, including our major shareholders and their subsidiaries, employees, company officials, legal, financial, and tax advisors, and auditors. This sharing may occur for purposes such as the preparation of consolidated financial statements, risk management and assessment activities, and internal audit practices as stipulated in Article 73 of the Banking Law. Additionally, it may involve the implementation of compliance programs as required by Article 5 of the Regulation on the Compliance Program Regarding the Prevention of Money Laundering and the Financing of Terrorism, which includes sharing customer identification, account, and transaction information within the group. The transfer of your personal data will be conducted in accordance with the provisions outlined in Article 8 regarding the transfer of personal data and Article 9 concerning the transfer of personal data abroad as specified in the Personal Data Protection Law (PDPL).
You can access information about the titles, countries, and addresses related to Dünya Katılım Bankası A.Ş.'s domestic and international subsidiaries, major shareholders, holding companies, and affiliates through the following link: https://dunyakatilim.com.tr/en/about-us/about-d%C3%BCnya-kat%C4%B1l%C4%B1m/about-us
Payment Processing Service Providers and Other Institutions:
Your personal data may be shared with payment processing service providers and other institutions that assist us in processing your payments. This sharing may also include financial institutions involved in the payment process that are members of payment programs or required for specific types of payments. This is done to enable the provision of products and services you have obtained from the Bank. Examples of such institutions include international or domestic entities involved in card payment systems as defined in Law No. 6493 and related regulations, such as VISA, RIA, and Maestro.
Third Parties Making Payments:
If necessary, your information may be shared solely for the purpose of verifying that payments are made to the correct account with individuals who are making payments to your account.
Other Banks and Financial Institutions and Merchants:
Your personal data may also be shared with correspondent banks, banks located domestically or internationally, merchant workplaces, and financial institutions for all types of money transfers to domestic and foreign accounts. This includes electronic transfer messages related to transactions conducted through banks or using the SWIFT system, international and domestic trade transactions, secure financial transaction messages, payment and credit transactions worldwide, and the settlement of domestic and international collateral transactions.
Independent Third Party Service Providers:
Your personal data may be shared with independent third-party service providers you authorize to share information, such as those offering payment initiation or account information services.
- Please note that once your data is shared with these third parties, the Bank has no control over how they use this information.
Our Service Providers and Agents:
Your personal data may be shared with service providers that complement or extend the Bank's operations. This includes support service organizations, collaborating consultants, parties, suppliers, external service providers, cloud computing service providers, mobile service providers authorized by the Information and Communications Technologies Authority, lawyers, law firms, notaries, agents, company auditors, independent audit, rating, and valuation firms, as well as other professional consultants and partner organizations.
Other Institutions:
Your data may be shared with individuals and/or institutions for purposes such as the design, development, and maintenance of internet-based tools and applications; acquiring application or infrastructure services (such as cloud services); conducting marketing activities or events; managing customer communications; preparing reports and statistics; verifying and confirming the accuracy of your contact information; producing materials and designing products; placing advertisements on applications and websites; obtaining legal, auditing, or other specialized services; monitoring and executing legal processes; ensuring compliance with regulatory requirements; providing postal services through our agents; archiving physical records; conducting securitization transactions; and offering or acquiring intermediary collection services.
Support Service Organizations:
Support Service Organizations can be categorized into archiving services, information systems, operational services, call centers, marketing, and collection management. You can access these organizations through the Bank's annual activity reports.
Our Business Partners:
Your personal data may be shared with our business partners who provide services in collaboration with the Bank, including agents and brokers acting on behalf of the Bank or jointly offering products and services, such as insurance. This also includes sharing data with individuals, institutions, or organizations conducting brokerage or agency activities (e.g., hotel or airline partners, and those associated with credit or debit cards bearing the names or logos of our business partners). Additionally, your information may be shared with other service providers and agents serving on behalf of the Bank’s partners.
Insurance Providers:
Your data may be shared with insurance providers, loss adjusters, and other relevant third parties.
- In the event of an insurance claim, the information you provide to us or the insurer may be recorded in a claims register and shared with other insurers. .
Public Institutions and Organizations:
Your personal data may be shared with legally authorized entities such as the Banking Regulation and Supervision Agency (BDDK), the Capital Markets Board (SPK), the Central Bank of the Republic of Türkiye (CBRT), the Revenue Administration (GİB), the Financial Crimes Investigation Board (MASAK), the Credit Registry Agency (KKB), the Interbank Card Center (BKM), the Social Security Institution (SGK), the Financial Institutions Association, the TBB Risk Center, the Turkish Banking Association (TBB), and the Turkish Participation Banks Association (TKBB) for the purpose of fulfilling our legal obligations. Additionally, your information may be shared with legally authorized public or private institutions, including judicial authorities such as courts, law enforcement, public prosecutors, and arbitration/mediation bodies, as well as entities specified in Article 73 of the Banking Law.
Sale or Restructuring of Receivables:
In the event of any restructuring, sale, or acquisition involving entities or debts related to Dünya Katılım Bankası A.Ş., your personal data may be shared with third parties, potential buyers, and asset management companies. This is essential for conducting valuation studies associated with the sale of our receivables or shares.
Contract Terms and Authorized Individuals:
Your personal data may be shared with any party to whom we have assigned or delegated our rights and obligations under any contract with the Bank, as permitted by the relevant terms and conditions. This includes your authorized representatives, such as accountants, lawyers, and other professional advisors, as well as any other individuals you have designated as authorized to issue instructions on your behalf regarding account management, product utilization, and service access (for instance, through a power of attorney).
Prevention of Crimes and Statistical Research:
In connection with tasks such as crime prevention (either directly or through third parties like credit bureaus) or conducting social and economic statistical research, your data may be shared with domestic and international regulatory authorities, law enforcement agencies, and other authorized bodies. This shared information may include payment details, encompassing information related to other parties involved in the payment.
- It is important to emphasize that if you provide false or fraudulent information to the Bank, we are obliged to report this to institutions combating fraud. This enables various organizations, including law enforcement both domestically and internationally, to use this information to prevent and detect fraud or other criminal activities.
Risk Center and Financial Institutions:
For the purpose of managing risk management and monitoring activities, your personal data may be shared with the Risk Center or with companies established by at least five banks or financial institutions (such as the Interbank Card Center, Credit Bureau Inc., etc.).
System Integrations:
To fulfill customer identification obligations, your personal data may be shared through system integrations facilitated by public institutions, such as the Identity Sharing System and Address-Based Population Registration System. This is done to ensure accurate processing of your applications and to safeguard your security.
International Regulatory Authorities:
If you are a natural or legal person from the United States (U.S.) and/or the European Union (EU), or if you engage in transactions within U.S. and/or EU markets, or are subject to U.S. and/or EU tax laws, or for any other legal requirements, your account number, identification information, address, business activities, and all other account-related, transactional, and personal data may be shared with and processed by U.S. regulatory authorities. This is in accordance with the Dodd-Frank Wall Street Reform and Consumer Protection Act, FATCA (Foreign Account Tax Compliance Act), ISDA (International Swaps and Derivatives Association), as well as the EMIR (European Market Infrastructure Regulation) and CRS (Common Reporting Standard) laws within the European Union. This information may be transmitted to relevant institutions, including the U.S. Internal Revenue Service (IRS) and the European Securities and Markets Authority (ESMA).
Additionally, laws or regulations may mandate that we share information related to your accounts directly with relevant tax authorities or via local tax authorities. The tax authority receiving this information may then share it with other appropriate tax authorities.
Donations and Foundations/Associations:
In the event that you make a donation, your data may be shared with relevant foundations and associations.
Explicit Consent/Instruction Status:
Your personal data may also be shared with other third parties in accordance with your explicit consent and/or instructions, as well as based on your requests.
Insured Individuals and Policyholders:
If you purchase an insurance product through another company within the World Participation Bank A.Ş. or the affiliated corporate group, your personal data may be shared with the relevant insurance companies.
- Details regarding how our insurance partners will utilize your data, including personal information you provide directly to them, can be found in the disclosure texts of the respective insurance companies.
Audit and Evaluation Authorities:
Your data may be shared with independent audit firms, rating agencies, and organizations possessing relevant expertise and information, both domestically and internationally. This sharing is intended to facilitate audit, rating, and credit restructuring processes, as well as to conduct assessments related to the financial status and feasibility of the restructuring.
Foreign Financial Institutions:
If the credit you obtain from the Bank is allocated to you through a foreign financial institution (such as the European Investment Bank, European Bank for Reconstruction and Development, GGF, EFSE, IFC, EIF, AFD, Proparco, AIIB, etc.) via the Bank, or if it is sourced from domestic financial institutions like Türkiye Kalkınma Bankası, Türk Eximbank, or Türkiye Sınai Kalkınma Bankası, which have secured funding from abroad and allocated these funds to you through the Bank as the intermediary financial institution; your personal data may be shared with those financial institutions and with third parties and entities that these institutions are obligated to inform. This sharing will support the execution of internal audits, internal controls, risk management, risk monitoring, credit disbursement, and credit restructuring activities.
7. Rights Regarding The Protection of Personal Data
In accordance with Article 11 of the Personal Data Protection Law (PDPL), you have the following rights concerning your personal data:
- We inform you that you have the rights; to learn whether your personal data are processed or not,
- If your personal data are processed to request information about this,
- To learn the purpose of processing of your data and whether this data is used for intended purposes,
- To know the third parties to whom your personal data is transferred at home or abroad,
- To request correction of your personal data in case of incomplete or incorrect processing and to request the notification of the transactions made within this scope to third persons to whom your personal data are transferred,
- To request the deletion or destruction of your personal data in the event that the reasons requiring their processing are eliminated, and to request the notification of the transactions made within this scope to third persons to whom your personal data are transferred, although it was processed in accordance with the provisions of the Law No.6698 and other relevant laws,
- To object if you believe that a result against you has emerged solely through the analysis of your processed data by automated systems,
- To request compensation for any damages incurred due to the unlawful processing of your personal data.
In accordance with the Personal Data Protection Law No. 6698, you can exercise your rights regarding your personal data by sending your requests to the communication addresses provided above (Data Controller) or by using any other method specified in the Communiqué on Application Procedures and Principles to the Data Controller.
The application must include:
- Your name, surname and if your application is in writing your signature,
- If you are a citizen of the Republic of Türkiye your T.R. Identification number, if you are a foreign citizen, your nationality, passport number or identification number if any,
- Your residential or workplace address for notification,
- If applicable, please include your electronic mail address, phone number, fax number, and the subject of your request.
Your request will be processed free of charge as soon as possible and within a maximum of thirty (30) days. If your request requires additional costs, a fee may be charged according to the tariff determined by the Board.
8. Duration of Personal Data Processing and Storage
Pursuant to Article 42 of Banking Law No. 5411 and Article 17 of the Regulation on Accounting Practices for Banks and Document Retention Procedures, the Bank is legally required to keep your information and documents for a minimum of ten (10) years. Additionally, relevant legislation may prescribe different retention periods.
Upon the expiration of the maximum duration outlined in the Bank's Personal Data Protection Policy, your personal data will be promptly deleted, destroyed, or anonymized using the methods specified by the Bank.
9. Data Security and Right to Appeal
Dünya Katılım Bankası A.Ş. places great importance on the confidentiality and security of personal data. In this respect, technical and administrative security measures are taken to protect personal data against unauthorized access, damage, loss or disclosure. Required systematic access controls, data access controls, secure transfer protocols, business continuity measures, and other essential corporate controls are enforced.
The measures that data controllers can implement to prevent the unlawful processing of personal data, to avert unauthorized access to personal data, and to ensure the lawful retention of personal data are outlined below. When determining these technical and administrative measures, the nature of the personal data and the environment in which it is stored are taken into consideration.
|
Technical Measures |
Administrative Measures |
|
Authorization Matrix |
Preparation of Personal Data Processing Inventory |
|
Authorization Control |
Corporate Policies (including Access, Information Security, Usage, Storage, and Destruction) |
|
Access logs |
Contracts (between Data Controllers, and between Data Controller and Data Processor) |
|
User Account Management |
Confidentiality Commitments |
|
Network Security |
Internal Periodic and/or Random Audits |
|
Application Security |
Risk Analyses |
|
Encryption |
Employment Contracts and Disciplinary Regulations (incorporating lawful provisions) |
|
Infiltration Test |
Corporate Communication (including Crisis Management, Processes for Informing Boards and Relevant Persons, Reputation Management, etc.) |
|
Intrusion Detection and Prevention Systems |
Training and Awareness Activities (focused on Information Security and Legal Compliance) |
|
Log Records |
|
|
Data Masking |
|
|
Data Loss Prevention Software |
|
|
Back-up |
|
|
Firewalls |
|
|
Updated Anti-virus Systems |
|
|
Deletion, Destruction, or Anonymization |
|
|
Key Management
|
