Evaluations on the Provision Introduced by “The Regulation on Banks’ Information Systems and Electronic Banking Services”, with regard to the Personal Data Protection Law
Significant amendments that are also closely related to the provisions of the Personal Data Protection Law are made by the new Regulation on Banks’ Information Systems and Electronic Banking Services (the “Regulation”) about which the opinions of all the relevant stakeholders were first received and then, submitted to the public opinion as a draft by the Banking Regulation and Supervision Agency (the “BRSA”) and which has been published in the Official Gazette dated 15 March 2020 and numbered 31069 after a long study and whose effective date is decided to be 1 July 2020.
The Regulation aims to set out the principles and procedures to be taken into consideration, as a minimum, in the management of the information systems used by banks while performing their activities, in the provision of their electronic banking services and in the management of the risks related thereto. By the Regulation, it is also aimed to prescribe the controls for the information systems that should be established.
This newsletter addresses the reflection, within the context of the Personal Data Protection Law, of the matter “Data Privacy and Data Sharing” which is the most significant innovation brought by the Regulation in respect of the Information Security Management for banks’ information systems.
What provisions have been introduced recently in respect of customer secrets?
1. The provisions, introduced within the scope of the Banking Law, set out the transfer of customer secrets to foreign countries and the grant of authorization to BRSA.
Before publication of the Regulation, an amendment which is closely related to the provisions of the Personal Data Protection Law was made to the Banking Law No. 5411 by the article 10 of the Law No. 7222 “On Making Amendments to the Banking Law and Certain Laws” on 25 February 2020.
Pursuant to the amendment, new additions were made to the article 73 of the Banking Law. Pursuant to the amendment, the article 73/3, entitled “Confidentiality”, contained in the Banking Law is modified as follows: “… Without prejudice to the mandatory provisions of other laws, any information of customer secret nature shall not be shared with and transferred to third parties in the country and abroad in the absence of a request or an instruction from the customer, even if the customer’s explicit consent is obtained in accordance with the Law No. 6698 of 24/3/2016 on the Protection of Personal Data, other than the cases referred to as an exception to the confidentiality obligation specified by this article…”
The full text of the relevant provision is accessible at .
In addition to the above, the lawmaker/legislative makes the following addition, as the paragraph 5, to the relevant article: “The Board is authorized to determine the scope and the forms of and the principles and procedures for or introduce restrictions on the sharing and transfers of information of secret nature, which sharing and transfers will be performed pursuant to the third and fourth paragraphs”.
In the amendment, the most striking part is that “even if the customer’s explicit consent is obtained”, such information of secret nature shall not be shared with and transferred to third parties in the country and abroad “in the absence of a request or an instruction from the customer”.
As mentioned above, “Customer’s Explicit Consent”, necessary to be obtained in accordance with the Law No. 6698 on the Protection of Personal Data, is no longer deemed to be sufficient and the receipt of “Customer’s Request or Instruction” is made obligatory by the provision.
Furthermore, in addition to the Personal Data Protection Authority (the “PDPA”), a similar authorization is also granted to BRSA with regard to the transfer of the personal data belonging to bank customers.
2. The Regulation prescribes significant matters about Data Privacy and Data Sharing.
Under the new provision introduced by the new Regulation in relation to “Data Privacy and Data Sharing”, it is seen that the new provision aims to draw a parallelism with the amendment made recently to the article 73 of the Banking Law referred to above. Accordingly, the following provision is prescribed:
“ In the absence of the bank customer’s request provable in writing or through a permanent data storage medium, such bank shall not -other than the exceptional cases referred to in the Law- share with and transfer to third parties in the country and abroad the information of customer secret nature, which the bank obtains, stores or processes by means of information systems while performing its activities and in its all kinds of outsourcing.”
The provision specifies that, even in case the customer’s explicit consent is obtained, no sharing shall take place in the absence of the customer’s express instruction or request in this regard, other than the cases indicated as an exception to the confidentiality obligation.
As mentioned above, this provision, which is dealt in parallel to the legal arrangement made recently in the article 73 of the Banking Law, emphasizes particularly that the explicit consent shall not be regulated as a precondition to a service that will be provided to the customer.
Unless there is a request or an instruction from the customer, transfer of customer information to third parties is restricted although the customer’s explicit request is obtained by virtue of the Law on the Protection of Personal Data, if such information is not included in an exception under the Banking Law or in the mandatory provisions of other laws.
For further information, the full text of the relevant Regulation is accessible at .
The legal arrangements made by the lawmaker state that the transfer of personal data is unlawful unless there is an express instruction or request from the bank customer for transfer of such personal data to third parties in the country and abroad, for which the explicit consent mechanism is not considered to be sufficient with regard to the protection of personal data. Given that the new provision authorizes BRSA in addition to PDPA with regard to the supervision of the data transfers, we are of the opinion that it is important to draw attention to the fact that both disciplines of law are violated in case of an unlawful breach by such bank.