Regulation on Sharing of Confidential Information Published

On 25 February 2020, the Law on Amending the Banking Law and Certain Other Laws entered into force. Accordingly, the Banking Regulation and Supervision Board was authorised to determine the rules and procedures regarding the sharing and transfer of confidential customer information, and the restrictions relating to them. In addition, the law stated that, apart from the exceptions, information regarded as customer secrets cannot be shared with, or transferred to, third parties who are resident in Turkey, or abroad, without the customer’s request or instruction, even if the customer’s explicit consent is obtained in accordance with the Personal Data Protection Law.

In June, the Banking Regulation and Supervision Authority published the Regulation on Sharing of Confidential Information (the “Regulation”). Some of the noteworthy issues included in the Regulation are listed below:

  • The definition of pseudonymisation is separated from the definition previously included in the Regulation on Personal Health Data and is expanded to include legal entities, as well as individuals. Pseudonymisation is defined as the processing of customer data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately, and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable individual.
  • The scope of customer secrets is expanded. In addition to the regulations in the Banking Law, when a bank obtains and learns of customer secrets that are held by another bank, this is also regulated within the scope of confidentiality obligations, even if a bank-customer relationship has not been established.
  • Under a further new provision, data relating to individuals and legal entities that existed prior to the establishment of a bank-customer relationship, and which do not constitute a customer secret in another bank, will be regarded as a customer secret when they are processed, alone or together with the data formed after the bank-customer relationship is established, in a way that shows that the relevant person is a bank customer.
  • Sharing information that is not a customer secret but is regarded as a bank secret, comprising only information regarding the bank, with third parties, under the responsibility of the bank and pursuant to a board of directors’ resolution, does not constitute a violation of the confidentiality obligation. Thus, the concept of a bank secret is separated from a customer secret and is clarified.
  • Some additional exceptions are added to the confidentiality obligation exceptions regulated in the Banking Law, provided that a nondisclosure agreement is signed, and the sharing and transfer of customer secrets are limited to specified purposes.
  • In line with the Banking Law, even if the customer gives explicit consent, customer information cannot be shared with or transferred to third parties who are resident in Turkey, or abroad, without the customer’s additional request or instruction and, in parallel with the decisions of the Personal Data Protection Board, the customer’s explicit consent cannot be made a prerequisite for the services to be provided by the bank.

The Regulation forms a framework for the sharing and transfer of confidential information, and it determines the scope of the banks’ obligations regarding this information, as well as the general principles to be followed when sharing such information.

Please contact Kolcuoglu Demirkan Kocakli with any questions regarding this matter.
