Personal Data Protection Law

What is PDPL?
The Personal Data Protection Law (PDPL) was accepted by the Turkish Grand National Assembly on 24.03.2016 and entered into force by being published in the Official Gazette dated 07.04.2016 and numbered 29677. The Law is based on the compliance of all data processing persons and institutions within the framework of basic purposes such as ensuring the confidentiality of personal data, protecting it and preventing unauthorized use. Our Company, like all organizations, is obliged to comply with this Law and the personal data processed in all processes of our Company are within this scope.

What is Personal Data?
All data or data sets that make a person directly or indirectly identifiable are considered personal data. Examples include identifying information that directly belongs to a person or is created on behalf of a person, such as name, surname, place/date of birth, telephone number, CV, photograph, voice recording. Personally identifiable data, such as customer numbers generated for certain transactions within the application, are also considered Personal Data.

What is Data Processing?
Any operation performed on personal data is considered as “data processing”. Therefore, archiving, storing, changing, reorganizing, disclosing, transferring, analyzing and classifying data are included in the scope of data processing.

Who is the Relevant Person / Data Owner?
One of the terms frequently used in the law and our corporate policies is “related person” or “data owner”. It refers to the real persons whose personal data is processed.

Who is the Data Controller?
The data controller is the natural or legal person who determines the purposes and methods of processing personal data and is responsible for the establishment and management of the data recording system. At this point, our Company becomes the Data Controller for the data of our customers, visitors and employees.

Who is the Data Processor?
Data processors are natural or legal persons who process data on behalf of the data controller. These persons may also be separate natural or legal persons authorized by the data controller to process personal data.

Data Processing Conditions

All data controllers have the right to process data only if the following conditions are met or if the relevant person gives explicit consent:

• It is clearly provided for in the laws (Banking Law, MASAK Legislation).
• It is directly related to the establishment or performance of a contract.
• The data controller is able to fulfill its legal obligation.
• It is made public by the relevant person.
• Data processing is mandatory for the establishment, exercise or protection of a right.
  The legitimate interest of the data controller.

Meeting Data Owner Requests

PDPL grants the relevant persons the right to request which personal data is processed in which processes and the current status of these data. As a company, we are also obliged to respond to requests from data owners within 30 days.

According to Article 13 of the Law No. 6698 on the Protection of Personal Data, which regulates “Application to the Data Controller”, the relevant person/data owner must submit their requests regarding the implementation of the Law in writing to the data controller. Therefore, in order for your request to be evaluated, you must apply in writing to our nearest Directorate or submit a written application through our direct channel that we can reach most quickly.
Institutions and persons who are data controllers or who process data are obliged by the Law to inform data owners about the personal data they process.