İş Kuleleri, Kule 3, Kat:2, 34330,
Levent / Istanbul, Turkey


T: +90 (212) 249 29 39

The Regulation, published on 04.06.2021, will enter into force on 01.01.2022 and determines the scope, form, procedures and principles regarding the sharing and transfer of bank secrets and customer secrets.

In the Regulation reference is made to the Law on the Protection of Personal Data No. 6698 (“PDP Law”) and standards regarding the confidentiality obligation. Exceptions to this obligation and the concept of “customer” secret have been introduced within the scope of the Banking Law No. 5411.

Within the scope of the confidentiality obligation, it is regulated that those who learn the secrets of the banks or their customers due to their title and duties cannot disclose the said secrets to anyone other than the authorities expressly authorized in this regard, and that these obligations continue even after resignation. It has been determined that this obligation is also valid if the customers confidential information is obtained and learned by non-automatic methods or methods that are not part of any data recording system.
In addition, it is regulated by the Regulation that data belonging to real and legal persons, which are formed after establishing a customer relationship with banks, specific to banking activities, become customer secrets and any information showing that a real or legal person customer is a customer of the bank is also within the scope of customer secret.

In this respect, even if a customer relationship has not been established, obtaining and learning the customer secret information held by another bank is also within the scope of the confidentiality obligation.In Article 5 of the Regulation, the exceptions to the obligation to keep secrets and in Article 6 the general principles regarding the sharing of confidential information are listed. It is seen that the provisions regarding the exceptions are regulated in a way to cover the principles of being limited only to the stated purposes and to include the data as much as these purposes require. In addition, the customer's confidential information cannot be shared with third parties in the country and abroad without a request or instruction from the customer. Even if the customer's explicit consent is obtained, except for the cases that are exempted from the confidentiality obligation and the customer's express consent or request or instruction to share their information, it has been determined that it cannot be made a prerequisite for the services to be provided by the bank.

Finally, banks are required to establish an Information Sharing Committee in order to comply with the regulation. At a minimum, this committee will consist of representatives of the business line, internal control unit, compliance unit and legal unit, who request or request information to be shared, and the related asset owners. will be responsible for coordinating and recording the incoming sharing requests by evaluating their suitability. It has been regulated that the job descriptions and working principles of the Information Sharing Committee must be approved by the boards of directors of the banks.