Turkish Data Protection Board Decision: Confidentiality Obligations of Banks

24.01.2024

In its decision dated June 15, 2023 and numbered 2023/1050, the Turkish Personal Data Protection Board (“Board”) evaluated a complaint regarding a bank’s failure to fulfill a customer’s request to provide the transcript of the conversation between the bank’s customer representative and the customer.

In summary, the customer (“Data Subject”) argued that the bank (“Data Controller”) failed to provide information regarding the Data Subject’s stolen personal data, as their virtual card had been copied. In this regard, the Data Subject requested from the Data Controller the voice recording or the transcript of their conversation with the customer representative, in line with the data subject rights under the Personal Data Protection Law No. 6698 (“DPL”). However, in its defense, the Data Controller denied the Data Subject’s request and did not share the voice recording or the transcript of the conversation due to the provisions of the Banking Law No. 5411 (“Banking Law”) and the Regulation on Sharing of Secret Information (“Regulation”).

In this regard, the Board evaluated the facts of the case in line with the provisions of DPL, the Banking Law and the Regulation. While underlining the rights of the data subjects, including the right to demand for information as to if their personal data have been processed, the Board underlined that the data controllers are under the obligation (i) to finalize the data subjects’ requestsfree of charge, as soon as possible and within thirty days at the latest or (ii) to reject the data subjects’ requestsby explaining the reason and notify the data subject in writing or electronically. The Board determined that the Data Controller did not provide any response to the first inquiry by the Data Subject; and provided response to the second inquiry after the thirty day period.

Furthermore, within the framework of the Banking Law and the Regulation, the Board stated that the confidentiality obligation of the Data Controller requires not to provide “customer secrets” (natural and legal persons’ data after the establishment of a customer relationship with banks specific to banking activities) to third parties about the information and events obtained due to the commercial connection with the customer. On the other hand, this obligation does not prohibit disclosing the Data Subject’s own personal data within the scope of the rights of data subjects regulated under the DPL. The Board also mentioned that the data subject right to request information if their personal data have been processed, includes the right of access to such data.

Accordingly, the Board instructed the Data Controller to share with the Data Subject the transcript of the conversation between them and the customer representative by taking measures such as removing/masking the personal data of others,in line with the rights of data subjects regulated under the DPL.

This website is available “as is. Turkish Law Blog is not responsible for any actions (or lack thereof) taken as a result of relying on or in any way using information contained in this website, and in no event shall they be liable for any loss or damages.

The content and materials published on this website are provided for informational purposes only and should not be used as a legal opinion in any way. This website and the information contained are not intended to establish an attorney-client relationship.
th
Ready to stay ahead of the curve?
Share your interest anonymously and let us guide you through the informative articles on the hottest legal topics.
|
Successful Your message has been sent