INFORMATION NOTICE ON THE PROCESSING OF CUSTOMERS’ PERSONAL DATA

As Türk Ekonomi Bankası A.Ş. (the “Bank”), acting with the awareness of responsibility as a bank, we exercise reasonable care and diligence as required to ensure the privacy, confidentiality and security of the personal data processed within the scope of performance of our activities.

This Türk Ekonomi Bankası A.Ş. Information Notice on the Processing of Customers’ Personal Data (the “Information Notice”) has been prepared to inform you within the framework of Article 10 of the Law no. 6698 on Protection of Personal Data (the “Law”) and the Communiqué on Procedures and Principles to be followed for the Fulfilment of the Obligation to Inform.

We act as the data controller while processing your data as our customers with respect to the data processing activities we conduct within the scope of our banking activities. With this Information Notice, we inform you about your personal data processed, our purposes of processing and sharing/transferring your data and our legal reasons constituting the basis for such activities and the retention period of your data.

Which of Your Personal Data Do We Process?

Your data that are listed below are used in the data processing activities conducted by our Bank:

• Identification data (For example; your name, surname, date and location of birth, national identity number)
• Contact data (For example; your home/office address, e-mail address, your phone/mobile phone number)
• Data relating to family situation (For example marital status information)
• Data relating to education and professional life (For example; the school that you graduated from, information relating to your workplace)
• Economic and financial information (For example; information relating to your income, information relating to your credit history, information relating to banking products that you use)
• Marketing data (For example; usage habits, survey results)
• Digital platform usage data (For example; Your records obtained via cookie records and similar technologies)
• Location data (Information relating to your location)
• Data relating to financial transactions at the Bank (For example; credit/debit card expenditure information, account summary)
• Data regarding risk management and financial security (For example, the data required for know-your-customer, know-your-supplier, anti-terrorism and anti-fraud purposes)
• Data on the Bank’s facilities’ physical security (For example; CCTV records, records regarding visitors)
• Data regarding transaction security and the security of the Bank’s cyberspace (For example, user names, passwords, audit trails, logs)
• Requests/complaints and reputation management data (the data that you have provided in the requests, claims or complaints forwarded to the Bank)
• Legal transaction data (For example requests communicated by judicial authorities)
• Visual and audio records (For example; call center conversation records)

Some of your personal data is subject to a higher level of protection; these data are classified as “special categories of personal data” and are listed in the Law. We strive not to process your personal data of special categories in the activities conducted by our Bank. However, in some cases, we may process your sensitive data for example, your religion and blood type information obtained within the scope of mandatory ID card photocopying; If you choose to use a voice signature or fingerprint for authentication in mobile application or call center channels, give your biometric data; information about your conviction within the scope of our legal obligations; If you request to pay association or union membership fees/subscriptions, your special data showing that you are a member of these institutions; information about your disability, which is necessary for the performance of our service obligations towards our disabled customers; such as information about your health that you transmit in order to carry out your insurance transactions as an insurance agent.

During the processes where it is obligatory to have a photocopy of your ID card, the Bank does not process and add blood type and religion information stated in the ID card in the system. It is included in the system only because of the copy of the identity document. We diligently carry out the necessary technical work to delete this information in our systems.

Why Do We Process or Transfer Your Personal Data?

Your personal data is processed and transferred by the Bank for the purposes of carrying out required operations in order to sustain commercial activities of the Bank, leveraging reputation and business relations of the Bank as well as determination of its strategies, management of marketing activities of the Bank, ensuring legal and physical security of the Bank to allow the Bank’s customers to benefit from the banking services.

Following purposes may be considered as samples to the mentioned main purposes: maintaining credit extension processes, carrying out sales process for banking services, carrying out insurance, private pension and investment services, carrying out activities oriented to customer satisfaction, carrying out necessary marketing activities providing that the customers benefit from the products and services of Bank, management of complaints, management of events, forming business processes of the Bank, management of information security, setting up and management of information technologies infrastructure, management of financial security processes (Such as Know Your Customer, Anti-Money Laundering, Anti-Fraud and combating with other unlawful transactions), carrying out audit activities, litigation and execution processes. You may find detailed information relating to these purposes by clicking here.

For Which Legal Reasons Do We Process Your Personal Data?

Under articles 5 and 6 of the Law, your personal data are processed by the Bank under the following circumstances:

• In cases where your explicit consent is obtained
• To exercise or fulfil our rights or obligations specified in the laws or regulations, communiques, decisions of administrative authorities and any other secondary legislation;
• In cases requiring data processing, providing that it is directly related with the conclusion or implementation of the agreement that you have signed with our Bank;
• In cases where data processing is required for the establishment, exercise or protection of a right.
• In cases where it is mandatory for the legitimate interests of the Bank, provided that this processing shall not violate your fundamental rights and freedoms

In addition, your personal data of special categories are processed only if you have given your explicit consent or if it is explicitly stipulated in the laws that the Bank is subject to.

For Which Legal Reasons Do We Transfer Your Personal Data to Third Parties?

We share your personal data with the legally authorized public agencies or private institutions such as the BRSA(Banking Regulation and Supervision Agency), CMB (Capital Markets Board of Turkey), Turkish Financial Crimes Investigation Board (MASAK), the Central Bank of Republic of Turkey, etc.; the Bank’s direct or indirect subsidiaries and shareholders at home and abroad, support service providers, business partners, consultants, suppliers, Mastercard, Visa and the legally authorized public legal entities, private persons or judicial authorities under the following circumstances:

• In cases where your explicit consent is obtained
• To exercise or fulfil our rights or obligations specified in the laws or regulations, communiques, decisions of administrative authorities and any other secondary legislation;
• In cases requiring data processing, providing that it is directly related with the establishment or performance of the agreement that you have signed with our Bank;
• In cases where data processing is required for the establishment, exercise or protection of a right.
• In cases where it is mandatory for the legitimate interests of the Bank, provided that this processing shall not violate your fundamental rights and freedoms

In addition, your special categories of personal data may be transferred only if your explicit consent is obtained or such processing is explicitly envisaged in laws that our Bank subject to.

The transfer of your personal data to abroad is subject to your explicit consent. However, in cases where at least one of the legal reasons for data processing as listed above exists, the party that the data will be transferred to and our Bank take the measures specified in the legislation, and the transfer is approved by the Personal Data Protection Authority, we transfer your data to abroad, providing to be limited with the relevant legal reason.

How and in Which Mediums Do We Collect your Personal Data?

Principally we collect your personal data from 3 different sources in physical or electronic environments: (i) data obtained as per your declaration, (ii) data obtained as a result of your usage of our Bank’s services and products or (iii) data obtained from authorized organizations and institutions.

Within this scope your personal data is collected from our Bank’s Head Office, branches, ATM, internet banking and mobile banking channels, the Bank’s web sites, call center or the Bank’s other contact channels through phone, channels where active sales activities are carried out, face-to-face customer meetings, self-service units with assistant support, CCTV, SMS, e-mails, cookies and similar tracking technologies, subsidiaries and sales offices, unions and associations such as chambers of commerce and artisans, fax, mail, cargo or courier services and from databases (Identity Sharing System, Risk Center of Banks Association of Turkey, Central Civil Registration System etc.) of the institutions and organizations providing support services or having business partnerships to the extent permitted by laws and arrangement, within those limitations and via obtaining your approval if it is required by law.

For How Long Do We Process or Retain Your Personal Data?

We process your personal data during the effective term of the agreement signed by and in effect between you and our Bank.

Following the expiry of this period, we continue to process or store the relevant data if there is any legal provision allowing us to process the relevant data for a longer period, including, the Banking Law in particular, or if there exists any of the legal reasons for such data processing. At the end of these periods, we will immediately delete, destroy or anonymize your personal data.

What Kind of Measures Do We Take to Protect Your Personal Data?

The Bank takes various measures to ensure the security of your personal data. We can classify these measures as organizational measures and technical measures. Organizational measures refer to the measures related to the organization such as employee trainings, access rights restrictions, etc. Technical measures refer to the measures taken relating to our Bank’s systems.

What are Your Rights About Your Personal Data?

Under article 11 of the Law, you have the following rights regarding your personal data:

• To learn whether your personal data is processed or not;
• If any personal data have been processed, to request information about such processing;
• To learn the purpose of processing of personal data and whether your personal data are used for intended purposes or not;
• To know the third parties to whom the personal data are transferred at home or abroad;
• To request the rectification of the incomplete or inaccurate data, if any;
• To request for erasure or destruction of your personal data;
• To request for notification of the relevant actions to the third parties to whom personal data are transferred in case of correction, erasure or destruction of personal data;
• To object to unfavourable consequences arising against the related person through analysis of the processed data exclusively via automated systems;
• To request for compensation of any loss or damages incurred due to unlawful processing of personal data.

As the Bank, we take all the necessary organizational and technical measures in line with the requirements of the legislation to ensure that you can easily exercise your rights granted by the Law to you, i.e. the data subjects.

You can exercise your rights mentioned above by completing the application form that you can obtain from the Bank’s website (published on the link) or our Bank’s branches and forwarding it to our Bank through the following methods:

Form must be filled completely and:

• May be delivered by hand and in writing to our Branches,
• May be sent to our Bank address via registered mail with return receipt or notary public,
• May be sent via an e-mail message to kvkkbasvuru@teb.com.tr with a secure electronic
• signature,
• May be sent through a Registered E-Mail (KEP) account via KEP to turkekonomibankasi@hs03.kep.tr.

In addition, you can send your petition in written stating your requests clearly to our branches or via your e-mail address that you have previously notified to our bank and registered in our systems, or by another method included in the Communiqué on Application Procedures and Principles to the Data Controller published by the Data Protection Authority (KVKK).

Our bank shall conclude your requests regarding your rights listed above as soon as possible and within thirty days at the latest after the transmission date. You may be charged a fee based on the tariffs published by the Personal Data Protection Authority.

Additional information and documentation may be requested by our bank in order to verify your identity as well as to clarify your demand for the purpose of responding to submitted applications. In case of failure to provide such information and documentation, your application may not be responded in order to secure your data.

For further information on the processing of personal data by the Bank, please refer to TEB A.Ş. Personal Data Processing and Protection Policy provided on this link.

Updated on 28 April 2020