Introduction
Personal data protection in Turkish banking and financial services is one of the most important compliance areas for banks, participation banks, investment banks, payment institutions, electronic money institutions, fintech companies, portfolio management companies, insurance-related financial service providers, leasing companies, factoring companies, financing companies, and other institutions operating in the financial sector.
Financial institutions process some of the most sensitive and commercially valuable data in the economy. This includes identity information, contact details, bank account numbers, IBANs, credit card information, transaction history, loan applications, credit scores, risk assessments, income data, asset information, investment preferences, authentication records, device data, IP addresses, customer complaints, call center records, biometric verification data, fraud alerts, suspicious transaction data, and open banking data.
In Turkey, financial data protection is regulated through a multi-layered legal structure. The core personal data protection legislation is Law No. 6698 on the Protection of Personal Data, commonly known as KVKK. KVKK sets general principles for personal data processing, legal bases, data subject rights, privacy notices, data security obligations, breach notification, and cross-border transfers. At the same time, banks and certain financial institutions must comply with sector-specific rules such as Banking Law No. 5411, bank secrecy obligations, customer secret rules, Banking Regulation and Supervision Agency regulations, Central Bank of the Republic of Türkiye rules for payment services and open banking, and information systems regulations.
For this reason, data protection in Turkish banking is not limited to preparing a standard privacy notice. Banks and financial institutions must build a comprehensive governance model that combines KVKK compliance, bank secrecy, customer confidentiality, cybersecurity, information systems management, outsourcing controls, customer authentication, fraud prevention, data retention, domestic and international transfers, and regulatory reporting.
Why Financial Data Requires Strong Protection
Financial data can reveal far more than ordinary contact information. A person’s bank transactions may show salary level, spending habits, debt structure, medical expenses, family support payments, subscriptions, religious donations, political donations, travel patterns, business relationships, and personal lifestyle. A credit application may reveal income, assets, liabilities, employment status, marital status, guarantor relationships, and risk profile. Investment data may reveal wealth, financial strategy, risk tolerance, and commercial intentions.
Because of this, financial data must be treated as high-risk personal data even where it is not always classified as a “special category of personal data” under KVKK Article 6. In practice, unlawful disclosure of financial data may cause identity theft, fraud, blackmail, reputational harm, commercial loss, discrimination, social pressure, or serious interference with private life.
Banks and financial institutions also operate within a relationship of trust. Customers provide information because they expect confidentiality, regulatory protection, strong security, and lawful processing. A bank that loses customer trust may suffer not only administrative sanctions but also reputational damage, customer complaints, litigation, regulatory scrutiny, and loss of market confidence.
Legal Framework: KVKK and Banking Law
The general framework starts with KVKK. Under Article 4, personal data must be processed lawfully and fairly, accurately and up to date where necessary, for specified, explicit, and legitimate purposes, in a relevant, limited, and proportionate manner, and only for the period required by legislation or by the processing purpose. These principles apply to all banking and financial services data processing activities.
KVKK Article 5 regulates legal bases for ordinary personal data processing, while Article 6 regulates special categories of personal data such as health data, biometric data, genetic data, criminal conviction data, union membership data, and other sensitive categories. Financial institutions may process special category data in certain contexts, especially biometric identity verification, employee health records, criminal record checks for compliance-sensitive roles, or health-related insurance/loan documentation.
In addition to KVKK, Banking Law No. 5411 imposes strict confidentiality obligations. Article 73 of the Banking Law regulates bank secrets and customer secrets. The English version of the Banking Law published by the Banking Regulation and Supervision Agency states that data and information belonging to natural or legal persons collected in the course of banking activities and transactions after the establishment of a customer relationship become customer secrets. It also states that customer secrets may not be disclosed to or shared with third parties in Turkey or abroad without a demand or instruction from the customer, even if explicit consent has been obtained under KVKK, except for legally exempted cases.
This creates a critical distinction. In ordinary KVKK practice, explicit consent may sometimes be sufficient for certain processing or transfer activities. In banking, however, customer secret rules may require a customer demand or instruction in addition to or instead of ordinary KVKK consent, depending on the transfer structure and exemptions. Therefore, banks must analyze not only KVKK but also banking secrecy rules before sharing customer data.
Bank Secrets and Customer Secrets
Turkish banking confidentiality rules are stricter than ordinary commercial confidentiality. Bank secrets generally refer to information belonging to the bank itself, while customer secrets refer to customer-related data obtained after the establishment of a customer relationship. Customer secrets include not only obvious financial records but also information showing that a person is a bank customer.
This is significant because even the fact that a person has a relationship with a bank may be confidential. Account existence, account balance, loan status, credit card usage, transaction history, asset portfolio, investment orders, collateral information, and payment behavior may all fall under customer secrecy.
Banking Law Article 73 also states that confidential information may be shared or disclosed only for specified purposes and limited to the data required for those purposes, in line with proportionality. It further authorizes the Banking Regulation and Supervision Board to determine procedures and principles regarding sharing and disclosure of secret information or to impose restrictions.
For banks, this means that data sharing must be purpose-specific, limited, documented, and legally justified. A bank cannot share a full customer profile where only a limited data element is needed. It cannot transfer customer secrets to group companies, vendors, foreign service providers, marketing partners, or analytics platforms without a careful legal basis and banking secrecy assessment.
Data Controller and Data Processor Roles in Banking
Banks will usually act as data controllers for customer data because they determine why and how customer information is processed. For example, a bank determines the purposes and means of account opening, credit evaluation, transaction processing, fraud prevention, customer authentication, regulatory reporting, customer support, risk management, and financial product offering.
However, banks also work with many third parties. These may include IT service providers, cloud providers, call centers, card processors, payment infrastructure providers, authentication technology vendors, cybersecurity firms, ATM service providers, audit firms, law firms, debt collection service providers, CRM vendors, and open banking technology providers.
Some of these third parties may act as data processors if they process data on behalf of the bank and under its instructions. Others may act as independent data controllers if they process data for their own legal obligations or independent purposes. Correct role classification is essential for data processing agreements, bank secrecy clauses, security obligations, breach notification duties, and cross-border transfer documentation.
Privacy Notices in Banking and Financial Services
KVKK Article 10 requires data controllers to inform data subjects at the time personal data is obtained. The privacy notice must include the identity of the data controller, the purpose of processing, recipients and transfer purposes, the collection method and legal basis, and the data subject’s rights under Article 11.
A banking privacy notice must be more detailed than an ordinary commercial privacy notice. It should cover account opening, identity verification, customer due diligence, credit assessment, deposit and loan transactions, card services, investment services, digital banking, mobile banking, call center operations, ATM transactions, fraud prevention, risk management, legal and regulatory reporting, complaint handling, debt collection, data retention, domestic transfers, international transfers, and customer rights.
Financial institutions should also provide layered notices for digital channels. Mobile banking apps, internet banking platforms, remote onboarding tools, open banking interfaces, digital wallet applications, and investment platforms may require just-in-time notices for specific processing activities such as location access, biometric login, device binding, push notifications, transaction monitoring, and open banking data sharing.
Legal Bases for Processing Banking Data
Not every banking data processing activity requires explicit consent. Many processing activities may rely on contract performance, legal obligation, establishment or protection of a right, express legal provisions, or legitimate interests.
For example, processing identity data during account opening may be required for legal and regulatory obligations. Processing transaction data is necessary for performance of banking services. Processing loan application data is necessary to evaluate and perform credit contracts. Keeping accounting and transaction records may be required by law. Processing fraud alerts and suspicious access signals may be necessary for security and legitimate interests. Processing dispute files may be necessary for the establishment, exercise, or protection of rights.
However, optional activities require careful review. Personalized marketing, behavioral advertising, profiling for non-essential commercial campaigns, sharing data with third-party commercial partners, use of non-essential cookies, and certain cross-selling activities may require consent or a carefully documented legal basis. Banks must also consider bank secrecy rules before relying on KVKK consent alone.
Customer Instruction, Consent, and Confidentiality
A critical feature of Turkish banking law is that customer secrets may not be shared with third parties in Turkey or abroad without a demand or instruction from the customer, even if explicit consent has been taken under KVKK, except for exempted cases.
This means that financial institutions must distinguish between:
- KVKK explicit consent,
- customer instruction or request under banking secrecy rules,
- legal exemptions allowing disclosure, and
- mandatory disclosures to competent authorities.
A customer’s general privacy consent may not be enough for sharing customer secret information. The bank should identify whether the disclosure falls within a statutory exemption, whether the customer has given a specific instruction, and whether the transfer is limited to the necessary data.
For example, sharing data with a legally authorized public authority may be permitted under law. Sharing limited data with an outsourcing provider may be possible under banking legislation and regulatory rules, but it must be controlled through confidentiality, proportionality, technical measures, and contractual safeguards. Sharing customer data with a third-party commercial partner for marketing purposes requires far stricter analysis.
Information Systems and Electronic Banking Security
The BRSA Regulation on Information Systems and Electronic Banking Services of Banks sets minimum procedures and principles for the management of banks’ information systems and electronic banking services, risk management, and required information systems controls. Its purpose includes regulating the management of information systems used by banks in their activities and operations and in the provision of electronic banking services.
This regulation is highly relevant to personal data protection because most banking data is processed through information systems. The regulation requires banks to manage information systems as part of corporate governance, classify information assets, conduct risk analyses, implement information security management, protect data confidentiality, manage access, maintain logs, and establish controls for electronic banking services.
The same regulation provides that banks must classify information assets and maintain a detailed asset inventory. It also states that the data inventory created for data as part of information assets must include whether the data is personal data. This connects banking information systems governance directly with KVKK compliance.
For banks, data protection is therefore not only a legal department task. It is a board-level governance, cybersecurity, internal control, risk management, and audit issue.
Data Security Obligations Under KVKK
KVKK Article 12 requires data controllers to take all necessary technical and organizational measures to provide an appropriate level of security, prevent unlawful processing, prevent unlawful access, and ensure the protection of personal data. If personal data is processed by another person on behalf of the data controller, the controller is jointly responsible with that person for taking these measures.
For banking and financial services, this obligation must be interpreted strictly. Practical measures should include encryption, strong customer authentication, multi-factor authentication, secure API design, transaction monitoring, fraud detection, access controls, role-based authorization, logging, database segmentation, data loss prevention, privileged access management, secure backups, penetration testing, vulnerability management, incident response, endpoint security, and vendor security audits.
Organizational measures should include information security policies, employee confidentiality undertakings, information security training, data classification, internal audit, third-party risk management, breach response procedures, disciplinary rules, and board-level oversight.
Open Banking and Data Sharing Services
Open banking creates new opportunities and new privacy risks. The Central Bank of the Republic of Türkiye’s guide on payment services data sharing describes open banking as the opening of financial system data to third-party service providers through standardized APIs in accordance with regulations and with the customer’s explicit consent. The guide identifies two main payment-related services: payment initiation service and account information service.
Open banking data sharing may involve account balances, transaction history, payment account identifiers, customer authentication data, payment instructions, and consolidated account information. Such data is highly sensitive and may also qualify as customer secret information depending on the institution and context.
Open banking compliance requires a combination of customer authorization, strong authentication, API security, data minimization, purpose limitation, third-party licensing controls, and transparency. Account information service providers should access only the account information necessary for the service requested by the customer. Payment initiation service providers should initiate only authorized transactions and should not use payment account data for unrelated purposes.
The CBRT guide also states that account information service providers present consolidated information regarding one or more payment accounts held by payment service users with account servicing payment service providers, while payment initiation service providers initiate payment transactions upon the user’s request.
Digital Banking, Remote Identification, and Authentication Data
Digital banking and remote customer onboarding involve significant personal data processing. Banks may process identity documents, facial images, video call records, liveness detection data, signature data, device identifiers, IP addresses, phone numbers, authentication logs, and transaction confirmation data.
Remote identification and digital onboarding must be designed with privacy and security by default. Banks should avoid collecting excessive data, should limit retention of video or biometric-like verification materials, should secure authentication records, and should inform customers clearly about processing purposes, legal bases, retention periods, and transfers.
If biometric data is processed, KVKK Article 6 applies because biometric data is a special category of personal data. The bank must determine whether a valid Article 6 processing condition exists and must implement adequate safeguards. Biometric login, facial verification, voice recognition, fingerprint authentication, and behavioral biometrics require specific legal and technical review.
Credit Scoring, Risk Analysis, and Automated Decision-Making
Banks and financial institutions commonly process personal data for credit scoring, risk assessment, fraud detection, anti-money laundering controls, portfolio monitoring, collection strategies, and customer segmentation. These activities may involve automated systems and algorithmic analysis.
KVKK Article 11 gives data subjects the right to object to a result against themselves arising from analysis of processed personal data exclusively through automated systems.
This right is particularly important in credit rejection, account restrictions, fraud flags, risk scoring, transaction blocking, or automated loan pricing. Financial institutions should maintain human review mechanisms for high-impact decisions, ensure data accuracy, document decision logic at an appropriate level, and provide meaningful responses to customer objections.
Automated decision systems should also be tested for bias, accuracy, proportionality, and explainability. Incorrect financial data may lead to serious consequences for customers, including denial of credit, higher pricing, blocked transactions, or reputational damage.
Cross-Border Transfers of Banking and Financial Data
Cross-border transfers are one of the most sensitive areas in Turkish banking and financial services. Financial institutions may use foreign cloud services, global group systems, international card schemes, overseas support centers, foreign analytics tools, international fraud detection providers, SWIFT-related messaging systems, investment platforms, and global compliance databases.
KVKK Article 9 was amended in 2024. Under the amended rule, personal data may be transferred abroad if one of the processing conditions under Articles 5 or 6 exists and there is an adequacy decision. If there is no adequacy decision, transfers may be possible through appropriate safeguards such as standard contracts, binding corporate rules, or written commitments approved by the Board. Standard contracts must be notified to the Turkish Personal Data Protection Authority within five business days after signature.
In banking, this KVKK transfer analysis must be combined with Banking Law Article 73. The Banking Regulation and Supervision Board is authorized, after an assessment relating to economic security, to prohibit sharing customer secrets or bank secrets with third parties abroad and to require domestic keeping of banks’ information systems and backups used for banking activities.
Therefore, a bank cannot treat international transfer compliance as a purely KVKK standard contract issue. It must also consider customer secret rules, BRSA restrictions, information systems requirements, data localization expectations, and sectoral regulatory approvals or limitations where applicable.
Outsourcing and Third-Party Service Providers
Banks and financial institutions frequently outsource technology, customer support, card operations, payment processing, cybersecurity, call centers, ATM services, archiving, cloud infrastructure, software development, audit, legal services, and debt collection. Each outsourcing arrangement may involve customer data and bank secrecy.
Before transferring data to a vendor, the financial institution should determine whether the vendor is a processor or an independent controller, what data it will access, whether customer secrets are involved, whether the transfer is domestic or international, whether the vendor uses sub-processors, and what security measures apply.
Contracts should include strict confidentiality obligations, purpose limitation, data minimization, access controls, audit rights, breach notification duties, deletion or return obligations, sub-processor restrictions, and compliance with bank secrecy and KVKK. A standard commercial service agreement is not sufficient where customer financial data is processed.
Marketing and Customer Analytics in Banking
Banks often conduct marketing, cross-selling, customer segmentation, campaign management, product recommendations, and financial advisory targeting. However, banking marketing must be handled carefully because customer financial behavior may reveal sensitive lifestyle and economic patterns.
A bank may process certain customer data for existing service management, but this does not automatically authorize all marketing uses. Promotional electronic communications may require separate commercial communication consent. Behavioral advertising and profiling may require explicit consent or a carefully justified legal basis. Sharing customer data with external marketing partners may trigger both KVKK and banking secrecy concerns.
Banks should separate service communications from marketing. A fraud alert, account statement, transaction confirmation, regulatory notice, or card security message is different from a campaign message promoting a new loan, credit card, insurance product, or investment service.
Data Retention in Banking and Financial Services
Banks and financial institutions must retain many records due to banking, tax, accounting, anti-money laundering, consumer, contract, and litigation obligations. However, KVKK still requires personal data to be retained only for the period necessary for the processing purpose or required by law. Once the reasons requiring processing no longer exist, data must be erased, destroyed, or anonymized under Article 7.
A financial institution should define retention periods for account records, transaction logs, loan files, card records, customer due diligence documents, call recordings, complaint records, digital banking logs, authentication records, risk assessment files, marketing permissions, open banking consents, fraud investigation records, and closed customer files.
Retention must be balanced. Deleting records too early may violate banking or legal obligations. Keeping unnecessary data indefinitely may violate KVKK and increase breach exposure.
Data Breach Notification
Financial data breaches can be extremely serious. Examples include unauthorized access to customer accounts, leaked transaction records, stolen identity documents, compromised internet banking credentials, exposed call center recordings, misconfigured cloud storage, card data leakage, ransomware attacks, insider misuse, or API vulnerabilities.
KVKK Article 12 requires the data controller to notify the data subject and the Personal Data Protection Board within the shortest time if processed personal data is obtained by others unlawfully.
Banks and financial institutions must also consider sectoral incident reporting, internal audit, operational risk, cyber incident response, customer fraud prevention, and public communication. Breach response plans should include technical containment, legal analysis, regulatory notification, customer communication, fraud monitoring, credential reset, vendor coordination, evidence preservation, and remediation.
Data Subject Rights in Banking
Customers have rights under KVKK Article 11, including the right to learn whether personal data is processed, request information, learn the purpose of processing, know domestic and foreign transfer recipients, request correction, request erasure or destruction under legal conditions, request notification of correction or deletion to third parties, object to adverse automated results, and claim compensation for unlawful processing.
In banking, these rights must be handled carefully. A customer may request information about data transfers, correction of identity records, deletion of marketing data, details of automated credit decisions, or information about foreign transfers. However, banks may need to retain certain records due to legal obligations, contractual obligations, regulatory duties, or protection of rights. Therefore, deletion requests should be evaluated record by record.
Banks should create clear application channels, identity verification procedures, internal escalation workflows, and response templates. Because banking data is sensitive, identity verification must be strong enough to prevent disclosure to unauthorized persons.
VERBIS and Data Inventory
Banks and financial institutions should maintain a detailed personal data inventory. This inventory should identify data subject groups, data categories, processing purposes, legal bases, recipient groups, foreign transfers, retention periods, and security measures.
Where the financial institution is subject to VERBIS registration, registry entries should be consistent with actual processing activities, privacy notices, retention policies, and transfer documentation. The BRSA information systems regulation also requires banks to maintain data inventories as part of information asset management and to include whether data is personal data.
A data inventory is not only a KVKK formality. In banking, it supports data classification, bank secrecy compliance, cybersecurity, access control, retention management, audit readiness, and regulatory reporting.
Practical Compliance Checklist
A bank or financial services provider operating in Turkey should:
- Prepare a detailed personal data inventory.
- Classify customer secrets, bank secrets, personal data, and special categories of data.
- Identify the legal basis for each processing purpose.
- Prepare detailed privacy notices for customers, employees, digital users, website visitors, and merchants.
- Separate KVKK consent, marketing consent, and banking-law customer instructions.
- Review customer secret sharing under Banking Law Article 73.
- Implement strong information systems governance.
- Maintain data confidentiality, access controls, and logs.
- Apply strong customer authentication in digital channels.
- Review open banking and API data sharing.
- Conduct vendor due diligence for outsourcing relationships.
- Sign strong data processing and confidentiality agreements.
- Map domestic and cross-border transfers.
- Apply Article 9 transfer safeguards where required.
- Review BRSA restrictions and banking secrecy before foreign transfers.
- Define retention and deletion periods.
- Establish data subject request procedures.
- Prepare breach response and notification workflows.
- Review automated decision-making and credit scoring processes.
- Train employees on KVKK, bank secrecy, cybersecurity, and customer confidentiality.
Common Mistakes in Banking Data Protection
One common mistake is treating customer consent under KVKK as sufficient for every data sharing activity. Banking Law Article 73 may require customer demand or instruction and may impose stricter rules for customer secrets.
A second mistake is failing to map foreign transfers. Banks may use global vendors, support centers, cloud tools, or group systems without fully analyzing KVKK Article 9 and banking secrecy restrictions.
A third mistake is using broad privacy notices that do not reflect actual banking data flows. Financial institutions must be specific about account data, transaction data, risk assessment, fraud monitoring, digital banking, customer support, and transfers.
A fourth mistake is allowing excessive internal access to customer financial data. Access should be role-based and logged.
A fifth mistake is retaining data indefinitely without distinguishing between legal retention duties and unnecessary legacy data.
A sixth mistake is using automated credit or fraud decisions without sufficient human review, accuracy controls, or customer objection mechanisms.
Conclusion
Personal data protection in Turkish banking and financial services requires a strict and multi-layered compliance approach. Financial institutions must comply not only with KVKK but also with banking secrecy, customer secret rules, information systems regulations, electronic banking controls, open banking requirements, and sector-specific cybersecurity expectations.
The most important compliance areas include lawful processing, privacy notices, bank secrecy, customer instructions, information systems governance, data security, digital banking authentication, open banking data sharing, credit scoring, automated decision-making, outsourcing, cross-border transfers, retention, breach notification, data subject rights, and VERBIS/data inventory alignment.
Banking Law Article 73 makes Turkish banking privacy especially strict by classifying customer data collected after the establishment of a customer relationship as customer secrets and limiting disclosure to third parties in Turkey or abroad except under legally permitted conditions. KVKK Article 9 also imposes structured safeguards for cross-border transfers, while BRSA information systems rules require strong governance, risk management, asset classification, data confidentiality, access controls, logging, and information security management.
For banks and financial institutions, data protection is not merely a compliance document exercise. It is a core part of trust, corporate governance, operational resilience, cybersecurity, customer relationship management, and regulatory risk control. A financial institution that protects personal data effectively protects not only its customers but also its license, reputation, and long-term market position in Turkey.