Introduction
Personal data protection rules for fintech and payment companies in Turkey are among the most important compliance issues in the financial technology sector. Fintech businesses process large volumes of highly sensitive information, including identity data, contact details, bank account information, transaction records, payment histories, card-related data, device identifiers, IP addresses, customer authentication data, fraud risk signals, behavioral analytics, merchant data, customer support records, and sometimes biometric verification data. These data are not only commercially valuable; they are also legally sensitive and security-critical.
Turkey’s main personal data protection legislation is Law No. 6698 on the Protection of Personal Data, commonly known as KVKK. KVKK applies to natural persons whose personal data are processed and to natural or legal persons who process personal data wholly or partly by automated means, or by non-automated means forming part of a data filing system. Its purpose is to protect fundamental rights and freedoms, particularly the right to privacy, and to regulate the obligations of persons processing personal data.
Fintech and payment companies are also subject to sector-specific regulation. In Turkey, payment services and electronic money institutions are regulated under Law No. 6493 on Payment and Securities Settlement Systems, Payment Services and Electronic Money Institutions, together with secondary regulations issued by the Central Bank of the Republic of Türkiye. The CBRT states that regulation and supervision in the payment services area are carried out under Law No. 6493 and relevant secondary legislation.
For fintech companies, compliance requires a layered approach. It is not enough to comply only with KVKK or only with payment services legislation. A payment institution, electronic money institution, open banking service provider, digital wallet provider, payment gateway, fintech app, merchant acquiring platform, remittance service, or account information service provider must consider both privacy law and financial sector rules. This article explains the key data protection obligations for fintech and payment companies operating in Turkey.
Why Personal Data Protection Is Critical for Fintech Companies
Fintech companies operate in a trust-based environment. Users share sensitive financial information because they expect secure, lawful, and transparent services. If a payment company mishandles personal data, the damage may be serious: identity theft, unauthorized transactions, fraud, phishing attacks, financial profiling, reputational harm, regulatory sanctions, loss of customer trust, and contractual liability toward merchants, banks, vendors, or business partners.
Personal data protection is especially important in fintech because financial data can reveal intimate details about a person’s life. Payment records may show medical expenses, political donations, religious spending, travel behavior, income patterns, debt structure, subscriptions, gambling-like activity, family support payments, business relationships, and daily routines. Even if “financial data” is not listed as a special category of personal data under KVKK Article 6, it may still be high-risk personal data requiring strong security and strict purpose limitation.
Fintech companies also tend to use advanced technologies: mobile apps, APIs, AI-based fraud detection, identity verification, device fingerprinting, behavioral analytics, open banking interfaces, cloud systems, and cross-border vendors. These technologies increase efficiency but also create complex data flows. A fintech business must therefore be able to answer practical legal questions: What personal data is processed? What is the legal basis? Is explicit consent required? Is data transferred to third parties or abroad? Are security measures sufficient? Are customers properly informed? Can the company respond to data subject requests? Has it prepared for data breaches?
Personal Data Commonly Processed by Fintech and Payment Companies
Fintech and payment companies may process many categories of personal data. These commonly include identity data such as name, surname, Turkish identity number, passport number, date of birth, nationality, signature, and customer number. Contact data may include phone number, email address, billing address, delivery address, registered address, and notification preferences.
Financial and transaction data may include bank account details, IBAN, payment account identifiers, wallet balance, transaction amount, transaction date, merchant information, payment method, refund records, chargeback records, payment status, invoice records, reconciliation data, card token data, transaction references, and electronic money issuance or redemption records.
Digital and security data may include IP address, device ID, session ID, login records, authentication logs, one-time password records, mobile device information, operating system, browser information, geolocation indicators, fraud signals, risk scores, API logs, and security alerts.
Customer support and compliance data may include call center recordings, support tickets, complaint files, know-your-customer documents, suspicious transaction review notes, regulatory correspondence, merchant onboarding documents, and dispute records.
Some fintech companies may also process special categories of personal data. For example, biometric identity verification may involve biometric data; employee records may include health or criminal record data; certain financial products may indirectly involve health or insurance-related information. Special category data requires stricter legal assessment under KVKK Article 6.
Data Controller and Data Processor Roles in Fintech
A fintech company must first determine whether it acts as a data controller, data processor, or both. Under KVKK, a data controller determines the purposes and means of processing personal data, while a data processor processes personal data on behalf of the controller based on authorization.
A payment institution or electronic money institution will usually act as a data controller for its customer data because it determines why customer identity, transaction, wallet, payment, compliance, and security data are processed. It may also act as a controller for merchant data, employee data, website visitor data, mobile app user data, marketing data, and regulatory compliance records.
However, a fintech infrastructure provider may sometimes act as a data processor. For example, a payment gateway technology vendor may process personal data on behalf of a licensed payment institution under its instructions. A cloud hosting provider, customer support provider, fraud detection vendor, or identity verification software provider may also act as a processor depending on the structure.
Role classification matters because it affects privacy notices, data processing agreements, security obligations, breach notification procedures, cross-border transfer mechanisms, and responsibility for data subject requests. In many fintech structures, a company may be a controller for some data flows and a processor for others. This should be documented clearly in contracts and internal data inventories.
Core KVKK Principles for Fintech Data Processing
KVKK requires all personal data processing to comply with general principles. Personal data must be processed lawfully and fairly, must be accurate and kept up to date where necessary, must be processed for specified, explicit, and legitimate purposes, must be relevant, limited, and proportionate to those purposes, and must be retained only for the period required by law or by the processing purpose.
For fintech companies, these principles have concrete consequences. A payment app should not collect unnecessary location, contact list, camera, microphone, or behavioral data unless a specific feature requires it. A digital wallet should not retain inactive customer data indefinitely. A fraud detection system should not use excessive profiling beyond what is necessary for security and legal compliance. A payment company should not use transaction data for unrelated marketing unless it has a valid legal basis and has properly informed the customer.
The principle of proportionality is especially important. Fintech businesses may have legitimate reasons to process detailed transaction and security data, but this does not justify unlimited collection, indefinite retention, or uncontrolled access. Each data category must be connected to a specific lawful purpose.
Legal Bases for Processing Customer Data
A common misunderstanding is that fintech companies always need explicit consent for every data processing activity. This is not correct. Under KVKK Article 5, personal data may be processed without explicit consent if one of the statutory legal bases applies, such as processing expressly provided by law, necessity for contract performance, necessity for compliance with a legal obligation, necessity for the establishment, exercise or protection of a right, or legitimate interests of the controller provided that fundamental rights and freedoms are not harmed.
For example, a payment company may process identity data to establish a customer relationship, transaction data to execute payment services, invoice data to comply with legal obligations, security logs to prevent fraud, and dispute records to protect legal rights. These activities may not require explicit consent if a proper statutory basis exists.
However, explicit consent may be required for certain optional or non-essential processing activities. Examples may include behavioral advertising, certain marketing profiling activities, optional data sharing with third-party commercial partners, processing of biometric data where no other Article 6 ground applies, or certain exceptional cross-border transfer scenarios.
The key compliance point is that each processing purpose must have a separately identified legal basis. A fintech company should not rely on one general consent form for all processing activities. It should prepare a data inventory matching each data category and purpose with the relevant legal basis.
Privacy Notices for Fintech and Payment Services
Fintech companies must provide clear privacy notices under KVKK Article 10. At the time personal data is obtained, the data controller must inform the data subject about the identity of the controller, processing purposes, transfer recipients and transfer purposes, method and legal basis of collection, and data subject rights.
A fintech privacy notice should be more detailed than a generic website policy. It should explain account creation, customer verification, payment account management, transaction processing, electronic money issuance, merchant services, fraud prevention, risk monitoring, complaint handling, regulatory compliance, customer support, mobile app permissions, device data, cookies or SDKs, data retention, domestic transfers, international transfers, and data subject rights.
The notice should be accessible before or at the time of collection. For mobile apps, this may require layered privacy notices during onboarding, identity verification, payment account creation, open banking consent, device permission requests, and marketing preference screens. For merchant services, the notice should also address business owner, authorized representative, shareholder, and contact person data.
Open Banking and Data Sharing Services
Open banking is one of the most important developments in Turkish fintech. The CBRT’s guide on payment services data sharing describes open banking as the opening of financial system data through standardized APIs to third-party service providers in accordance with regulations and with the customer’s explicit consent. The guide also identifies account information service providers and payment initiation service providers as key actors in payment services data sharing.
Open banking creates significant privacy obligations because account information and payment initiation services involve access to payment account data. Customer consent, authentication, API security, data minimization, access scope, retention, and third-party responsibilities must be managed carefully.
A fintech company offering account information services should collect only the data necessary for the service requested by the customer. It should not access unrelated account information or use account data for hidden marketing purposes. A payment initiation service provider should ensure that payment instructions are processed securely and in accordance with the user’s authorization.
Open banking also requires clear separation between payment services consent and general KVKK explicit consent. Customer authorization for a regulated payment service should be designed in accordance with payment services rules, while the company must still comply with KVKK transparency, lawful processing, security, and data subject rights.
Customer Authentication and Fraud Prevention
Payment companies must protect users from unauthorized transactions, account takeover, phishing, identity theft, and fraud. This often requires processing authentication data, device data, IP addresses, transaction patterns, risk indicators, login attempts, behavioral signals, and suspicious activity records.
Fraud prevention may be based on legal obligations, legitimate interests, contract performance, or protection of rights depending on the specific activity. However, fintech companies should ensure that fraud systems are proportionate and transparent. Excessive monitoring, opaque scoring, or unjustified blacklisting may create privacy and fairness concerns.
If automated systems produce negative results for customers, such as blocking an account, rejecting a transaction, restricting a service, or classifying a user as high-risk, Article 11 rights may become relevant. Data subjects have the right to object to a result against themselves arising from analysis of personal data exclusively through automated systems.
Therefore, fintech companies should implement human review mechanisms, appeal channels, accuracy controls, and documented decision rules for high-impact automated decisions.
Biometric Verification and Digital Onboarding
Many fintech companies use biometric tools for remote identity verification, facial recognition, liveness detection, voice recognition, or secure login. Biometric data is a special category of personal data under KVKK Article 6. This means processing biometric data requires a specific legal basis and adequate safeguards.
A fintech company should not treat biometric verification as ordinary identity data processing. It must assess whether biometric processing is legally permitted, necessary, proportionate, and secure. If explicit consent is used, it must be specific, informed, and freely given. The company should also consider whether alternative verification methods are available, especially where biometric use is optional.
Biometric templates should be encrypted, access should be strictly limited, retention periods should be defined, and vendors providing biometric technology should be contractually controlled. If biometric data is processed through foreign infrastructure or foreign support teams, cross-border transfer rules must also be considered.
Data Security Obligations in the Fintech Sector
Data security is central to fintech compliance. KVKK Article 12 requires data controllers to take all necessary technical and organizational measures to prevent unlawful processing, prevent unlawful access, and ensure protection of personal data. If data is processed by another person on behalf of the controller, the controller is jointly responsible with that person for taking security measures.
For fintech and payment companies, technical measures should include encryption, strong authentication, multi-factor authentication, secure API design, tokenization, access control, transaction monitoring, fraud detection, secure coding, vulnerability management, penetration testing, secure logging, database segregation, endpoint protection, secure backups, network segmentation, key management, and incident detection.
Organizational measures should include employee confidentiality undertakings, role-based authorization, vendor due diligence, information security policies, staff training, internal audits, breach response plans, disciplinary rules, data retention schedules, and board-level risk governance.
Payment companies are also subject to sector-specific information systems requirements. The CBRT has stated that the Payment Services Regulation and the Communiqué on Information Systems of Payment and Electronic Money Institutions and Data Sharing Services of Payment Service Providers were published in the Official Gazette dated 1 December 2021, and that they regulate activities, information systems, and data sharing services in the payment services field.
Cloud Use and Community Cloud Requirements
Cloud use is a major issue for fintech companies. Many payment and electronic money institutions rely on cloud infrastructure, SaaS tools, analytics systems, customer support platforms, monitoring tools, and foreign technology providers. However, payment sector rules may impose stricter requirements than ordinary commercial sectors.
The CBRT’s community cloud guidance refers to the Information Systems Communiqué and notes that payment and electronic money institutions may use cloud computing services established domestically for processing, storing, and transmitting data. It also highlights sensitive customer data, competition-sensitive data, personal data, and similar data categories in the cloud context.
This means fintech companies must assess cloud use from both KVKK and payment services perspectives. A cloud solution may be technically convenient but legally problematic if it does not satisfy sector-specific requirements, data localization expectations, security controls, or cross-border transfer rules. Before adopting cloud services, a payment company should review data categories, server location, backup location, remote access, encryption, sub-processors, audit rights, and regulatory expectations.
Cross-Border Data Transfers
Cross-border data transfers are one of the most important privacy issues for fintech companies. Many fintech businesses use foreign cloud providers, international fraud detection tools, global KYC vendors, foreign identity verification APIs, analytics platforms, CRM systems, email providers, payment infrastructure, and overseas group company systems.
KVKK Article 9 was significantly amended in 2024. Under the amended rule, personal data may be transferred abroad if one of the processing conditions under Articles 5 or 6 exists and there is an adequacy decision for the relevant country, sector, or international organization. If no adequacy decision exists, transfer may be possible through appropriate safeguards such as standard contracts, binding corporate rules, or written commitments approved by the Board. Standard contracts must be notified to the Turkish Personal Data Protection Authority within five business days after signature.
The Turkish Authority announced in August 2024 that English translations of the By-Law on the Procedures and Principles for the Transfer of Personal Data Abroad and standard contract texts were available, including controller-to-controller, controller-to-processor, processor-to-processor, and processor-to-controller modules.
For fintech companies, this means that international transfer mapping is essential. A company must identify whether personal data is stored abroad, accessed by foreign support teams, processed by foreign vendors, replicated in foreign backups, or transferred to international group companies. Financial data, identity data, biometric data, transaction logs, and fraud data should be assessed carefully because they may create high risk if transferred unlawfully.
Data Processing Agreements and Vendor Management
Fintech companies rely heavily on vendors: cloud providers, KYC vendors, biometric verification providers, fraud detection tools, cybersecurity companies, call centers, card processors, payment infrastructure providers, customer support platforms, SMS providers, email services, audit firms, legal advisors, and software developers.
Where a vendor processes personal data on behalf of the fintech company, a data processing agreement should be signed. This agreement should regulate processing instructions, data categories, confidentiality, security measures, sub-processors, breach notification, deletion or return, audit rights, cross-border transfers, and liability.
Vendor due diligence is critical. A fintech company should ask whether the vendor stores data abroad, whether it uses sub-processors, whether it has information security certifications, whether it encrypts data, whether it provides breach notification commitments, whether it can support deletion requests, and whether it uses customer data for its own analytics or AI training.
Data Breach Notification
Data breaches in fintech can be extremely serious. Incidents may include compromised customer accounts, unauthorized access to transaction records, leaked identity verification documents, exposed API keys, fraudulent access to payment accounts, ransomware, phishing attacks, misconfigured cloud storage, or vendor security incidents.
Under KVKK Article 12, if processed personal data is obtained by others through unlawful means, the data controller must notify the data subject and the Personal Data Protection Board within the shortest time.
In practice, fintech companies should have a breach response plan that includes technical containment, forensic investigation, regulatory assessment, customer communication, vendor coordination, evidence preservation, fraud monitoring, and remediation. Because payment incidents may also involve sectoral regulatory obligations, legal teams should assess both KVKK notification and payment services regulatory reporting duties.
A processor or vendor should be contractually required to notify the fintech company immediately after discovering a suspected or confirmed breach. Delayed vendor reporting may prevent the fintech company from meeting its own regulatory timeline.
Retention and Deletion of Financial Data
Fintech companies must retain certain records for legal, regulatory, accounting, tax, fraud prevention, dispute resolution, and financial compliance purposes. However, KVKK requires personal data to be erased, destroyed, or anonymized when the reasons requiring processing no longer exist.
A payment company should define retention periods for customer identity files, transaction records, wallet records, merchant onboarding documents, fraud alerts, customer support tickets, call recordings, device logs, authentication records, consent logs, marketing records, and inactive accounts.
The company should distinguish between legally required retention and optional business use. For example, transaction records may need to be retained for statutory and regulatory purposes, while marketing segmentation data may not have the same retention justification. Old logs, outdated device data, abandoned onboarding files, and inactive marketing leads should be reviewed periodically.
Data Subject Rights
Customers, merchants, authorized representatives, employees, and users have rights under KVKK Article 11. These include the rights to learn whether personal data is processed, request information, learn processing purposes, know domestic and foreign transfer recipients, request correction, request deletion or destruction under legal conditions, object to adverse automated results, and claim compensation for unlawful processing.
Fintech companies should create clear request channels and internal procedures. A user may ask: “Why was my transaction rejected?”, “Which companies received my payment data?”, “Delete my account,” “Correct my identity information,” “Stop marketing messages,” or “Explain whether my data was transferred abroad.” Customer support teams should be trained to recognize these as possible KVKK requests.
Because financial services often require retention of records, deletion requests must be evaluated carefully. A fintech company may lawfully retain data required by law or necessary for disputes, but it should explain the legal basis clearly and delete unnecessary data where possible.
VERBIS Registration
Fintech and payment companies should assess their VERBIS obligations. VERBIS is the Data Controllers’ Registry Information System. The By-Law on Data Controllers Registry states that it applies to natural and legal persons who determine the purposes and means of personal data processing and are responsible for establishing and managing the data filing system.
Payment companies often process large-scale customer and transaction data and may not fall within exemptions depending on their size, balance sheet, main activity, and data categories. VERBIS entries should reflect actual processing purposes, data subject groups, data categories, recipient groups, foreign transfers, security measures, and retention periods.
VERBIS records should be consistent with privacy notices, data inventories, retention policies, vendor contracts, and cross-border transfer documentation.
Marketing, Profiling, and Customer Analytics
Fintech companies may use customer data for marketing, cross-selling, loyalty campaigns, product recommendations, customer segmentation, risk-based offers, and personalized notifications. These activities require careful legal review.
Processing transaction data for unrelated marketing can be risky because transaction data may reveal sensitive lifestyle patterns. If marketing relies on profiling, behavioral analysis, or third-party advertising tools, explicit consent or another strong legal basis may be required. Commercial electronic message rules and İYS requirements may also apply to promotional SMS, email, and calls.
Fintech companies should separate service notifications from marketing messages. A security alert or transaction confirmation is different from a promotional campaign. Marketing consent should not be bundled with mandatory service use unless legally justified.
Practical KVKK Compliance Checklist for Fintech and Payment Companies
A fintech or payment company operating in Turkey should:
- Prepare a detailed personal data inventory.
- Identify all customer, merchant, employee, vendor, and user data categories.
- Determine data controller and processor roles for each data flow.
- Identify legal bases under KVKK Articles 5 and 6.
- Prepare clear privacy notices for customers, merchants, app users, employees, and website visitors.
- Separate explicit consent from privacy notices.
- Review open banking consent and API data sharing structures.
- Assess biometric verification and digital onboarding tools.
- Implement strong technical and organizational security measures.
- Review compliance with payment services information systems rules.
- Map cloud systems and server locations.
- Identify all cross-border transfers.
- Implement Article 9 safeguards where required.
- Notify standard contracts within five business days after signature where applicable.
- Sign data processing agreements with vendors.
- Monitor sub-processors and foreign support access.
- Prepare breach response procedures.
- Define retention and deletion periods.
- Establish data subject request workflows.
- Review VERBIS obligations and entries periodically.
Common Mistakes in Fintech Data Protection Compliance
One common mistake is treating financial transaction data as ordinary low-risk data. Even if it is not a special category under KVKK, it can reveal sensitive personal patterns and should be strongly protected.
Another mistake is using foreign cloud or fraud detection tools without Article 9 transfer analysis. A third mistake is relying on broad consent forms instead of matching each processing purpose with the correct legal basis.
Fintech companies also sometimes fail to distinguish service messages from marketing messages. They may send promotional content through channels originally collected for security or transaction notifications. This creates both KVKK and commercial communication risk.
Another frequent mistake is weak vendor governance. Payment companies may rely on KYC, biometric, cloud, call center, analytics, or AI vendors without strong data processing agreements, breach notification clauses, or sub-processor controls.
Finally, many fintech companies underestimate retention obligations. They either keep all data indefinitely or delete data without considering regulatory and evidentiary duties. Both approaches can create legal risk.
Conclusion
Personal data protection rules for fintech and payment companies in Turkey require a sophisticated compliance approach. Fintech businesses process high-value and high-risk personal data, including identity information, transaction records, financial behavior, device data, authentication logs, fraud indicators, customer support records, and sometimes biometric data. These activities must comply with KVKK and sector-specific payment services rules.
The most important compliance areas include lawful processing, privacy notices, explicit consent, open banking data sharing, authentication and fraud prevention, biometric verification, data security, cloud use, cross-border transfers, vendor management, breach notification, retention, data subject rights, VERBIS, marketing, and profiling.
The 2024 amendments to KVKK Article 9 are particularly important for fintech companies because many payment and fintech platforms rely on foreign cloud infrastructure, identity verification tools, fraud detection systems, analytics providers, AI APIs, and international support services. Cross-border transfers must be mapped and supported by a lawful mechanism such as adequacy decisions, standard contracts, binding corporate rules, or approved commitments where applicable.
For fintech and payment companies in Turkey, data protection compliance is not only a regulatory requirement. It is also a trust mechanism. Customers entrust fintech companies with financial information because they expect security, transparency, and lawful processing. A company that protects personal data properly reduces regulatory risk, strengthens customer confidence, supports licensing and audit readiness, improves investor due diligence outcomes, and builds a sustainable fintech business in Turkey.