| Personal Data Category | Purpose | Legal Basis |
Identity Information, Contact Information, Customer Transaction Information, Professional Experience Information | To perform account opening transactions; execute contracts signed/to be signed with the Bank and establish/maintain legal and commercial relations; conclude contracts with third parties to provide products/services to you; organize and conduct legal and commercial relations between the Bank and the customer, ensuring the accuracy and currency of your information. To fulfill our obligations regarding the products and services provided to you, make necessary evaluations for the service provided; determine the owner, authorized person, and addressees of business and transactions. | Article 5/2-c of the PDPL: Processing personal data of the parties involved in a contract is necessary if it is directly related to the conclusion or performance of that contract. Article 5/2-ç of the PDPL: It is mandatory for the data controller to fulfill their legal obligations. |
Identity Information, Contact Information, Customer Transaction Information, Financial Information, Transaction Security, Audiovisual Information | Providing services under Article 4 of the Banking Law No. 5411, including but not limited to banking services, foreign trade services, brokerage services, insurance, pension, and other agency services; managing operational processes related to these services; and performing activities ensuring the sustainability and continuity of audits, valuations, ratings, and independent audit activities. | Article 5/2-a of the PDPL: Explicitly stipulated by law. Art. 5/2-c: Processing personal data of the parties involved in a contract is necessary if it is directly related to the conclusion or performance of that contract. Article 5/2-ç of the PDPL: It is mandatory for the data controller to fulfill their legal obligations. |
Identity Information, Contact Information, Customer Transaction Information, Financial Information, Transaction Security, Audiovisual Information | Reporting to the Risk Center of the Banks Association of Türkiye or entities established by at least five banks or financial institutions, anti-fraud agencies, and other organizations and authorities.
In accordance with Article 42 of the Banking Law and Article 17 of the Regulation on Procedures and Principles Regarding Banks' Accounting Practices and Document Retention, as well as other applicable legislation, retaining your information and documents, preparing and preserving all records and documents foundational to transactions conducted electronically or on paper within the prescribed legal retention periods, and transmitting legal information required to be shared with you via your contact information. | Article 5/2-ç of the PDPL: It is mandatory for the data controller to fulfill their legal obligations. Article 5/2-a of the PDPL: Explicitly stipulated by law. |
Identity Information, Contact Information, Customer Transaction Information, Financial Information | Keeping records of your notifications—such as complaints, objections, suggestions, requests, and feedback—within our notification management system to enhance our service; executing necessary follow-up and management procedures; resolving your notifications and keeping you informed. | Article 5/2-ç of the PDPL: It is mandatory for the data controller to fulfill their legal obligations. Article 5/2-e of the PDPL: It is essential for the establishment, exercise, or protection of a right. |
Identity, Communication, Finance, Customer Transaction, Audiovisual Records | Improving our Bank's processes, managing applications, improving the quality of the products and services offered to you, and conducting customer satisfaction studies. | Article 5/2- f of the PDPL: It is necessary for the legitimate interests of the data controller, provided it does not infringe upon the fundamental rights and freedoms of the data subject. |
Identity Information, Contact Information, Customer Transaction Information, Financial Information, Transaction Security, Audiovisual Information, Physical Location Security | Pursuing legal remedies, filing lawsuits, and initiating enforcement proceedings to protect all interests of our Bank; obtaining legal advice; conducting litigation and enforcement proceedings in which our Bank is involved; collecting debts owed to our Bank; safeguarding and exercising property rights and other legal rights. | Article 5/2-e of the PDPL: It is essential for the establishment, exercise, or protection of a right. |
Identity Information, Contact Information, Customer Transaction Information, Financial Information, Legal Action Information, Location, Process Security. | Adhering to risk monitoring and disclosure obligations; planning risk analysis and financial risk processes; fulfilling the control responsibilities stipulated by legislation, particularly those related to internal systems, and sharing necessary information with relevant authorities when required.
Execution and planning of information security processes, including the establishment, management, supervision, and implementation of information systems infrastructures. | Article 5/2-a of the PDPL: Explicitly stipulated by law.
Art. 5/2- ç: It is mandatory for the data controller to fulfill their legal obligations. Article 5/2- f of the PDPL: It is necessary for the legitimate interests of the data controller, provided it does not infringe upon the fundamental rights and freedoms of the data subject. |
Identity Information, Contact Information, Customer Transaction Information, Financial Information, Physical Location Security, Location, Audiovisual Information, Process Security. | Designing our Bank's business operations and activities, planning, executing, and ensuring the security of procurement operations; managing relationships with support service providers, business partners, or suppliers; executing support services following service sales; managing finance and accounting transactions; preparing consolidated financial statements; and handling processes related to payment services. | Article 5/2-e of the PDPL: It is essential for the establishment, exercise, or protection of a right. Article 5/2- f of the PDPL: It is necessary for the legitimate interests of the data controller, provided it does not infringe upon the fundamental rights and freedoms of the data subject. |
Identity Information, Financial Information, Customer Transaction Information | Managing processes related to the buying and selling of foreign currency, precious metals, stocks, mutual funds, initiating payment orders, and providing all types of payment services. | Article 5/2-c of the PDPL: Processing personal data of the parties involved in a contract is necessary if it is directly related to the conclusion or performance of that contract. |
Identity Information, Financial Information, Customer Transaction Information, Audiovisual Information, Process Security, Location | CCTV recording in our Bank's service units, Head Office, Regional Directorate, and ATMs as part of workplace security practices; ensuring quality standards, security, fraud prevention, and dispute resolution; auditing communication and transactions; and ensuring transaction security for cardless transactions made using QR codes. | Article 5/2-ç of the PDPL: It is mandatory for the data controller to fulfill their legal obligations. Article 5/2- f of the PDPL: It is necessary for the legitimate interests of the data controller, provided it does not infringe upon the fundamental rights and freedoms of the data subject. |
Identity Information,
Customer Transaction Information,
Professional Experience | Establishing a risk profile within the framework of the investment services offered to you. | Article 5/2-ç of the PDPL: It is mandatory for the data controller to fulfill their legal obligations. |
Identity Information, Contact Information, Customer Transaction Information, Financial Information, Risk Management | Executing transactions related to products and services within the investment process, developing service processes offered within this scope, and managing capital market products as an intermediary for order transmission. Conducting operational processes related to investment activities; fulfilling requirements under the contract/agreements with our Bank for the relevant processes. | Article 5/2-c of the PDPL: Processing personal data of the parties involved in a contract is necessary if it is directly related to the conclusion or performance of that contract. |
Identity Information, Contact Information, Customer Transaction Information, Financial Information, Risk Management | Meeting monitoring and disclosure obligations within the scope of investment processes. | Article 5/2-ç of the PDPL: It is mandatory for the data controller to fulfill their legal obligations. |
Identity Information, Contact Information, Customer Transaction Information, Financial Information, Legal Transaction Information, Professional Experience Information, Audiovisual Information, Process Security, Physical Location Security | In accordance with Law No. 6415 on the Prevention of Financing Terrorism and Law No. 5549 on the Prevention of Laundering Proceeds of Crime, our institution ensures compliance with all obligations and activities set forth by both national and international legislation. This includes fulfilling identification and Know Your Customer (KYC) requirements. | Article 5/2-a of the PDPL: Explicitly stipulated by law. Article 5/2-ç of the PDPL: It is mandatory for the data controller to fulfill their legal obligations. |
Identity Information, Contact Information, Customer Transaction Information, Financial Information, Legal Action Information, Process Security, Physical Location Security. | We comply with obligations under the Banking Law, the Law on Bank Cards and Credit Cards, the Law on Payment and Securities Settlement Systems, Payment Services and Electronic Money Institutions, and related regulations. This includes obtaining approval for commercial electronic messages as per the Law on the Regulation of Electronic Commerce and the Regulation on Commercial Communication and Commercial Electronic Messages, using the Commercial Electronic Message Management System (IYS) to manage the right to refuse and handle complaints, and cooperating with regulatory bodies and law enforcement agencies. To comply with the requirements of the Banking Regulation and Supervision Agency, Central Bank of the Republic of Türkiye, Capital Markets Board, Financial Crimes Investigation Board, Banks Association of Türkiye, Revenue Administration, Undersecretariat of Treasury, Social Security Institution, Central Registry Agency Inc, KOSGEB, Republic of Türkiye Ministry of Treasury and Finance, Credit Bureau, Risk Center, and other authorities, we adhere to information retention, reporting, and disclosure obligations as specified by the Undersecretariat of Treasury and other authorities. We fulfill the requirements of the Regulation on Banks' Information Systems and Electronic Banking Services, maintain logs of traffic information in case of internet access as required by the Law on Regulation of Publications on the Internet and Combating Crimes Committed through These Publications, and record and audit communications and transactions. | Article 5/2-a of the PDPL: Explicitly stipulated by law. Article 5/2-ç of the PDPL: It is mandatory for the data controller to fulfill their legal obligations. |
Identity Information, Contact Information, Customer Transaction Information, Financial Information, Process Security | Pursuant to Article 73/4 of the Banking Law, execution, evaluation and risk management of relations with the main shareholder within the framework specified in the Banking Law and the relevant legislation, execution of risk, audit, operational services, custody and archive activities carried out together with the subsidiaries; execution of budget and financial reporting processes, execution of the preparation of the consolidated financial statements of the main shareholder. | Article 5/2-a of the PDPL: Explicitly stipulated by law. Article 5/2-ç of the PDPL: It is mandatory for the data controller to fulfill their legal obligations. |
Identity Information, Contact Information, Customer Transaction Information, Financial Information, Audiovisual Information, Process Security | Conducting planning and statistical activities required by the Bank, organizing events, managing sponsorships, and implementing social responsibility initiatives. Additionally, carrying out strategy and segmentation efforts; monitoring transactions and instructions; communicating with you regarding our services; and continuously improving our processes to elevate the internet and mobile banking experience. | Article 5/2- f of the PDPL: It is necessary for the legitimate interests of the data controller, provided it does not infringe upon the fundamental rights and freedoms of the data subject. |
Identity Information, Contact Information, Customer Transaction Information, Audiovisual Information, Financial Information, | Using and recording Call Center call records to improve our banking processes. | Article 5/2- f of the PDPL: It is necessary for the legitimate interests of the data controller, provided it does not infringe upon the fundamental rights and freedoms of the data subject. |
Identity Information, Contact Information, Customer Transaction Information, Audiovisual Information, Professional Experience Information, Location, Financial Information, | Improving the quality of our products and services through promotional activities, marketing campaigns, and outreach efforts. This includes making calls for advertising and campaign purposes, sending SMS notifications, gathering your feedback through surveys and other methods, utilizing call records from the call center to enhance service quality, conducting analyses based on behavioral modeling, and providing you with tailored offers, products, and services | Article 5/1 of the PDPL: Having explicit consent. |