Skip to nav Skip to main content

Clarification Text on the Processing of Personal Data in Financing and Credit Card Processes

  • Home/
  • Clarification Text on the Processing of Personal Data in Financing and Credit Card Processes

​​​​​​​​​​​​​​​​​​I- Purpose and Scope

This text details your personal data processed in relation to all individual financing and credit card transactions conducted by our bank in accordance with the Personal Data Protection Law No. 6698 ("PDPL"). It outlines the methods for collecting your personal data, the legal basis and purposes for processing it, the reasons for transferring your personal data, the third parties involved, the duration of processing, storage and destruction of your personal data, as well as your rights.

Türkiye Finans Katılım Bankası A.Ş. (the “Bank”) conducts personal data processing activities by implementing necessary security measures to safeguard fundamental rights and freedoms, especially the right to privacy.

II- Data Controller

Below is the information regarding our Bank in its role as Data Controller.

​​Title

Türkiye Finans Katılım Bankası A.Ş.

TIN

0680063870

Address

İnkılap Mahallesi Sokullu Caddesi No:6/3 Ümraniye/İstanbul

III- Processed Personal Data

The data categories and examples of personal data included in these categories are listed in the tables below.

Data Category

Personal Data


Identity Information

Name, surname, TR ID no, nationality, gender, date of birth, place of birth, marital status, identity card volume number, identity card serial number, signature, mother's name, father's name, place of registration

Contact Information

Home address, work address, legal residence, email, registered email address, mobile phone number

Professional Experience Information

Occupation, educational information, educational background, work experience, diploma information

Location

Current location information

Audiovisual Information

Call center records, video call records

Customer Transaction Information

Customer number, safe deposit box number, credit card and debit card information, information related to requests/orders, loan payment information, forms, contracts, and other similar documents obtained during the loan facilitation process

Legal Action Information

Case file information, enforcement information, foreclosure information, criminal status, information in correspondence with judicial authorities

Financial Information

Account information, financial statements, asset-related information, credit amount information, IBAN number, product information, currency

Physical Location Security

Camera recordings

Process Security

IP address, device ID, log records, password and password information, website entry-exit information

Risk Management

Credit debt information, information obtained through Risk Center, CBRT, KKB, KPS (Identity Sharing System), indebtedness information, score, etc. from KKB, appraisal information on collateral, vehicle information (value, model, brand) in vehicle financing processes

IV- Purpose and Legal Basis

The purposes and legal grounds for processing your personal data are grouped and listed in the table below.

Your personal data will be processed in accordance with the procedures and principles stipulated by the Law and the relevant secondary legislation. The circumstances under which we may process your personal data without your explicit consent are regulated in paragraph 2 of Article 5 of the Law.

Personal Data Category

Purpose

Legal Basis

Identity Information, Contact Information, Customer Transaction Information, Professional Experience Information

Meeting identification and know-your-customer requirements by recording details such as address, occupation, income status, and the purpose of transactions.

Article 5/2-a of the PDPL: Explicitly stipulated by law. Article 5/2-ç of the PDPL: It is mandatory for the data controller to fulfill their legal obligations.

Identity Information, Contact Information, Customer Transaction Information, Financial Information, Professional Experience Information

Processing and evaluating financing applications, assessing creditworthiness, and reviewing the financing history and credit conditions of the individual owners, partners, and managers of commercial customers. This includes handling information processes related to the banking products you utilize, as well as providing services and transactions through mobile applications and/or internet banking,
Conducting collateral evaluations, managing collateral processes, and performing information research related to lending. This involves overseeing and controlling credit monitoring, follow-up, intelligence, and collection processes, drafting and finalizing pledge contracts, and restructuring debt when necessary.

Article 5/2-a of the PDPL: Explicitly stipulated by law.
Article 5/2-c of the PDPL: Processing personal data of the parties involved in a contract is necessary if it is directly related to the conclusion or performance of that contract.
Article 5/2-ç of the PDPL: It is mandatory for the data controller to fulfill their legal obligations.

Identity Information, Contact Information, Customer Transaction Information, Financial Information, Professional Experience Information

Handling and evaluating credit card applications, measuring creditworthiness, and managing the allocation and operational processes of credit cards. This includes fulfilling the contractual obligations, managing collateral processes related to the card, conducting post-product operational tasks, delivering your card, and providing services and transactions related to your credit card via mobile applications and/or internet banking.

Article 5/2-c of the PDPL: Processing personal data of the parties involved in a contract is necessary if it is directly related to the conclusion or performance of that contract.

Identity Information, Contact Information, Customer Transaction Information, Financial Information

Conducting processes for detecting and reporting suspicious transactions.

Article 5/2- f of the PDPL: It is necessary for the legitimate interests of the data controller, provided it does not infringe upon the fundamental rights and freedoms of the data subject.

Identity, Contact. Finance, Professional Experience, Risk Management

Monitoring and reporting financial and accounting work, making improvements to the products offered to you.

Article 5/2- f of the PDPL: It is necessary for the legitimate interests of the data controller, provided it does not infringe upon the fundamental rights and freedoms of the data subject.

Identity Information, Contact Information, Customer Transaction Information, Financial Information, Process Security

Managing legal processes related to outstanding debts, conducting control activities, overseeing litigation and enforcement proceedings, collecting debts owed to the Bank, protecting and exercising property and other rights, and selling movable and immovable properties acquired as offsets for debts.

Managing contracts, initiating legal proceedings, and following legal processes for debt collection through contracted law firms and/or transferring receivables to asset management companies.

Managing the Bank's legal, financial, commercial, compliance, and reputation risks; taking necessary actions to protect our rights in disputes; developing our restructuring policy for debt collection; and conducting risk monitoring and analysis processes.

Transferring your information to any company to which your debt is or may be transferred, following the assignment of our receivable from you.

Article 5/2-e of the PDPL: It is essential for the establishment, exercise, or protection of a right.
Article 5/2- f of the PDPL: It is necessary for the legitimate interests of the data controller, provided it does not infringe upon the fundamental rights and freedoms of the data subject.

Identity Information, Contact Information, Customer Transaction Information, Financial Information, Legal Action Information, Location

Conducting valuation efforts for the sale of the Bank's assets or securities based on them; performing valuation, rating, and support services; and conducting independent audit activities and service procurements.

Analyzing, developing, and maintaining the application management operations of Bank systems; conducting and planning information security processes; and establishing, managing, auditing, and implementing the information systems infrastructure,

Conducting segmentation for improving the products and services offered to you

Article 5/2- f of the PDPL: It is necessary for the legitimate interests of the data controller, provided it does not infringe upon the fundamental rights and freedoms of the data subject.

 

Identity Information, Contact Information, Customer Transaction Information, Financial Information, Legal Transaction Information, Professional Experience Information, Audiovisual Information, Process Security, Physical Location Security

In accordance with Law No. 6415 on the Prevention of Financing Terrorism and Law No. 5549 on the Prevention of Laundering Proceeds of Crime, our institution ensures compliance with all obligations and activities set forth by both national and international legislation.

Exchanging information with institutions, organizations, banks, potential buyers, and the risk center as required by the provisions of the Banking Law No. 5411; preparing consolidated financial statements for parent companies; and conducting risk management and internal audit practices.

Article 5/2-a of the PDPL: Explicitly stipulated by law.
Article 5/2-ç of the PDPL: It is mandatory for the data controller to fulfill their legal obligations.

Identity Information, Contact Information, Customer Transaction Information, Financial Information, Legal Action Information, Process Security, Physical Location Security.

We comply with obligations under the Banking Law, the Law on Bank Cards and Credit Cards, the Law on Payment and Securities Settlement Systems, Payment Services and Electronic Money Institutions, and related regulations. This includes obtaining approval for commercial electronic messages as per the Law on the Regulation of Electronic Commerce and the Regulation on Commercial Communication and Commercial Electronic Messages, using the Commercial Electronic Message Management System (IYS) to manage the right to refuse and handle complaints, and cooperating with regulatory bodies and law enforcement agencies.

To comply with the requirements of the Banking Regulation and Supervision Agency, Central Bank of the Republic of Türkiye, Capital Markets Board, Financial Crimes Investigation Board, Banks Association of Türkiye, Revenue Administration, Undersecretariat of Treasury, Social Security Institution, Merkezi Kayıt Kuruluşu A.Ş., KOSGEB, Republic of Türkiye Ministry of Treasury and Finance, Credit Bureau, Risk Center, and other authorities, we adhere to information storage, reporting, and disclosure obligations as specified by the Undersecretariat of Treasury and other authorities, and fulfill the requirements of the Regulation on Banks' Information Systems and Electronic Banking Services.

Adhering to risk monitoring and disclosure obligations; planning financial risk processes; fulfilling the control responsibilities stipulated by legislation, particularly those related to internal systems, and sharing necessary information with relevant authorities when required.

Fulfilling information storage, reporting, and disclosure obligations as required by authorized persons, institutions, and organizations.

Article 5/2-a of the PDPL: Explicitly stipulated by law.

Article 5/2-ç of the PDPL: It is mandatory for the data controller to fulfill their legal obligations.

Identity Information, Contact Information, Customer Transaction Information, Audiovisual Information, Professional Experience Information, Location, Financial Information,

Improving the quality of our products and services through promotional activities, marketing campaigns, and outreach efforts. This includes making calls for advertising and campaign purposes, sending SMS notifications, gathering your feedback through surveys and other methods, utilizing call records from the call center to enhance service quality, conducting analyses based on behavioral modeling, and providing you with tailored offers, products, and services

Article 5/1 of the PDPL: Having explicit consent.



Sensitive Personal Data CategoryPurpose

Legal Basis

Health Information

Making banking services suitable for access and use by disabled customers

Article 6/3-d of the PDPL: It is essential for the establishment, exercise, or protection of a right.

Health Information

Performance of the insurance processes in which we operate as an intermediary/agency

Article 6/3-a of the PDPL: Explicit Consent

Biometric Data

Identification in remote customer acquisition, and password determination processes

Article 6/3-a of the PDPL: Explicit Consent

Criminal Conviction and Security Measures

Pursuant to Article 2 of the Check Law, applications for opening a checking account should be processed according to the criminal record

Article 6/3-b of the PDPL: Explicitly stipulated by law


V- Methods of Personal Data Collection

Your personal data, within the framework of the legal reasons listed, the information you provide through the Bank's Head Office, Regional Directorates, Branches and other service units, real and legal persons with whom the Bank cooperates / receives and provides services / has a business relationship, such as support service organizations, companies that we carry out their activities in the capacity of intermediary / agency, correspondent / correspondent banks, contracted dealers, customer interviews, member merchants and POSs, SSI records, national and international authorities / authorities / institutions, system integrations between public institutions and organizations within the limits permitted by the legislation (Identity Sharing System, Address Sharing System, Trade Registry Gazette, Land Registry and Cadastre Information System, Risk Center, Credit Registration Bureau, electronic pledge, etc.), ATMs, websites, media, social media, internet banking, mobile banking, telephone banking, call center, mobile applications, security cameras of the Head Office, regional directorates, branches and other service units, media, social media, internet banking, mobile banking, phone banking, call center, mobile applications, security cameras of the Head Office, regional directorates, branches and other service units. ) ATMs, websites, media, social media, internet banking, mobile banking, telephone banking, call center, mobile applications, security cameras of the Head Office, regional directorates, branches and other service units, registered electronic mail, electronic notification, electronic mail, mail, fax, SMS, international money transfer such as SWIFT, all kinds of notifications made to the Bank, applications, interviews and similar / other channels, in whole or in part, automatically or non-automatically, in written, verbal, visual, electronic, physical or other ways.

VI- Transfer of Personal Data

Your personal data may be transferred in a limited and measured manner, in connection with fulfilling the following processing purposes in compliance with Articles 8 and 9 of the PDPL. This transfer is necessary for our banking activities and adheres to the provisions of the applicable legislation.

The parties to whom your personal data is transferred by our Bank, along with the purposes of such transfers, are outlined in the table below.


Receiving Party

Purpose of Transfer

Legally authorized public institutions and organizations, as well as other persons, institutions, and/or organizations.

Fulfillment of our legal obligations.

Support service providers, collaborating organizations, payment service providers, risk centers, and other third parties from whom services are received.

Utilizing suppliers and support service organizations for credit card printing and delivery processes and other services necessary to carry out our banking activities within the limits and obligations set by the Banking Law and other regulations, as required by business processes.

Individuals, institutions, and/or organizations for whom we act as intermediaries or agents.

Fulfillment of obligations arising from our brokerage or agency law.

Judicial authorities, law firms, asset management companies.

Monitoring and managing legal affairs.

Independent audit companies

Auditing the compliance of our activities with applicable legislation.

Correspondent banks and domestic/foreign financial institutions.

Meeting the obligations related to the identification of transaction parties, as necessitated by the nature of the transaction.

Credit Bureau, Interbank Card Center, Risk Center, institutions established by at least five banks or financial institutions.

Conducting risk monitoring and risk management activities.

Asset Management Companies, other third parties within the scope of receivable valuation processes

Managing the sales processes of our Bank's receivables.

Card institutions, payment service providers, and domestic/international member merchants.

Facilitating credit card and payment processes due to the nature of the transaction.

VII- Duration of Processing, Storage, and Destruction of Personal Data

We affirm that Türkiye Finans Katılım Bankası A.Ş. conducts its activities in accordance with the relevant legislation, particularly the Banking Law and the PDPL, with a strong commitment to the secure protection of personal data.

The Bank implements all necessary technical and administrative measures to ensure an appropriate level of security to prevent unlawful processing and/or access to your personal data and to guarantee its protection.

If all conditions necessitating the processing of your personal data cease to exist, your personal data will be deleted, destroyed, or anonymized at the conclusion of the legal retention periods established by the Banking Law No. 5411 and other applicable legislation.

VIII- Rights of the Data Subject and Application to the Data Controller

Pursuant to Article 11 of the PDPL, you may exercise the following rights by applying to our Bank:

  • Learn whether or not her/his personal data have been processed;
  • Request information as to processing if your data have been processed,
  • Learn the purpose of processing of your personal data and whether data are used in accordance with their purpose,
  • Know the third parties in the country or abroad to whom your personal data have been transferred,
  • Request rectification in case personal data are processed incompletely or inaccurately, Request the deletion or destruction of personal data,
  • In case of rectification, deletion or destruction of personal data, request notification of these transactions to third parties to whom personal data are transferred,
  • Object to occurrence of any result that is to her/his detriment by means of analysis of personal data exclusively through automated systems,
  • Request compensation for the damages in case you  incur damages due to unlawful processing of your personal data.

In accordance with the PDPL, you may exercise your rights regarding your personal data in the following ways:

  • By creating a ticket at https://mmm.turkiyefinans.com.tr/,
  • By calling our Bank's Communication Center at 0850 222 22 44,
  • By submitting your request to turkiyefinans@hs03.kep.tr using your registered e-mail address,
  • By going to our branches in person,
  • By completing the Data Subject Application Form in full and sending it to our headquarters at İnkılap Mahallesi Sokullu Caddesi No:6 Ümraniye/Istanbul via registered mail or notary public.
  • By any other method specified in the Communiqué on the Procedures and Principles of Application to the Data Controller.

We would like to remind you that your application must include the following elements as stipulated in Article 5 of the Communiqué on the Procedures and Principles of Application to the Data Controller:

  • Name, surname and signature if the application is in writing,
  • TR ID number for citizens of the Republic of Türkiye, nationality, passport number or ID number, if any, for foreigners,
  • Residential or workplace address for notification,
  • E-mail address, telephone and fax number for notification, if any,
  • Subject of the request.

We will respond to your request free of charge as soon as possible and within 30 days at the latest depending on the nature of your request However, if the request necessitates an additional cost, you may be charged as per the fees specified in Article 7 of the Communiqué on Application to the Data Controller.

​​
TOP