Personal Data Protection Law

I. PURPOSE OF THIS PRIVACY STATEMENT 

This privacy statement is issued to give information to real person customers of Hayat Finans Katılım Bankası A.Ş. (“Bank”) about the protection of their personal data under the Personal Data Protection Law No. 6698 and to explain for what purposes the Bank collects personal data and sensitive personal data, the methods used for collecting and processing such data, transferring such data to third parties in cases where such transfer is allowed by the applicable law, the security measures taken, and their rights on protection of their personal data.

II. DATA CONTROLLER

Data Controller is Hayat Finans Katılım Bankası A.Ş. The Bank acts as Data Controller to process its customers’ personal data for purposes limited to the purpose of process and to the extent of the purpose, in accordance with the laws and the integrity rule, by maintaining their truthfulness and latest version.

III. PERSONAL DATA COLLECTED BY THE BANK

In general the Bank collects the data described below to the extent needed for the products and services to be provided to the customers and in accordance with the laws and the integrity rule (to access the Data Controllers Registration System (VERBIS), please visit https://verbis.kvkk.gov.tr and go to the Registration Inquiry page): 

Identity Details: First and last name, Turkish or foreigner identity number, blue card number, tax number, passport number, place of birth, date of birth, gender, marital status, spouse and children, nationality, citizenship, criminal record, Identity Sharing System (KPS) data. 

Banking and Financial Data: Prices offered by the Bank, credit card numbers, account numbers, IBAN, all kinds of financial data on collections and payments, salary details, asset and income details, demographic data, Credit Registration Office (KKB) data, the Banks Association of Turkey (TBB) Risk Center data, debt details, being overdue, duration of overdue, maturities, data on related parties, assets (real estates and vehicles). 

Education, work and professional life data: Profession, title, career, education. 

Transaction data: Credit data, participation fund account data, credit card limits and balances, bank statements, credit card transactions.

Audio-visual records: Audio recorded by call centers, video recorded by cameras, other audio-visual data including photographs.

Legal data: Records kept by the Turkish Central Bank (TCMB) and stare decisis for correspondences with judicial and governmental authorities, case files, data on alternative solutions for disputes, checks issued, check accounts opened.

Communication details: Address, e-mail address, registered e-mail address, cell phone number, land telephone number, fax number. 

Transaction security data: Customers’ details to access the electronic banking channels, IP addresses, passwords, codes, location data for security applications of the channels and for legal obligations, biometric data processed upon consent of customers.

Marketing data: Cookies, pages visited using this bank’s application, shopping history, questionnaires, data collected from marketing campaigns, etc.

Business data: Data on real persons named in business tax certificate, articles of association, certificate of authorization, certificate of qualification, certificate of signatory, certificate of good standing and similar documents, taxpayer status and details of real person taxpayers.

Sensitive personal data:  Blood group and gender data received from a customer under the applicable law or upon his/her consent or from his/her identity card, criminal record, Turkish Central Bank (TCMB) or court order prohibiting the person from writing out checks and opening a check account, health data in case healthcare costs are financed, information about membership to a club, association or foundation, fingerprints and face recognition data entered while using the mobile baking application, etc. 

Cookies: Data collected from cookies used for your visits to websites during your sessions, recognizing you, uses for security purposes, browsers and applications you prefer, remembering them, correct operation of the website, using the website as it is intended, improving its security and performance, recording your searches, starting a session, similar functions, advertisement and marketing activities, increasing the functionality of the website, making visits easier, improving the experience, setting a language, order or color, special campaigns and products, classifying your Internet habits, etc.

Anti-malware software: Data collected, stored and used by this bank through software installed or made available in the customer’s telephone, computer, mobile devices, etc. to meet its legal obligations and to improve its applications; data on indicators of malware in the above mentioned devices and on such malware.

IV. METHODS TO COLLECT PERSONAL DATA

Your personal data are collected in verbal, written or visual format in electronic medium by automatic or non-automatic methods.

Your personal data are collected while you receive banking services from us online  (i.e. the mobile banking application, website, customer communication center, IVR, AT, etc.), remote identity proofing (i.e. biometric facial data), face-to-face discussions at our head office, physical offices and other service units; ATM, call center; support service providers, third party service providers. brokers, agents, banks and dealers with whom we cooperate; discussions with customers, member businesses, POS, domestic and international institutions.

• Website, electronic banking channels (i.e. online branch, mobile branch, telephone banking), e-mail, digital messaging platforms, security cameras of service units, social media.
• All kinds of correspondence with, application to and discussions with this bank through registered e-mail, electronic notice, e-mail, mail, fax, short message service, SWIFT, etc. 
• Shared systems of public institutions and agencies (i.e. Identity Management System, Address Management System, Business Registration Journal, Land Registration and Survey Information System, Risk Center, Credit Registration Office, etc.).
• Risk Center of the Banks Association of Turkey or companies started by minimum five banks or financial institutions i.e. Interbank Card Center, Credit Registration Office, etc.
• Open banking channels i.e. other banks or payment institutions subject to receiving prior consent from you.

V. PURPOSE AND LEGAL GROUND OF PROCESSING PERSONAL DATA

Your personal data may be processed basically to provide secure, efficient and quality services to you upon your demand or after receiving explicit consent or instruction from you, or in case of any of the legal grounds described below without having to receive explicit consent or instruction from you. 

Legal grounds

• A law requiring such processing
• Processing directly related with entering into or performing a contract
• Necessity to process the personal data of the parties to a contract
• Necessity to process to fulfill a legal obligation
• Necessity to process to create, use or protect a right
• Necessity to process to protect this bank’s lawful interests, provided that your basic rights and freedoms must be protected.

Process Purposes

• Providing the services described in Section 4 of the Banking Law No. 5411 including banking services, foreign trade services, financing (credit) transactions, insurance services, agent services and broker services; performing operations, sustainable and continuous audit activities, fulfilling the internal systems and risk tracking and briefing obligations; performing the contracts you signed with this bank. 
• Fulfilling the obligations stipulated in the applicable legislation; fulfilling the internal systems and risk tracking and briefing obligations.
• Assessing and auditing the services provided; determining the beneficiaries, officers and addressees of transactions.
• Completing the investment process; creating all records and documents on which electronic or paper transactions are based.
• Investigating credit transactions, receiving information from Credit Registration Office, credit history, credibility, guarantee; analyzing other necessary data, following collection of credit debts from borrowers.
• Storing complaints, objections, demand, suggestions and satisfaction notices in this bank’s management system to give you better services; ensuring the present data to be updated and verified.
• Performing planning and statistical works, organization and event management, sponsorship and social responsibility activities. 
• Analyzing and improving this bank’s systems; performing application management operations; planning and taking information safety measures; installing, managing, inspecting and implementing substructure for information systems; security applications. 
• Ensuring security of cardless transactions made using QR codes.
• Determining this bank’s business processes and activities; planning and performing operational processes and purchasing operations; managing the relations with support service providers, third party service providers, business partners and suppliers; giving after-service support.
• Securing transactions made by online banking applications; protecting customers, this Bank and the overall banking system from fraud, counterfeiters and attacks; keeping a log of accesses to the Internet.
• Recording the users’ experience and preferences (especially the language they preferred) in this Bank’s website to use them in subsequent visits; recording the users’ statistical data to increase the performance of the website. Storing the data entered in the calculation tools of the website. 
• Recording data on your visits to the website to estimate the banking products you may prefer and to be able to offer customized products to you; limiting the number of advertisements to be shown; showing relevant and customized advertisements; measuring the efficiency of advertising campaigns. 
• Determining whether requests sent to the website are reliable, confirming the Cookies Privacy Statement was read and the use of cookies was accepted.
• Detecting malware in the telephones, computers, websites and mobile devices etc. used; collecting data on indicators of malware in the above mentioned devices and on such malware; using software to fulfill this Bank’s obligations; improving the applications. 
• Using personal data to make promotions, offer products and services and perform marketing, advertising and campaign activities; developing suitable services and products for you; analyzing the use of the website and applications and behavior pattern; conducting customer satisfaction studies, receiving appreciation and assessment information from customers through questionnaire forms and other means; managing customer relations; improving the serve quality; advertising and marketing third parties’ products; all subject to receiving explicit consent from you, 
• This Bank may record video and photos taken by the cameras installed at its head office, physical offices, other service units upon your explicit consent or  in connection with a transaction being made or for legal and physical security or under a law, and may process the biometric photo in your identity card.
• Upon your explicit consent, the addresses of the ATMS nearest to your present location may be notified to you.

VI. PURPOSE OF PROCESSING PERSONAL DATA OF PERSONS IN THE SAME RISK GROUP

The banking law and regulations order that even if you are not a customer of this bank, if you in the same risk group as a customer of this bank, your personal data may be processed to assess creditworthiness and to determine, define, monitor and report the risk group, and to check the loans lent to the risk group.

 “Risk Group” refers to legal persons for which you or your spouse, child or parent acts as a member of the Board of Directors or Managing Director, control or co-own, including but not limited to bond, guarantee or similar relations which will cause such legal person to be in default. Rules governing the determination of the Risk Group are updated under the banking legislation. 

VII. TRANSFEREES OF PROCESSED PERSONAL DATA, PURPOSES OF TRANSFER

Your personal data stored by this Bank may be transferred to domestic and international third parties for the purposes described below under sections 8 and 9 of the Personal Data Protection Law.

• Banking Regulation and Supervision Agency, Capital Market Board, Turkish Central Bank, Inland Revenue Department, Financial Crime Investigation Board, Credit Registration Office, Interbank Card Center, Social Security Agency, Association of Financial Institutions, other persons, entities and/or authorities authorized to receive such information, and Turkish Central Bank Risk Center.
• Third party support service providers, service providers and business partners to the extent set by the applicable law and required by the relevant business processes.
• Persons, entities and businesses acting as a broker or agent.
• Courts of law, bailiff’s offices, bankruptcy offices, prosecutor’s office, mediator’s office, arbitration court, arbitrator, other alternative settlement offices, law offices, asset management companies.
• Independent audit service providers auditing whether the activities comply with the applicable laws.
• Business partner banks, correspondent banks, domestic and international financial institutions 
• Payment system companies and card companies including Europay Int. SA, Western Union, Mastercard Int. INC, Visa INC, JCB Int. Co., Maestro, and Electron, and domestic and international member businesses , and for credit card and money transfer transactions.
• Management executive of the company or legal person we authorized to perform banking transactions and to verify the customers’ details while they use online banking services and mobile banking channels.

VIII. MAXIMUM TERM FOR PROCESSING AND STORING PERSONAL DATA

Your personal data will be processed and stored needed for the purpose of process, but for a maximum term of 10 (ten) years, in accordance with the banking legislation, unless a law or legal ground requires a longer term. Your persona data will be deleted, destroyed or anonymized at the end of the said term.

IX. SAFETY MEASURES FOR PERSONAL DATA 

All kinds of technical and administrative measures are taken to prevent your personal data from being processed or accessed in an illegal way and to protect them. 

X. YOUR APPLICATION RIGHTS 

Section 11 of the Law gives you the following rights:

• Asking whether your personal data were processed, and if they were, asking for information,
• Asking the purpose of processing your personal data and whether they were processed for that purpose.
• Asking the names of the domestic and international third parties to whom your personal data were transferred, if any.
• Asking for correct processing of your personal data if they were processed incomplete or incorrect.
• Asking for deletion or destruction of your personal data in accordance with the conditions set in the Law.
• Asking for notification of the above mentioned matters to the third parties to whom your personal data were transferred,
• Objecting the negative results of analyzing your personal data by means of an automatic system, if any.
• Claiming compensation if you suffer a loss because of a processing of your personal data by the Bank in violation of the Law. 

You can notify your above mentioned rights sending it:

• By mail, registered mail or a notary public  to the head office of this Bank; or
• To the registered e-mail address of this bank hayatfinanskatilimbankasi@hs03.kep.tr with a safe electronic signature.

This Bank will meet your demand as soon as possible, but within maximum thirty days. If a cost incurs in meeting your demand, this bank may ask you to pay the fee shown in the tariff issued by the Personal Data Protection Board.