Turkey’s new data storage and transfer requirements for banks

With the amendments to the Turkish Banking Act No. 5411 in February 2020, important provisions were introduced for the handling of banks with confidential customer data. On the basis of these provisions, the banking regulator and supervisory authority introduced secondary regulation, the regulation on information technology and electronic banking services for banks, which was completed in March. This regulation contains binding provisions for data processing and transmission by bank customers.

Definition of the client’s confidential information

According to Article 73 of the Banking Act, confidential customer information is defined as data generated by “real and legal” persons who have a customer relationship for banking activities with a bank.

As can be noted in this definition, customer relationships that are established in accordance with services provided by banks other than banking activities are excluded from the scope of the customer’s confidential information. In addition, the data that banks receive in cases where they provide services without indirectly establishing a customer relationship are also excluded from this definition.

Confidential customer information can contain both personal and non-personal data. Therefore, it is important to identify separately whether the data is personal data in accordance with the Personal Data Protection Act and remains within the scope of the customer’s confidential information.

The transmission of confidential information of the customer

Based on an assessment based on economic security, BRSA is entitled to prohibit the disclosure of confidential customer information or banking secrets to third parties abroad and to make decisions about information systems used by banks and their backups.

It is important to emphasize that the conditions according to Article 9 PDPL (authorization of the data protection authority, explicit consent, list of safe countries) and the binding company rules announced by the data protection authority could not be used for the disclosure of confidential customer information to third parties abroad without the specific instruction or Customer’s request.

In this context, there are two aspects to consider when transmitting confidential customer information abroad: receiving the instruction or request from the customer in accordance with the Banking Act and compliance with the requirements of Article 9 of the PDPL.

The only exceptions to the restrictions on data transfer are mandatory legal requirements in other laws, audits, judicial motions, mergers and acquisitions, and information that must be communicated to certain ministries.

Regardless of whether they fall within the scope of the exceptions or not, confidential information of the customer can only be passed on if it is restricted to specified purposes and is restricted solely to the achievement of these goals.

System localization

As noted above, BRSA has been empowered to choose to maintain the primary and secondary systems used by banks in conducting banking activities within the country.

According to Article 11 (4) of the Regulation on the Assessment of Banks Internal Systems and Internal Capital Adequacy, issued by BRSA before the amendments were published, banks had to keep their primary and secondary systems in the country. Article 25 of the regulation, issued after the changes, also stipulates that banks must keep their systems in the country regardless of how many backups there are. If you receive an outside service or cloud computing service for an activity under primary or secondary systems, the information systems used by any of the services that carry out the activities must also be installed within the country.

In addition to the localization requirements, there are additional requirements to approve the external service provider for services and products that are provided in the areas of critical information systems and security. According to Article 29 of the Regulation, an important selection criterion is that the products / services related to security and critical information systems are manufactured in Turkey or that the manufacturers must have a research and development center in the country.


Pursuant to Article 159 of the Banking Act, persons who do not meet the conditions for submitting confidential customer information under Article 73 can face a prison sentence of up to three years. According to Article 148 of the Banking Act, BRSA is also authorized to impose fines on banks that fail to comply with the Banking Act or the regulations made under the Banking Act. On the other hand, the incomplete transmission of personal data within the scope of the PDPL can be punished with fines according to the PDPL and criminal sanctions according to the Turkish criminal law.


When assessing the changes along with the provisions of the Regulation, banks must define the data they store in accordance with the definition of confidential customer information under the Banking Act and the definition of personal data under the PDPL. The transmission method must then be determined according to the requirements specified for each data record. In addition, there are still uncertainties regarding the transfer of personal data abroad. It would therefore be appropriate to take into account different dimensions of data transmission in the context of personal data and confidential information of the customer.

First published by IAPP – Privacy Tracker on September 24th, 2020

Comments are closed.