On 11 April 2025, the Personal Data Protection Authority (“Authority”), in cooperation with the Turkish Payment and Electronic Money Institutions Association, published the Guide on Good Practices for the Protection of Personal Data in the Payment and Electronic Money Sector (“Guide”).

The Guide has been prepared for payment institutions and/or electronic money institutions (“Institutions”) that provide services regulated under Law No. 6493 on Payment and Securities Settlement Systems, Payment Services and Electronic Money Institutions (“Law No. 6493”). It addresses, in detail, the procedures and principles that Institutions must observe on a sector-specific basis while carrying out various activities, in compliance with the Law on the Protection of Personal Data No. 6698 (“DP Law”).

1. Identification of Role-Specific Qualifications Based on the Service Provided

The Guide evaluates that, under Law No. 6493, institutions may assume the role of either a data controller or data processor depending on the nature of the service they provide. In various digital service models such as electronic money issuance, money remittance, POS services, bill payment intermediation, and mobile payment, responsibilities regarding personal data processing are classified on a service-specific basis among different actors such as payment institutions, electronic money institutions, mobile operators, merchants, or banks.

Depending on the structural characteristics of the payment service, it is noted that in some cases, the same actor may act both as a data controller and a data processor. Moreover, the role of data processor may also be assumed by representatives of the service provider. Especially in operational areas such as customer support services, call centers, marketing, or IT operations, such parties should be considered data processors, and it is emphasized that these relationships must be explicitly governed by written agreements.

The Guide defines individuals who directly share their personal data with institutions during payment service processes as “data subjects,” and links processing activities related to such individuals with the general principles of the DP Law. On the other hand, a separate assessment applies to individuals whose data is processed indirectly during the execution of a payment transaction but who are not direct customers of the service provider. Referring to the European Data Protection Board’s (EDPB) Guideline 06/2020, the Guide labels such individuals as “silent parties” and states that their data may only be used to the extent necessary for the execution of the transaction and strictly limited to the initial processing purpose. Any further processing of such data for different purposes is only permissible if a valid and explicit legal basis exists.

2. Personal Data Processed and Legal Basis for Processing

The categories of personal data processed by data controllers operating in the payment and electronic money sector vary depending on the nature of the service provided. These generally include identity data (e.g., name, surname, national ID number, date of birth), contact information (e.g., phone number, email, address), financial data (e.g., IBAN, bank account details, card information), transaction security data (e.g., IP address, passwords, login/logout information), professional experience, customer transaction records, visual-audio recordings, and biometric data.

The processing of these categories of personal data is driven not only by technical requirements of the services but also by sector-specific and legal obligations imposed on the institutions. For example, institutions may be required to process certain personal data for identity verification and transaction security under Law No. 5549 on the Prevention of Laundering Proceeds of Crime (“Law No. 5549”) and the Regulation on Measures Regarding the Prevention of Laundering Proceeds of Crime and Financing of Terrorism (“Measures Regulation”). Additionally, regulations under the Financial Crimes Investigation Board (MASAK) Communiqué No. 5 set out in detail the conditions under which personal data must be collected through representatives, and how such data must be stored and shared, especially in services offered via anonymous prepaid instruments.

The Guide also contextualizes the personal data processing conditions outlined in Articles 5 and 6 of the DP Law with examples specific to the payment and electronic money sector. For instance, the processing of unusual transaction patterns, location data, or technical data relating to devices used by service users or merchants may be considered lawful under the “legitimate interest” ground, particularly for fraud prevention purposes. In doing so, the Guide offers institutions practical direction on which legal bases may be relied upon for specific types of processing activities.

3. Sector-Specific Transfers of Personal Data

The Guide comprehensively addresses the obligations related to personal data transfers in the payment and electronic money sector, based on the data processing conditions set forth under Articles 8 and 9 of the DP Law. In this context, notifications to be made by institutions to the MASAK, as required under Law No. 5549 and the Measures Regulation, and the transfer of information and documents requested within the scope of the supervisory activities conducted by the Central Bank of the Republic of Türkiye (CBRT), are considered as data transfers carried out on the legal ground of the “data controller’s legal obligation” under Article 8 of the DP Law.

With respect to international data transfers, the Guide evaluates practices based on three main transfer mechanisms in line with the recently amended Article 9 of the DP Law: adequacy decisions, appropriate safeguards, and exceptional circumstances. It is noted that in certain sector-specific business models—such as those involving joint provision of payment services with legal entities based abroad—personal data transfers may be required. In such cases, institutions must comply with the requirements of both data protection and financial services regulations.

As an example of a sector-specific regulation regarding international data transfers, the Guide refers to cross-border money transfers and states that the payment service provider must meet the applicable transfer conditions outlined in Article 9 of the DP Law. Such transfers are categorized as “exceptional transfer cases” and may therefore be carried out based on the explicit consent of the data subject. Furthermore, under Article 21 of the Communiqué on Information Systems of Payment and Electronic Money Institutions and Data Sharing Services in the Field of Payment Services by Payment Service Providers (“Communiqué”), it is stipulated that if one of the parties to a payment transaction is located abroad, the personal data necessary for the successful execution of the transaction may be shared with third parties abroad—strictly limited to that purpose and in accordance with the principle of proportionality. Nevertheless, it remains mandatory for these data to be stored within Türkiye in compliance with the “primary system” requirement imposed on institutions by the Communiqué.

4. Data Security and Auditing

The Guide addresses the obligation of institutions to implement technical and administrative measures for data security in accordance with Article 12 of the DP Law, considering sector-specific characteristics. As an example, Article 23 of Law No. 6493 imposes a data localization requirement, obligating institutions to host all information systems and their backups within Türkiye, and to securely retain relevant documents for a minimum of ten years.

In parallel with the Data Security Guide published by the Authority, this Guide outlines applicable technical and administrative measures based on the sector’s risk profile, organizational structure, and technological infrastructure; these include technical measures such as antivirus systems, backups, encryption, access logs, deletion/anonymization practices, as well as administrative measures such as risk assessments and contractual safeguards.

Lastly, the Guide places specific emphasis on audit mechanisms; it underscores that institutions must keep all transaction records, documents, and system access logs in an audit-ready state, particularly in light of the CBRT’s supervisory authority. In addition to audits conducted by the CBRT pursuant to Article 21 of Law No. 6493, institutions are also subject to independent audits. Where deficiencies in personal data protection are identified, institutions are expected to promptly implement the necessary technical and administrative corrections.

You can access the full text of the Guide here (only available in Turkish).