On 4 June 2021, a new Regulation on Disclosure of Confidential Client Information drafted by the Banking Regulatory and Supervisory Authority, (“Regulation”) has been published in Official Gazette numbered 31501. The Regulation will be effective as of 1 January 2022.
The Regulation governs confidentiality and non-disclosure of confidential client information under article 73/3 of Banking Law numbered 5411.
The Regulation refers to Law on the Personal Data Protection Law numbered 6698 but defines the concept of “anonymization” differently. In addition, in the same vein, the Regulation adds a new definition of “de-identification”.
Notable provisions include the followings:
- Pursuant to the Regulation, unless otherwise provided therein or authorized by law:
- Confidential bank and client data shall not be disclosed to third parties rather than authorized parties by law.
- Confidential client data obtained by a bank either through non-automated means or means other than a data recording system shall not be disclosed to third parties.
- Client data belonging to real persons and legal entities are confidential and shall not be disclosed to third parties.
- A bank’s obligation to preserve the confidentiality of confidential client data extends to client data obtained from other banks.
- Pursuant to article 5/1 of the Regulation, confidential client data may under exceptional circumstances be disclosed to third parties if (i) a confidentiality agreement is in force between the bank and the client which recites with specificity the purpose(s) of the disclosure, and (ii) the disclosure is strictly limited to the purpose(s) stated therein.
- Exceptions to confidentiality and non-disclosure obligations do not apply to client health or sex life information, whether confidential or not, and under no circumstance shall same be disclosed to third parties within or outside of Turkey.
- Except as otherwise provided in the Regulation or authorized by law, confidential client information may be disclosed to third parties only upon client’s request or instruction. The explicit consent of the client does not suffice for such disclosure.
- Where a client initiates or orders initiation of a transaction including, but not limited to, a domestic or international funds transfer, foreign letter of credit, letter of guaranty, or reference letter, either directly or through electronic banking services, client’s authorization of the bank to transfer confidential data is implied if (i) the transaction requires interaction with the bank, payment service provider, securities settlement, or messaging systems in order to be completed, and (ii) disclosure is necessary to complete the transaction.
The full text of the Regulation is available at this link. (Only available in Turkish)