Protection of Personal Data

Dear customers,


We, as T. Garanti Bankası A.Ş., have respect for security of your personal data and for your right of privacy, and make account of confidentiality and protection of your personal data. Now, we are hereby presenting to your attention this public disclosure text prepared in order to inform you about your rights regarding processing, transfer, storage and destruction of your personal data shared by you with our Bank at any time in the course of banking services offered by T. Garanti Bankası A.Ş. to you, and regarding use and protection of your personal data under the Personal Data Protection Law no. 6698 (“KVKK” or “Law”).  
As will be described in this Public Disclosure Text, your personal data and sensitive personal data may be recorded, archived, updated, transferred, classified and processed pursuant to and under KVKK and other applicable laws and regulations appertaining thereto. 

I. Data Supervisor

This public disclosure text is published by T. Garanti Bankası A.Ş., as and in the capacity of data supervisor, in accordance with the pertinent provisions of KVKK no. 6698, the Banking Law no. 5411, the Debit Cards and Credit Cards Law no. 5464, and other applicable laws and regulations in relation therewith. As per the Law, “Data Processing” refers to all kinds of transactions effected on personal data, such as acquisition, recording, storage, updating and classification of personal data, fully or partially, by automatic means and ways or by non-automatic means and ways, providing that it is a part of any data registration system, and sharing of data with third parties or transfer to them to the extent permitted by the applicable laws and regulations.

We, as data supervisor, are keeping and safeguarding all kinds of personal data, shared by you with us, in strict compliance with the applicable laws and regulations, and by taking all kinds of the technical and administrative actions and measures required for protection of your personal data under an appropriate security level.

II. Personal Data Collected by Us

Personal data, varying according to the type, nature and past of the relations between our Bank and the related person and depending on the method of acquisition of data and the following purposes, to be collected in the course of relations to be established by us with you in tandem with the products and services you are going to receive from our Bank, and to be processed in compliance with the principles set down in the Law and in our Bank’s Personal Data Processing and Protection Policy, are generally as listed below, without however being limited thereto:

  • Identity Data and Information: Name, surname, T.R. identity number, passport number, place of birth, date of birth, sex, marital status, information on spouse/children, status of citizenship, nationality, and civil registry information
  • Visual Records: Photograph
  • Communication Data: Together with such communication data as address, electronic mail, registered electronic mail address, mobile phone, fixed phone and facsimile number, all and any communication records relating to phone conversations, video conversations and electronic mail correspondences, and other audio and video data
  • Transaction Security Data: Customer information, IP addresses, codes and passwords needed for entry to electronic banking channels, and positioning data processed for such purposes as security applications used in said channels and as performance of legal obligations, and biometric data processed in reliance upon consent received from the related persons
  • Marketing Data: Data on past shopping activities, public surveys, cookie records, and data obtained through campaigns, in line with a consent to be received from our customers, prospective customers and other natural persons who may be related thereto
  • Data on Commercial Life: Data on natural persons in such documents regarding legal entities as tax chart, trade registry gazette, certificate of authorization, trade registry documents, certificates of competency, signature circular and certificates of activity, and various other demographic information introducing data subject, such as tax liability status and other personal information
  • Banking and Finance Data: Pricing, account reconciliation and customer information, and uniform numbers relating to products and services bought by the customer from our Bank, and credit reference numbers, credit card numbers, account numbers, IBAN, and all kinds of detailed financial data regarding collection and payment activities, as generated by our Bank
  • Data About Your Education, Business and Professional Life: Profession, job title, past work experience, education level, and curriculum vitae information
  • Legal Information: Information contained in correspondences with juridical authorities, information contained in case files, and information kept in the course of proceedings relating to alternative dispute resolution ways, acquired by our Bank due to the legal disputes involved in by our Bank, and data contained in writs and subpoenas of any kind relating to administrative and juridical authorities sent and delivered to our Bank,
  • Camera and Entrance – Exit Records: Such data as entrance and exit records and camera views relating to employees and visitors, kept for the sake of physical security in premises and offices of our Bank and its affiliates

III. Personal Data Collection Method

Your personal data are acquired during the banking services provided by T. Garanti Bankası A.Ş. to you, and may be collected either during face-to-face interviews, or via call centre, internet website, e-mail, digital messaging platforms and social media channels. Your personal data may be stored in verbal, written or electronic media through Head Offices, Branch Offices, kiosks placed in branch offices for your banking transactions, ATMs, Customer Communication Centre, Garanti BBVA Mobile and Internet Branch and similar other channels, as well as through system integrations (like Identity Sharing System) shared via public entities and authorities.

Your personal data may be acquired by the following methods:

  • Personal data may be obtained by non-automatic methods through face-to-face servicing channels (head offices and branch offices, direct sales teams and support service / external service providers, companies to which we serve as an intermediary/agency, and contracted dealers).
  • Personal data may also be obtained by non-automatic methods from corporations (Interbank Card Centre, Credit Reference Agency, etc.) founded by the Risk Centre of the Banks Association of Turkey or by at least five banks or financial institutions

IV. Personal Data Processing Purposes and Legal Reasons

Your personal data acquired by T. Garanti Bankası A.Ş. are basically processed for the following purposes and legal reasons, particularly provision of safe, effective and top quality banking services to you:

Our Processing Purposes

Legal Reasons

  • Know-your-customer processes, customer identity determination and confirmation, and recording the identity, address and other required information of our customers for the transactions to be executed by our customers

  • It is a legal requirement for performance by our Bank of its legal liabilities.
  • It is clearly stipulated in the applicable laws.
  • Data processing is required for establishment, use or protection of a right.
  • In case of receipt of an explicit consent thereinfor.
  • For provision of banking, insurance and finance products, particularly banking, foreign trade, crediting and lending, insurance, pension and other agency services, and for performance, execution and development of the transactions related thereto, and for conduct of operational processes, and for compliance with internal systems, and risk monitoring and information obligations, and for performance of our obligations arising out of the agreement/agreements signed by you with our Bank.
  • Processing of personal data belonging to parties of an agreement is required, providing that it is directly related to establishment or performance of an agreement.

     

  • Data processing is required for legitimate interests of the Bank, providing that the fundamental rights and freedoms of the related person are protected.

  • For performance of our obligations arising out of the Banking Law, the Debit Cards and Credit Cards Law, the Law on Prevention of Laundering of Crime Revenues, the Law on Payment and Securities Settlement Systems, Payment Systems and Electronic Money Corporations, and other applicable laws and regulations appertaining thereto
  • It is clearly stipulated in the applicable laws.
  • It is a legal requirement for performance by our Bank of its legal liabilities.
  • For analysis and further development of bank systems, and conduct of information security processes, and installation, management and application of infrastructures for information systems
  • It is a legal requirement for performance by our Bank of its legal liabilities.
  • Data processing is required for legitimate interests of the Bank, providing that the fundamental rights and freedoms of the related person are protected.
  • For building the Bank’s business processes and activities, and for planning and conduct of operational processes and purchasing operations

  • Processing of personal data belonging to parties of an agreement is required, providing that it is directly related to establishment or performance of an agreement.
  • Data processing is required for legitimate interests of the Bank, providing that the fundamental rights and freedoms of the related person are protected.
  • For management of relations established with support service providers, business partners or suppliers, and for provision of support services after sales of services
  • Processing of personal data belonging to parties of an agreement is required, providing that it is directly related to establishment or performance of an agreement.
  • Data processing is required for legitimate interests of the Bank, providing that the fundamental rights and freedoms of the related person are protected.
  • For protection of reputation of our Bank, and development of its business relations, and determination of its strategies, and planning and performance of its business activities and operational processes, and management of its corporate communication activities
  • It is a legal requirement for performance by our Bank of its legal liabilities.

  • Data processing is required for legitimate interests of the Bank, providing that the fundamental rights and freedoms of the related person are protected.
  • For management of legal and execution proceedings, and follow-up and handling of other legal processes involved in by our Bank
  • It is a legal requirement for performance by our Bank of its legal liabilities.

  • It is clearly stipulated in the applicable laws.
  • For handling and management of relations and business affairs of our Bank with its controlling shareholder and its domestic and foreign branches and subsidiaries
  • It is a legal requirement for performance by our Bank of its legal liabilities.
  • Processing of personal data belonging to parties of an agreement is required, providing that it is directly related to establishment or performance of an agreement.
  • For protection of transaction security in the course of use of electronic banking channels, and for protection of our customers, Bank and banking system as a whole against fraud, swindling and other attacks that may be incurred by our customers in all types of physical or electronic media and environments, and for keeping the logs in the case of use of internet access
  • It is a legal requirement for performance by our Bank of its legal liabilities.

  • Data processing is required for legitimate interests of the Bank, providing that the fundamental rights and freedoms of the related person are protected.
  • For storage and safeguarding of information requested by juridical and administrative authorities like the Banking Regulation and Supervision Authority, the Central Bank of the Republic of Turkey, the Financial Crimes Investigation Board, the Turkish Revenue Administration, the Capital Markets Board, the Risk Centre of the Banks Association of Turkey to which we are obliged to give information, and for reporting and information to these authorities
  • It is a legal requirement for performance by our Bank of its legal liabilities.
  • It is clearly stipulated in the applicable laws
  • To offer through all available channels, also including electronic banking channels, all our products and services, especially deposit, crediting, payment services, insurance, private pension and investment services, involved in by our Bank as an intermediary or an agency, pursuant to and under the Banking Law and all other applicable laws and regulations pertaining thereto
  • It is a legal requirement for performance by our Bank of its legal liabilities.
  • Processing of personal data belonging to parties of an agreement is required, providing that it is directly related to establishment or performance of an agreement.
  • It is clearly stipulated in the applicable laws.
  • To keep all of the required records, documents and certificates, also including the processing of positioning information, for the sake of completion of banking transactions on paper and via verbal environments and electronic banking media (internet banking, mobile banking, ATM and telephone banking).
  • It is a legal requirement for performance by our Bank of its legal liabilities.
  • Processing of personal data belonging to parties of an agreement is required, providing that it is directly related to establishment or performance of an agreement.
  • For planning and implementation of product, service and offering activities specifically for our customers, and for preparation of product, service and business model offers, and for the associated profiling and segmentation works and activities for the sake of improvement and updating of banking products and services and renewal of them with the developed and advanced technologies

In case of receipt of an explicit consent thereinfor.

Data processing is required for legitimate interests of the Bank, providing that the fundamental rights and freedoms of the related person are protected.

  • For the sake of legal and physical security, and as a proof for the banking transactions executed by using the services, and as a requirement of our legal obligations, recording of camera views and photographs in our Bank’s headquarters building and additional service units, ATMs and branch offices, and processing of your biometric photographs on your T.R. identity cards for security and identification purposes
  • It is clearly stipulated in the applicable laws.
  • It is a legal requirement for performance by our Bank of its legal liabilities.
  • Data processing is required for legitimate interests of the Bank, providing that the fundamental rights and freedoms of the related person are protected.
  • For planning, supervision and implementation of our corporate sustainability, corporate governance, strategic planning and information security processes
  • It is clearly stipulated in the applicable laws.
  • It is a legal requirement for performance by our Bank of its legal liabilities.
  • Data processing is required for legitimate interests of the Bank, providing that the fundamental rights and freedoms of the related person are protected.

Your personal data are collected and acquired in all types of verbal, written, visual and electronic media for the purposes tabulated hereinabove and for provision of the banking services within the legal framework specified herein and for full, complete and smooth performance by T. Garanti Bankası A.Ş. of all of its legal and contractual obligations. Legal reasons underlying the collection of your personal data are KVKK (Personal Data Protection Law) and other applicable laws and regulations appertaining thereto. Your personal data are processed by T. Garanti Bankası A.Ş. by automatic and non-automatic methods and ways in case of receipt of your explicit consent pursuant to article 5/1 of KVKK or alternatively in reliance upon certain legal motives pursuant to and under article 5/2 of KVKK.

Your sensitive personal data may be processed only in case of receipt of your explicit consent pursuant to article 6/1 of KVKK. T. Garanti Bankası A.Ş. may process your sensitive personal data only with your prior explicit consent. And as per article 6/3 of KVKK, personal data relating to health and sexual life may be processed by authorized institutions and entities or by persons under secrecy obligations for the sake of protection of public health, and for preventive medicine, medical diagnosis, treatment and care services, and for planning and management of healthcare services and their financing, without an explicit consent of the data subject. Accordingly, in accordance with article 6/3 of KVKK, in cases or events stipulated in the applicable laws, personal data not related to health and sexual life may be processed without an explicit consent of the data subject. This means to say that in cases or events stipulated in the applicable laws, your personal data not related to health and sexual life may be processed by T. Garanti Bankası A.Ş. without an explicit consent of you.

Furthermore, as per article 6/3 of KVKK, your personal data relating to health and sexual life may be processed for the sake of protection of public health, and for preventive medicine, medical diagnosis, treatment and care services, and for planning and management of healthcare services and their financing.

V. Transfer of Personal Data

Where required by the applicable laws and regulations or where permitted by you, your personal data may be shared with third party persons or entities for the purposes and motives set forth in Section III of this Public Disclosure Text by taking all kinds of technical and administrative actions and measures required for establishment of an appropriate level of security pursuant to KVKK and other applicable laws and regulations. These persons or entities may vary depending on the probable changes in pertinent laws, but are nevertheless the following parties in general.

Your personal data are transferred to the following parties for the following purposes and legal reasons:

Transferees

Our Purposes of Transfer

  • Public entities and authorities and juridical authorities who are legally authorized to get information
  • For legal reporting purposes, regulation and supervision activities, management of complaint and legal processes, etc. legal reasons
  • Local and foreign banks
  • Persons and entities, entities deemed as financial institutions and other third parties permitted by the Banking Law and other applicable laws and regulations, and such public legal entities as the Banking Regulation and Supervision Authority, the Central Bank of the Republic of Turkey, the Financial Crimes Investigation Board, the Turkish Revenue Administration, the Capital Markets Board, the Risk Centre of the Banks Association of Turkey due to the legally required reporting processes
  • For management of banking activities and for performance of our legal obligations
  • Our controlling shareholder
  • Solely for the exceptional cases enumerated in the Banking Law no. 5411 

  • Our affiliates and third parties to which we serve as an intermediary or agency (For instance: Garanti Emeklilik ve Hayat A.Ş., Eureko Sigorta A.Ş., Garanti Konut Finansmanı Danışmanlık Hizmetleri A.Ş., Garanti Faktoring A.Ş., Garanti Finansal Kiralama A.Ş., Garanti Ödeme Sistemleri A.Ş., Garanti Bilişim Teknolojisi ve Ticaret T.A.Ş., Garanti Yatırım Menkul Kıymetler A.Ş. and Garanti Portföy Yönetimi A.Ş.), and our program partners from which we receive services or with which we enter into cooperation for performance of our banking activities.  
  • For management of activities and relations with our affiliates and support services in the course of provision of banking services

 

VI. Your Rights Relating to Protection of Personal Data

Whenever you like, you may apply to our Bank, and:

  1. May ask whether your personal data are processed or not, and if so, for which purposes, and whether your personal data are used for the intended purposes or not, and if processed, may request detailed information thereabout; and
  2. May learn the identity of third parties with whom your personal data are shared within Turkey or abroad in accordance with the laws; and
  3. If you think your personal data are processed incompletely or inaccurately, may request completion or correction of them, as the case may be; and
  4. May request deletion or destruction of your personal data within the frame of conditions stipulated in article 7 of the Law; and
  5. May request the transmission of your requests stated in subparagraphs (c) and (d) hereinabove to third parties to whom your personal data are transferred, so that such third parties also take the same actions in connection therewith; and
  6. May raise an opposition against any consequences in your disfavour due to analysis of your personal data by automatic systems, or if you think that your personal data are recorded or used unlawfully, and if you have actually incurred damages due to that reason, may claim indemnification of your damages.

If and when you use any one of your rights to learn whether your personal data are processed or not, and if your personal data are processed, to request information thereabout, and to access to and request your personal data, and to learn the purpose of processing of your personal data and whether your personal data are used for the intended purposes or not, and to learn the identity of third parties to whom your personal data are transferred in Turkey or abroad, then and in this case, the information requested by you will be given to you in writing via electronic media or by using the communication data designated by you.

VII. Data Security and Application Rights

Your personal data are carefully protected within the reach of available technical and administrative means, and the required security actions and measures are taken at a level  appropriate for the probable risks by also considering the technological opportunities.

You may transmit your requests under KVKK:

  • By delivering the same in writing and by hand to our Head Offices or Branch Offices, or
  • By sending via a notary public, or
  • By delivering the same with secure electronic or mobile signature to our Registered Electronic Mail Address of garantibankasi@hs02.kep.tr, by using your registered electronic mail address or your electronic e-mail address registered in our systems.

If any application filed by you for the aforementioned purposes requires an additional cost, you may need to pay a fee as specified in the tariff to be designated by the Personal Data Protection Board. Your requests in your application will be responded as soon as possible and in any case within no later than 30 (thirty) days, depending on the kind of your request.

* In case of any change in the personal data inventory, our Bank is going to update this information text.

T. Garanti Bankası A.Ş.