Regulation on Sharing Confidential Information entered into force

The Regulation on the Sharing of Confidential Information (“Regulation”) published by the BRSA in the Official Gazette dated 04.06.2021, which is based on Article 73 of the Banking Law No. 5411 (“Law”) regarding the obligation to keep secrets, entered into force as of 01.07.2022.

In summary, the Regulation regulates the sharing and transfer of bank secrets and customer secrets arising from banking activities. When it comes to secrets, the Regulation frequently refers to the Law on the Protection of Personal Data (“LPPD”) and defines basic concepts such as personal data, explicit consent, data anonymisation, de-identification and data processing activities.

The Regulation stipulates that persons who learn information belonging to customers or banks due to their titles and duties may not disclose this information to other persons even if they leave their duties, except for the authorities expressly authorised by law, the cases exempted from the obligation to keep secrets within the framework of the Regulation and the request or instruction of the customer.

Within the scope of the Regulation, it is regulated that the data belonging to real and legal persons and all kinds of information indicating that the person is a customer of the bank after the customer relationship is established with the banks specific to banking activities are customer secrets.

In this context, it should be kept in mind that banks should act as data controllers in accordance with the KVVK regulations within the scope of personal data shared by real persons who are prospective customers without establishing a customer relationship. For example, personal data provided by real persons who are not bank customers during personal loan application processes are processed by banks in the capacity of data controller.

In addition, although it is not included in the definition in the Law, even if a customer relationship has not been established pursuant to the Regulation, obtaining and learning the customer secret information of the person at another bank is also considered within the scope of the confidentiality obligation. For example, the sender’s IBAN information processed in the EFT or swift message received from another bank is an example that can be counted within this scope.

Another issue that needs to be discussed in accordance with the Regulation is whether it is possible to include this fact within the scope of customer secret in the Regulation, although the concept of “without establishing a customer relationship” does not exist in the Law. This is because, as a rule, regulations should not be able to expand the limits set by the laws according to the hierarchy of norms.

The general principles regarding the sharing of confidential information regulated by Article 6 of the Regulation also cover the sharing to be made within the scope of the exception, and these principles are regulated in parallel with the principles specified in the LPPD.

In the Regulation, the definitions of de-identification and aggregation of customer data are included and if the purpose of sharing can be achieved in case of the application of these methods, the application of these methods is mandatory.

The difference between the definitions of anonymisation and de-identification, which are within the scope of methods that completely eliminate or greatly complicate the connection of personal data with the data subject, but constitute sub-concepts of the same cluster, is important in terms of determining whether the data will be included in the scope of protection of the law by changing the personal data characteristics of the data.

De-identification is a definition that did not exist until the announcement of the Regulation within the scope of personal data protection legislation, and it is defined for the first time in the Regulation, and it is similar to the methods such as encryption, coding, blurring, pseudonymisation, which are regulated in the Regulation on Personal Health Data and GDPR (European Data Protection Regulation).

In our opinion, the said regulation supports and parallels the regulations introduced by the LPPD and has been very useful in terms of drawing the limits of banks’ and financial institutions’ field of action.

The fact that the LPPD is referred to when regulating the provisions on confidentiality in general terms in the laws, and the inclusion of evaluation criteria such as proportionality and purpose limitation, which are general principles, is an indication that a step forward is being taken at the point of harmonisation with the current legislation.

As long as the PDPL is not supported by the legislation on the horizontal axis and does not spread into each new legislation, there is a risk that it will never achieve the purpose it seeks to serve.

The finance and banking sector undoubtedly has the power to pioneer many innovations and shape legislation. Therefore, it can be interpreted that the beginning and continuation of the steps taken in this field is inevitable, and it is a promising innovation for all stakeholders who have scrutinised the Personal Data Protection legislation.