Privacy Notice Regarding Personal Data Processing

The main purpose of the Personal Data Protection Law no. 6698 ("KVKK"), which was published in the Official Gazette and entered into force on April 7, 2016, is to protect the fundamental rights and freedoms of individuals, especially privacy, in terms of personal data processing.

As data controller, Yapı ve Kredi Bankası A.Ş. (the “Bank”) attaches utmost importance to the fundamental rights and freedoms of individuals and shows utmost sensitivity to the processing of all personal data relating to natural persons associated with the Bank, including those benefiting from our products and services, in accordance with KVKK and to ensuring privacy and security.

Purposes for Processing Personal Data

Your personal data will be processed for the Purposes specified in this Privacy Policy pursuant to your relationship with our Bank. In all cases, processing of your personal data by our Bank will be relevant, limited and proportionate to the purposes for which they are processed in accordance with the principles set out in Article 4 of KVKK.

Within this scope, you may find detailed information on personal data processing activities carried out in accordance with the provisions of KVKK and related legislation and the rights of data subjects from the Yapı ve Kredi Bankası A.Ş.Corporate Policy on Protection and Processing of Personal Data.

Method and Legal Ground for the Collection of Personal Data

Your personal data will be collected by means of one of the following methods which you use to communicate with us: via Bank's call center, branch, ATM, fax, text message (SMS), business partner dealers, internet banking, mobile banking, tablet, our websites, DST (form or tablet) our business partners, companies which we conduct their activities in the capacity of brokerage / agency, identity sharing systems, address sharing systems, PTT General Directorate (Turkey Postal Service), the Banks Association of Turkey Risk Center and other lawful relevant channels.

Your personal data will be collected and processed for the following purposes and legal grounds pursuant to the relation which you will establish with our Bank.

Based on the legal ground that processing of personal data is necessary for compliance with the legal obligation of the Bank as a data controller and it is expressly provided for by the laws;

  • Planning or execution of activities carried out with the main shareholders
  • Ensuring the accordance of the Bank's operations with the Bank's procedures or respective legislation
  • Ensuring the security of the Bank system and operations
  • Ensuring the safety of Bank premises or facilities
  • Planning or execution of audit or ethical activities of the Bank
  • Planning or execution of the financial risk processes of the Bank
  • Planning or execution of necessary operational activities regarding the unethical conduct or abuse cases of employees
  • Planning or execution of internal audit / internal control / investigation / ethics activities upon complaint or ex officio
  • Planning/execution of risk management processes related to the offered products or services
  • Execution of risk, audit and operational activities along with subsidiaries in accordance with Banking Law
  • Planning or execution of operational risk processes
  • Carrying out the transactions of corporate and corporations law and legislation
  • Ensuring that the data is accurate and up-to-date
  • Providing information to authorized persons and/or organizations due to the legislation
  • Planning, auditing or conducting of information security processes
  • Establishment or management of the information technologies infrastructure
  • Planning or execution of employee's authority to access to information
  • Follow-up of finance or accounting procedures
  • Loan monitoring (follow-up of credit payment)
  • Planning or exercise of the information access rights of business partners or suppliers

Based on the legal ground that processing of personal data of the parties of a contract is necessary, provided that it is directly related to the establishment or performance of the contract and it is necessary for compliance with a legal obligation to which the data controller is subject;

  • Planning or execution of investment processes
  • Establishment or execution of the credit application process
  • Establishment or execution of the credit evaluation and allocation process
  • Establishment or execution of the credit granting process
  • Planning or execution of customer relations management processes
  • Execution or follow-up of the insurance process of customers
  • Planning or execution of the activities regarding after-sales support services
  • Follow-up of contractual procedures or legal demands
  • Planning or conducting the processes of providing the customer with tools or information suitable for the channels that the customer will use or access to the products or services
  • Conducting activation processes of products or services
  • Establishment or follow-up of application processes of products or services
  • Establishment or follow-up of utilization procedures of the products or services
  • Planning or execution of the sales processes of the products or services
  • Establishment or follow-up of the allocation or evaluation processes of the products or services
  • Planning or execution of procurement processes
  • Planning or execution of supply chain management processes
  • Planning or follow-up of building or construction activities
  • Planning and carrying out of the processes regarding the products and services offered together with organizations which cooperate with the Bank/are affiliates of the Bank/renders brokerage services to the Bank and which are agencies of the Bank
  • Planning or execution of sales activities of the products or services offered by the subsidiaries of our Bank to the extent permitted by the legislation

Based on the legal ground that processing of data is necessary for the legitimate interests pursued by the data controller, provided that this processing will not violate the fundamental rights and freedoms of the data subject;

  • Planning or execution of emergency or incident management processes
  • Ensuring the security of the fixtures or resources of the Bank
  • Execution of compliance process resulting from foreign legislation
  • Formation or follow-up of visitor registrations
  • Planning or conducting of market research activities
  • Planning or execution of social responsibility or civil society activities
  • Planning or conducting sponsorship activities
  • Planning and execution of printed or visual or audio communication activities to be shared with internal or external shareholders
  • Planning or execution of the activities regarding the efficiency/productivity or appropriateness analysis of business activities
  • Planning or conducting business activities
  • Planning or conducting of activities regarding the provision of business continuity
  • Planning or conducting of corporate communication activities
  • Planning or conducting of corporate management activities
  • Planning or conducting logistic activities
  • Planning or execution of operation or productivity processes
  • Planning or conducting of the projects in line with the objectives of the Bank
  • Management of the relationships with business partners or suppliers
  • Conducting strategic planning activities
  • Carrying out or exercising works on budget
  • Managing and/or controlling the relationships with subsidiaries

Based on the legal ground that data processing is necessary for the establishment, exercise or protection of any right;

  • Follow-up of the legal affairs
  • Finalizing/follow-up of customer demands or complaints

Based on your explicit consent,

  • Planning/conducting the marketing processes of the products or services
  • Planning or conducting of activities towards customer satisfaction and experience
  • Designing or conducting customized marketing or promotional activities
  • Conducting of data analytics activities for marketing purposes
  • Planning or execution of the process of establishing or increasing loyalty to the products or services offered by our bank
  • Designing or conducting marketing and advertising/promotional activities in digital or other media
  • Planning or conducting campaigns or promotional processes
  • Planning or execution of cross-selling activities for products offered by our Bank
  • Planning and conducting the activities aimed at promoting and increasing the use of products and services offered together with the organizations which are the subsidiaries of the Bank / cooperates with the Bank/ renders brokerage services to the Bank and which are agencies of the Bank
  • Planning and carrying out of the marketing activities of the products and services of the organizations which are the subsidiaries of the Bank / cooperates with the Bank/ renders brokerage services to the Bank and which are agencies of the Bank

Recipient Parties and Purposes for Transferring Personal Data

Collected personal data may be transferred to our shareholders domestic or abroad, our subsidiaries, judicial authorities and similar legally authorized public/private institutions and organizations, correspondent banks, our business partners, and our vendors in accordance with the basic principles envisaged under KVKK and pursuant to the rules regarding the transfer of personal data specified in Articles 8 and 9 of the KVKK and the legal reasons for the processing of personal data stipulated in Articles 5 and 6 of the KVKK.

Your Rights as Envisaged Under Article 11 of KVKK

We hereby declare that you are entitled to the following rights in accordance with Article 11 of the Law:

  • To learn whether your personal data are being processed,
  • To request information if your personal data have been processed,
  • To learn the purpose of the processing of your personal data and whether they have been used accordingly,
  • To learn which third parties domestic or abroad your personal data has been transferred to,
  • To request rectification in case your personal data has been processed incompletely or inaccurately and to demand the operations in this regard be reported to third parties your personal data has been transferred to,
  • To demand the erasure or destruction of your personal data in case the reasons necessitating the processing have disappeared even though it was processed in accordance with the Law and other relevant provisions and to demand the operations in this regard be reported to third parties your personal data has been transferred to,
  • To object the occurrence of any consequence that is to your detriment by means of analysis of personal data solely through automated systems,
  • To demand compensation for the damages that you have suffered as a result of an unlawful processing of your personal data.

You may convey your requests concerning your rights listed above, to our Bank. Depending on the nature of your request, your application will be concluded as soon as possible, within 30 days at the latest and free of charge.

Information on the Processing of Personal Data of Individuals in the Risk Group

Partnerships in which you, your spouse, your children and the relevant persons are board members or general managers or which they or a legal person directly or indirectly control jointly or severally or participate with unlimited liability; and partnerships which qualified shareholders, board members and general manager of a bank directly or indirectly control jointly or severally or participate with unlimited liability or in which they are board members or general managers and natural and legal persons with surety, guarantee or similar relationships to the extent that would result insolvency of one or more than one in case one of them becomes insolvent, constitute a risk group (the “Risk Group”). In addition, other natural and legal persons to be included in the risk group are determined by the Banking Regulation and Supervision Agency of Turkey.

You may find detailed information on the personal data processing activities carried out by our Bank in accordance with the Personal Data Protection Law numbered 6698 regarding the persons that are considered in the Risk Group from the Risk Group Privacy Notice.