Privacy Policy

  • PRIVACY POLICY
  • COOKIES POLICY
  • POLICY FOR PROTECTION AND PROCESSING OF PERSONAL DATA
  • PERSONAL DATA STORAGE AND DESTRUCTION POLİCY

Your privacy is important to us. Our Privacy Policy describes the basic rules we have adopted to protect the confidentiality of the information you provide when you visit or use the online services provided by our Bank, such as tskb.com.tr, TSKB Online and Apex Banking (hereinafter referred to as the "Website").

* You can visit TSKB site pages without providing any personal data, receive information about our products and services, read our reports, and benefit from our human resources and other detailed services.

* Our Bank is under a legal obligation with the clear regulation of the Banking Law to ensure the confidentiality and security of our customers' data and exercises the necessary maximum sensitivity.
In order for all of our Bank's employees to exercise the necessary sensitivity in this regard at the highest level, detailed arrangements are made in this regard in our Bank's legislation, and the issue of protecting customer data in all applications and processes is taken into consideration.
It our basic approach to protect all information regarding the Bank and our customers from unauthorized access, misuse and alteration, corruption and destruction and to ensure the confidentiality, integrity and usability of information.

* In order to protect our customers' personal data, our Bank's system and internet infrastructure have been kept at the most reliable level and necessary measures have been taken. You can find our Bank's information about the protection of personal data here.

* The information of our customers will not be shared with a third party or company without the approval of the customer or unless there is a legal obligation otherwise.

* In case our Bank works with different organizations in order to receive support services, our Bank will ensure that these companies comply with the privacy standards and conditions of our Bank.

* Our website provides links and routers to other websites. Our commitments in our Privacy Policy apply only to our website and do not cover other websites. The contents of these sites are not controlled by TSKB, and TSKB does not give any guarantee against any damages that may arise from the use of these sites.

* The records of all transactions carried out by our employees and customers in our Bank are kept in a safe media, fully and accurately, in accordance with the legal legislation. If requested by legal authorities, this information is not shared with third-parties in any way, without informing the customer.

* Our Bank reserves the right to make changes without prior notice in order to keep our Privacy Policy up to date and to comply with the relevant legislation. If changes are made to the Privacy Policy, the updated policy will be posted on our website. This policy was last updated on 03.01.2018.

* Click for the "BRSA Communiqué Regarding Principles for Information Systems Management in Banks".

Authorized Audit Agency: BRSA-Banking Regulation and Supervision Agency.

Mail Address: Büyükdere Caddesi No:106 Şerbetçi İş Merkezi Esentepe Şişli/İstanbul

Phone: (212) 214 50 00

Fax: (212) 216 09 92

Web Address: www.bddk.org.tr

A cookie is information that is stored on your computer or mobile device by the websites you visit. Today, almost every website uses cookies. In order to provide you with better services, TSKB uses cookies, like most websites.

The types of cookies we use on our website include the following:

Functionality cookies are the cookies used to facilitate the visit to the website and improve your browsing experience. They allow to remember certain settings, such as your preferred language, layout or colour scheme.

No confidential information, including personal data of customers / users, is stored in the cookies we use. If you do not want cookies to be stored, you can change your cookie usage preferences in the settings section of your browser. However, we would like to remind you that if you delete cookies and prevent future cookies from being downloaded onto your computer, you will not be able to access some of our features.

To turn off cookies;

You can use the "Settings / Privacy / Content Settings / Turn Off Cookies" option in your browser settings in Chrome.

For Internet Explorer users: You can use the "Options / Internet Settings / Privacy / Settings" option.

For Firefox users: You can use the "Tools / Options / Privacy / Cookie Acceptance Method / Until Firefox is closed" option.

You can find more information about turning off cookies on the following sites:



TSKB uses cookies under the Privacy Policy and reserves the right to change the cookie policy.

POLICY FOR PROTECTION AND PROCESSING OF PERSONAL DATA

1. INTRODUCTION

The purpose of this policy is to determine the principles for the protection and processing of personal data in Türkiye Sınai Kalkınma Bankası.


2. SCOPE

The scope of this Policy is the process of processing and protecting all kinds of data (“Personal Data”) that is provided to our Bank or obtained by our Bank regarding an identified or identifiable natural person.


3. PRACTICES AND MEASURES TAKEN REGARDING PROTECTION AND PROCESSING OF PERSONAL DATA

In this context, TSKB provides training to its employees and takes technical and administrative measures in line with technological opportunities in order to ensure that the personal data is processed and protected in accordance with the law. Those whose personal data are processed are informed as provided for in the legislation. Utmost care is exercised to keep the obtained personal data confidential and the personal data of those who share their personal data electronically or verbally / in writing with our Bank are shared with third-parties only to the extend consented by the relevant person or permitted by the legislation. Necessary mechanisms are established in order to effectively conclude the demands directed to our Bank by those whose personal data are processed. Necessary efforts are exercised to determine, and to establish proper control mechanisms for, any personal data in written, printed or electronic media received by TSKB through various channels as personal data, to prepare the required safe environments for the storage of such data and, most importantly, to ensure that such data is accessible only by limited number of authorized persons. A Personal Data Protection Committee has been established within our Bank in order to ensure the confidentiality and security of personal data and to carry out the transactions arising from the legislation. The Personal Data Protection Committee tasked and responsible for performing all kinds of procedures related to the protection, processing and destruction of personal data and preparing all related procedures.


4. BASIC PRINCIPLES REGARDING PROTECTION AND PROCESSING OF PERSONAL DATA

The basic principles followed in the processing of Personal Data are as follows:


a) Personal data is processed in accordance with law and rules of honesty.

b) Attention is paid to the proper processing of personal data and the data is updated when necessary.

c) Purposes for which personal data will be processed are determined and clear, and those purposes are legitimate. The relevant person is informed about the purposes for which personal data can be processed.

ç) Personal data processed is related to, limited to, and restrained for, the purpose for which it is processed.

d) Personal data is kept for the time period necessary for the purposes for which it is processed. In this context, personal data shall be stored during this time period, if required by the relevant legislation. If no time period has been set out in the relevant legislation regarding how long the personal data should be stored, the relevant data will be stored for the time period that requires storage in accordance with the practices of our Bank and its business life, in connection with the activity carried out, and then will be deleted, destroyed or anonymized based on its nature.


Regarding the processing of personal data, personal data may be processed without the express consent of the person concerned in the following cases:


a) If it is clearly provided for in the law;

b) If it is mandatory to protect life or body integrity of any person, who is unable to disclose his/her consent due to actual impossibility or whose consent is not considered legally valid, or any other person;

b) If it is mandatory to protect life or body integrity of any person, who is unable to disclose his/her consent due to actual impossibility or whose consent is not considered legally valid, or any other person;

ç) If it is mandatory for the data controller to fulfil its legal obligation;

d) If the personal data has been publicized by the person concerned;

e) If the processing is mandatory in order to establish, exercise or protect a right;

f) If the processing is mandatory for the legitimate interests of the data controller, provided that the fundamental rights and freedoms of the person concerned are not damaged.


5. PURPOSE OF PERSONAL DATA PROCESSING

Taking into account the basic principles mentioned above, the personal data is processed in order for concluding the contract and fulfilling the requirements therein, preparing all records and documents that will serve a basis for the transactions provided for in the contract and the relevant legislation, our Bank communicating with the relevant persons, the provision of the services provided for in the Banking Law and other legislation, obtaining identity, address details and other necessary information to identify the information of the transaction owner or guests of our Bank, carrying out any intra-bank communication in accordance with the relevant procedure, complying with the regulations in the Banking Law, the Capital Markets Law and other relevant legislation, fulfilling information storage, reporting, disclosure and other obligations required by the BRSA, CMB, CBRT and other official organizations and providing the Bank's products and services.

6. PERSONS AND ORGANIZATIONS THAT PERSONAL DATA CAN BE SHARED WITH

Personal data can be transferred for the purposes specified in the Article above to the relevant Bank employees, persons or organizations permitted by the provisions of the Banking Law and other legislation, Takasbank, Investor Compensation Centre (YTM), Credit Bureau (KKB), BRSA, SPK, CBRT, courts, enforcement offices and other official institutions and organizations, the Bank's shareholders, direct / indirect domestic affiliates, and persons and program partner organizations from whom services are received, with whom cooperation is made and training programs are organized in order to carry out the Bank's activities, persons and organizations abroad to which the Bank is related, and any relevant persons and organizations as required by the foreign legislation that the Bank is obliged to comply with, within the scope of the Bank's activities.

7. RIGHTS OF PERSONS WHOSE PERSONAL DATA IS PROCESSED

Those whose personal data is processed by our Bank shall have the right a) to figure out whether their personal data is processed, b) if processed, to request for information related thereto, c) to know about the purpose of such processing and whether their personal data is used properly, ç) to know about third-parties to whom their personal data is transferred home and abroad, d) to request for correction if their personal data is processed in an incomplete and/or incorrect manner, e) to request for deletion and/or destruction of their personal data under the conditions provided for in Article 7 of the Personal Data Protection Law, f) to request for notification to third-parties to whom their personal data is transferred of processes carried out pursuant to paragraphs (d) and (e) above, g) to appeal to occurrence of any result against them due to analysis of their personal data exclusively by automated systems and ğ) demand compensation if they incur any loss due to processing of their personal data unlawfully, by applying to our Bank. Our Bank reserves its rights arising from the legislation related thereto. Except for demands which are unreasonably repetitive, require disproportionate technical efforts and jeopardizing the privacy of others, maximum effort is exercised to ensure that such rights are effectively provided.

Please click here to access the data subject application form..

1. PURPOSE AND SCOPE

The purpose of the Personal Data Storage and Destruction Policy is to determine the maximum time periods during which personal data, processed within Türkiye Sınai Kalkınma Bankası A.Ş., will be kept as necessary for the purpose for which it is processed, and the processes of deleting, destroying or anonymizing the same to define the role and responsibilities of persons who will take part in these processes.

The scope of this Policy is the maximum storage periods of personal data and the technical and administrative measures taken to store and destroy personal data in accordance with the law, those who take part in carrying out the relevant processes within TSKB and the recording media listed below.

  • Electronic Recording Media: Any server used by TSKB, such as TSKB Database Server, Backup Media, as described in TSKB's related procedures.
  • Physical Recording Media: Media where personal data is physically stored such as archives, department cabinets.


2. DEFINITIONS

TSKB: refers to Türkiye Sınai Kalkınma Bankası A.Ş.

Law: refers to the Personal Data Protection Law No. 6698.

Personal Data:refers to any information relating to an identified or identifiable real person.

Processing of Personal Data: refers to all types of actions carried out on data such as obtaining personal data through means that are fully or partially automated or that are non-automated, subject to being part of any data recording system, recording, storing, maintaining, altering, rearranging, disclosing, transferring, taking over, making obtainable, classifying or preventing the use of personal data.

Data Controller: refers to Türkiye Sınai Kalkınma Bankası A.Ş. as legal person.

PDP (Personal Data Protection) Committee: refers to the committee to be created to monitor administrative processes established within the scope of the Personal Data Protection Law and any sub-regulations thereof as appointed by the Data Controller.

Data Subject: refers to the unit that is responsible for the data at the database and application levels of the TSKB systems where personal data is processed, is obliged to prevent unauthorized access to relevant data by restricting access to the same and assists other employees to comply with the procedures.

Board: refers to the Personal Data Protection Board.

Anonymization:refers to rendering personal data impossible to associate with a specific or identifiable natural person, even if it is paired with other data.

Destruction: refers to the deletion, disposal or anonymization of personal data.

Recording Media: refer to any kind of media containing personal data processed through means that are fully or partially automated or that are non-automated, subject to being part of any data recording system.

Personal Data Processing Inventory:refers to the inventory that is created by associating the personal data processing activities with the purposes of processing of personal data, data categories, group of data subjects and explains in details the maximum times periods necessary for the purposes for which personal data is processed, personal data required to be transferred and measures taken in relation to data security.

Personal Data Storage and Destruction Policy (the "Policy"): refers to this policy which is used by data controllers as the basis for the process of determining the maximum time period necessary for the purpose of processing, destroying and anonymizing personal data,

Periodic Destruction:refers to the process of deleting, destroying or anonymizing, specified in the Personal Data Storage and Destruction Policy, which will be carried out ex officio at certain intervals in the event that the conditions for processing personal data, as defined in the Law, completely disappear.

Data Recording System:refers to the recording system in which personal data is configured and processed by certain criteria.

Principles for Protection and Processing of Personal Data: refer to the principles prepared by TSKB, which lay down the general principles regarding the protection and processing of personal data.

Personal Data Storage and Destruction Procedure: refers to the procedure to be established by the PDP Committee in order to set out the transaction rules in detail as specified in the Personal Data Storage and Destruction Policy.

Related User: refers, except for the person or department responsible for the technical storage, protection and back-up of personal data, to the persons who process personal data within the organization of the data controller or in accordance with the authorization and instructions received from the data controller.


3. RESPONSIBILITY

In order to publish, keep up-to-date and monitor the implementation of this Policy, the Board of Directors of TSKB will establish a PDP Committee and authorize the PDP Committee in relation to all these matters. The PDP Committee will consist of the Information Technologies Assistant General Manager, Human Resources Manager, Legal Affairs Manager and Corporate Compliance Manager. The PDP Committee will carry out the following duties and responsibilities:

  • to ensure that personal data is stored for the storage period;
  • to manage the personal data destruction process in the periodic destruction period;
  • to review the policy on a minimum annual basis;
  • to prepare and publish the Personal Data Storage and Destruction Procedure that will set out the transaction rules in detail based on the Policy, and any other procedures deemed necessary;
  • to prepare and publish the Personal Data Storage and Destruction Procedure that will set out the transaction rules in detail based on the Policy, and any other procedures deemed necessary;
  • to follow up, and plan auditing, the implementation of any and all technical and administrative measures taken in accordance with Article 12 of the Law;
  • to determine the actions to be taken to ensure compliance with the law and relevant legislation, to monitor the implementation thereof and to provide the necessary coordination;
  • to follow up the processes related to applications and requests of real persons whose personal data is processed and to take necessary actions to solve the problems that may arise regarding the implementation of the Law and / or the Policy and procedures; and
  • to manage relations with the Board.

4. SAFETY PRINCIPLES FOR THE STORAGE OF, AND THE PREVENTION OF ILLEGAL PROCESSESING OF AND ACCESS TO, PERSONAL DATA.

Data received by TSKB pursuant to the Personal Data Protection and Processing Policy is classified within the framework of the rules listed in the Personal Data Processing Inventory and specified in the Law. In this framework, the personal data definitions in the Law were used as the classification methodology that forms the basis of the Policy. In this context;

  • Group 1/Personal Data refers to any information relating to an identified or identifiable real person.
  • Group 2/Special Categories of Personal Datarefers to data on a person's race, ethnic origin, political thought, philosophical belief, religion, sect or other beliefs, costume and attire, membership to any association, foundation or trade union, health, sexual life, criminal conviction and biometric and genetic data.
  • Group 3/Other Data refers to data that is not covered by the personal data definition.

In order to safely store, prevent illegal processing of and access to the data listed in Group 1 and Group 2, any and all technical and administrative measures, including, but not limited to, access authorization limitation, encryption / masking, taking confidentiality and information security measures, preparation of Personal Data Processing Inventory, training of employees, preparation of corporate policies and procedures and keeping them up to date regarding personal data, must be taken.


5. REASONS REQUIRING STORAGE AND DESTRUCTION OF DATA

Taking into account the basic principles in the Personal Data Protection Law, personal data is stored in order for concluding the contracts to which TSKB is a party and fulfilling the requirements therein, preparing all records and documents that will serve a basis for the transactions provided for in the contracts and the relevant legislation, TSKB communicating with the relevant persons, the provision of the services provided for in the Banking Law and other legislation, obtaining identity, address details and other necessary information to identify the information of the transaction owner or guests of TSKB, carrying out any intra-TSKB communication in accordance with the relevant procedure, complying with the regulations in the Banking Law, the Capital Markets Law and other relevant legislation, fulfilling information storage, disclosure and other obligations required by the Banking Regulation and Supervision Agency, the Capital Market Board, the Central Bank of Turkey and other official organizations and any persons and organizations abroad to which TSKB is related, and providing TSKB's products and services. In the event that the purpose of processing disappears or the relevant legislation and/or storage periods determined by TSKB expire, personal data will be destroyed in accordance with the principles set out in this Policy.


6. STORAGE TIME OF DATA WITHIN RELEVANT LEGISLATION

Storage periods shall be determined for all personal data stored within TSKB. When determining the storage periods, the relevant legislation shall be taken into account and if no time period is provided for in the relevant legislation, then the time period required for the purpose of personal data processing shall be taken into account. The relevant time periods shall be included in the Personal Data Inventory.

The personal data mentioned in the Personal Data Processing Inventory shall be stored in accordance with the legal regulations in the table below and destroyed on the first periodic destruction date following the storage period, unless there is any legal situation that discontinues or suspends the prescription period.

In accordance with the Banking Law and BRSA regulations 10 Years
Other relevant legislative requirements For the time period provided for in the relevant legislation
After the expiry of 10-year period which is required by the Banking Law and BRSA regulations, pursuant to Article 146 of the Code of Obligations which sets out the general expiry period 10 Years
In accordance with Articles 66 and 68 of the Turkish Penal Code, if the relevant personal data is subject to a crime or is related to a crime within the scope of the Turkish Penal Code or legislation introducing other penalties As long as the limitation of action and prescription of crime/penalty

7. SAFETY PRINCIPLES FOR DESTRUCTION OF DATA

If the purpose of processing of the personal data, provided by TSKB under the Personal Data Protection and Processing Policy and stored as specified in the Personal Data Inventory, has expired or the retention periods of such data specified in the relevant legislation and/or the Policy have expired, such data will be destroyed upon the request of the real person whose personal data has been processed, the request of the data subject unit or ex officio, in accordance with the recording environment, by subjecting the same to the deletion, destruction or anonymization processes to be determined by the PDP Committee in accordance with the nature of the personal data and as shown in the Personal Data Storage and Destruction Procedure, the details of which are determined by the PDP Committee.

The methods of destruction used by TSKB are as follows.


7.1. DELETION OF DATA
It refers to the process of making personal data inaccessible and re-useable for the users concerned.

7.2. DESTRUCTION OF DATA
It refers to the process of making personal data inaccessible, non-retrievable and re-useable by any person in any way.

7.3. ANONYMIZATION OF DATA
It refers to rendering personal data impossible to associate with an identified or identifiable natural person, even if it is paired with other data. Anonymization is that the distinguishability of the person concerned within a group or crowd be eliminated in such a way that he/she cannot be associated with a real person by removing or modifying all direct and/or indirect identifiers in the relevant data set and preventing the relevant person from being identified. Data that does not indicate a particular person as a result of blocking or loss of these features is considered anonymized data. Any bond breaking procedures carried out using methods, such as automated or non-automated grouping, masking, derivation, generalization, randomization applied to the records in the data recording system where personal data is kept are referred to as anonymization. It must be investigated whether there is any risk of anonymized personal data being reversed by various interventions and risk of anonymized data becoming re-identifying and re-distinguishing any real persons, and actions must be taken accordingly.


8. OPERATING DESTRUCTION PROCESS

Personal data stored within TSKB is subjected to the destruction process at the end of the storage period and the privacy of the data is protected during such destruction.

  • It is the responsibility of the PDP Committee to operate the destruction process when the reasons requiring the processing of data listed in Group 1 and Group 2 disappear. The destruction method to be determined for such data shall be determined by the PDP Committee.
  • The destruction process of data listed in Group 1 and Group 2 shall be initiated by the PDP Committee. The PDP Committee shall inform the Data Subject about operating the destruction process.
  • All actions taken relating to the deletion, destruction and anonymization of personal data shall be recorded, and such records shall be kept for at least three (3) years, with the exception of other legal obligations.

The following time periods shall be taken into account as part of the obligation to delete, destroy or anonymize personal data.

  • Personal data shall be deleted, destroyed or anonymized during the first Periodic Destruction process following the date on which the obligation arises within the scope of the storage period specified in the Data Inventory.
  • The period of time for the Periodic Destruction is maximum six (6) months.

Persons whose personal data is kept within TSKB shall have the right to request for the destruction of their data through the “TSKB Contact Form” published on the TSKB website. If this right is exercised:

  • if all the requirements for personal data processing have disappeared, the personal data will be deleted, destroyed or anonymized. The deletion or destruction requests of the persons concerned will be concluded by the Data Controllers within thirty days at the latest, and persons requesting the deletion of their personal data will be informed about the deletion.
  • If all the requirements for personal data processing have disappeared and the data requested to be deleted has been transferred to third-parties, TSKB will inform and require the relevant third-parties to carry out the deletion immediately and no later than thirty days and require such third-parties to provide information that the necessary actions have been taken.
  • If all the requirements for personal data processing have not completely disappeared, the request will be rejected by explaining the justification thereof and the rejection will be notified to the person concerned in writing or electronically within 30 days at the latest.

Türkiye Sınai Kalkınma BankasıTurkey’s comprehensive environmental portal cevreciyiz.com is supported by TSKB.