Data Protection Requirements of Foreign Banks Having Representative Offices in Turkey
The Turkish Personal Data Protection Board (the “Board”) has published the summary of its decision dated 23.06.2020 and numbered 2020/471 on the status of foreign banks having representative offices in Turkey.
The Board has responded to the application of a foreign bank having a representative office in Turkey and concluded the following: As per Article 9 of the Communique on Procedure and Principles on the Activities of Representative Offices operating in Turkey (published in the Official Gazette dated 01.04.2008 and numbered 26834), a representative office is not entitled to collect or receive deposit or participation funds on behalf of its affiliated bank or any other bank or financial institution, grant any credit facilities or engage in any activity stated under Article 4 of the Turkish Banking Law. The representative office might promote the services provided by its affiliated bank, enhance the relationship with banks and financial institutions established in Turkey, carry out market researches and share the relevant information with the affiliated bank. Therefore, the foreign bank having a representative office in Turkey is processing the personal data of Turkish residents and the activities of representative offices are inseparable from the activities of its affiliated foreign bank.
The Board has concluded, by making a reference to geographical field of application of the GDPR, that the argument that the affiliated bank is established abroad and personal data processing activities are carried out abroad is not acceptable and compatible with the purpose of the data protection legislation by taking into account that the affiliated bank has a continuing presence in Turkey through its representative office. Within this respect, the foreign banks having representative offices in Turkey are subject to the Turkish Data Protection legislation for any personal data processing and are also under the obligation to be registered to the Data Controllers’ Registry Information System (VERBIS).
The Board also underlined that the data controller is also under the obligation to notify the Board in case of any personal data breach caused by the data controller located abroad if such breach does affect Turkish residents benefiting from the products and services of the relevant data controller.
The Board’s decision is available on https://www.kvkk.gov.tr/Icerik/6772/2020-471 (Turkish only).
