On the 25th of February 2020, confidentiality obligation related to customer secrets and bank secrets when conducting banking operations was added to Law No. 5411 Banking Law Article 73 under the heading of conserving confidential information. BRSA has been authorized to determine procedures and principles for sharing and transferring information deemed confidential with this addition. When there is a term for personal data, the addition of a term of customer secret has been criticized and the need for certainty has been raised.
The regulation coming into force on the 1st of January 2021 is going to update some concepts and bring light to several dark spots as you can find the details about it below.
What is the scope of the BRSA Regulation?
Regulation brings light to confidentiality obligation and its exceptions; principles and procedures of sharing information; terms of customer secrets and banking secrets.
The regulation contains terms related to the coordination of sharing customer and banking secrets and an obligatory Information Share Committee to be founded which will conduct operations such as evaluation and recording of sharing demands.
Customer secret could be defined as data that is produced after the subject of the information has become a customer. Also, the customer secret of another bank is deemed to be the customer secret of the bank that acquired it from another bank. Data acquired before such a person becomes a customer could be deemed customer secret when processed with the data that has been produced afterward of being a customer. On the other hand, a banking secret could be defined as information belonging to the bank which is not related to any customer.
Sharing processes of confidential information need to be proportionate and methods of being proportionate are under the terms. Pseudonymization and consolidation methods and other methods mentioned under the terms of KVKK shall be applied and sharing must be done by methods requiring the least amount of data copy. Attribution to Article 4 of KVKK processing within the boundaries, proportionate and related processing with the processing reason shall also be applied to the customer secret which is also personal data. The distinctive term of this regulation is even the existence of the explicit consent sharing of such a secret has to depend on demand or instruction from the customer herself.
Under the terms of Article 5, there are 9 exceptions. These exceptions are criticized when they are quite in conflict with the proportionate sharing principle of KVKK.
See also, Who Is DPO and What Are His/Her Rights