lighted bridge over water at night time

Data protection: Key points financial institutions need to consider in 2021

April 27, 2021
Cem Tecimer
Cem Tecimer
Posted in Banking and finance Data protection and cybersecurity

Turkey’s Data Protection Authority (the “DPA”) and its ultimate decision-making body, the Data Protection Board (the “Board”), handed down a series of noteworthy decisions concerning financial institutions and how they processed client data during 2020.

The Board, which is the entity responsible for resolving complaints lodged by data subjects against data controllers, made it abundantly clear that financial institutions must take into consideration the following:

1) Credit scores, a crucial factor in determining whether a bank should provide or withhold credit, contain highly confidential information pertaining to an individual’s personal finances and may not be disclosed to third parties without the client’s express consent.

The Board confirmed this in decision 2020/43 rendered on January 16, 2020, in which the loan request of a data subject’s father was denied because his son, also the bank’s client, had issues with making timely loan payments. The grounds for denial of the loan was communicated to the father in writing. Subsequently, the data subject’s son objected arguing that disclosure of his financial issues to his father amounted to a breach of privacy and unlawful disclosure of personal data. The bank’s defense was grounded in Article 49 of the Banking Law, which expressly states that the finances of a person’s spouse and children are relevant factors in determining credit eligibility. As such, the bank argued, the son’s explicit consent was not necessary. The bank further argued that there was no breach of privacy when it shared the son’s credit information when fulfilling its legal obligation to inform the credit applicant as to the grounds for denial because, in this case, the father and son maintained the same residence.

The Board rejected the bank’s defense holding that the Banking Law, in its numerous provisions, underlines the importance of disclosing personal data only to authorized entities. In this case, the absence of explicit consent means that the data subject’s father is not considered an authorized entity. As such, the Board ruled, from a data protection perspective, the bank acted unlawfully by disclosing the son’s financial situation to an unrelated third party. The Board also referred the case to the Banking Regulation and Supervision Agency to determine whether criminal liability had been triggered under both the Banking Law and the Criminal Code.

2) Financial institutions monitor and train personnel with access to confidential client information.

Financial institutions handle confidential client information on a daily basis and typically control the scope of employee access based on seniority and expertise. It is essential to have a program of periodic monitoring to ensure compliance and effectively deal with possible exposure. Additionally, financial institutions are required to promptly and adequately attend to breach incidents.

Decision 2020/344 rendered on May 5, 2020, involves a bank that notified the DPA after a routine internal compliance review uncovered suspicious access to client and non-client data on the Turkish Credit Bureau centralized database by three bank employees.

The Board, which ultimately issued a TL 1,000,000 (approx. US$ 124,000) administrative fine against the bank, noted that although the bank self-reported, the suspicious activities in question were only detected 18 months after the first incident. This significant length of time pointed to a failure on the bank’s part and a lack of effective internal compliance mechanisms. In leveling the fine, the Board noted that the bank not only failed to limit employee access to the Credit Bureau database but also failed to provide training to personnel in handling confidential client data in compliance with current data protection legislation.

This decision is crucial in at least two ways: (i) internal compliance audits and data sensitivity training should be frequent, regular, and rigorous; and (ii) measures to control and limit employee access to personal data must be put in place and regularly reviewed prior to any exposure.

3) Legal teams must be trained and monitored.

In addition to frontline banking personnel, routine data privacy training and compliance monitoring programs should include a bank’s in-house and external legal counsel. Two decisions in 2020 illustrate the importance of this.

Decision 2020/429 rendered on May 28, 2020, relates to a case where a bank’s lawyer sent text messages to various phone numbers disclosing that a customer was behind on loan payments and urging payment. Among the recipients of these text messages were the customer’s brother and several close friends. The customer complained to the Board that personal data relating to his finances had been disclosed to third parties without consent. The bank responded by stating that because the customer had contacted the bank using multiple phone numbers, it was deemed necessary to send the messages to multiple phone numbers to assure receipt. As proof that the customer was associated with these multiple phone numbers, the bank’s lawyer submitted to the Board a list of phone numbers obtained using the customer’s Turkish ID number provided in his petition to the Board.

The Board rejected this argument and issued a fine against the lawyer in the amount of TL 125,000 (approx. US$ 15,000). The Board found that the merely using multiple phone numbers cannot be construed as permission to send sensitive information to those same phone numbers, especially without vetting whether those phone numbers indeed belong to the customer. Further, the Board ruled that the lawyer had committed a second and separate violation by using the customer’s Turkish ID number to generate the list of phone numbers. The Board reasoned that information disclosed in a petition to the Board was made with the intent to satisfy a technical identification requirement and not with the intent of having the ID number used to run searches of phone numbers.

A similar issue is addressed by the Board in Decision 2020/26 rendered on January 14, 2020, in which a bank’s lawyer sent a text message to a customer’s brother disclosing the customer’s name, the name of the creditor bank and other information pertaining to an enforcement action for failure to meet credit payment deadlines pending against the customer.

The bank’s lawyer invoked three defenses against the customer’s petition to the Board claiming disclosure of personal data relating to his finances to third parties without consent. First, the lawyer vaguely, and without pointing to any specific provision, argued that the Banking Law gave him the right to try to contact the customer using alternative means because the customer was not responsive to text messages sent to his mobile device. Second, the lawyer argued that the phone number to which the text message was sent had been provided by a person who claimed to be the petitioner’s relative. Third, the lawyer argued that as an attorney these actions fall squarely under an exception in the data protection legislation allowing legal authorities to process personal data without consent in the course of investigations, prosecutions, proceedings and enforcement actions.

The Board, which rejected all three defenses and issued a fine of TL 50,000 (approx. US$ 6,000) against the lawyer, reasoned that the inability to contact a customer does not permit the use of alternative methods of communication. Although a relative provided the phone number to which the text message was sent, the data subject had not given explicit consent for use of the phone number for bank communications. As a general rule, consent to process personal data must be provided by the person whose data is being processed. Finally, although lawyers are legal authorities per the Attorneyship Law, application of the exception in the present case is inapplicable since the lawyer is not engaged in an investigation or any comparable judicial proceeding.

In both of these cases, fines were issued against the lawyers personally, and not against the banks. Whether it be in-house counsel or law firms, banks must do their own “due diligence” to ensure that their lawyers are aware of and adhere to the DPA’s data protection standards.

4) Financial institutions must ensure that all client data is accurate and up-to-date.

Outdated client data, especially client contact information, can lead to disclosure of confidential information to unrelated third parties. This is exactly what happened in the Board Decision 2020/32 rendered on January 16, 2020.

This case revolves around the delivery of a newly-issued credit card to a secondary, out-of-date customer address. The second address, provided by the bank was, was in fact the customer’s past work address. The delivery of the credit card to an unintended third party resulted in a data exposure, including credit card number, expiry date and CCV number.

The Board issued a TL 50,000 (approx. US$ 6,000) fine against the bank reasoning that even though the customer neglected to update the secondary contact address, the bank is under an obligation to take all reasonable measures to ensure that customer contact information is accurate and up-to-date.

5) Financial institutions should not unreasonably deny client requests to access their own data.

While this may seem like an obvious point, an interesting fact pattern arose in case 2020/13 rendered on January 14, 2020. Although the data controller in this particular case was a financial brokerage entity, the facts of the case can easily be applied to other financial institutions including banks. The case concerns a data subject’s request to access several phone conversations had with an employee of the brokerage. It is important to note that in Turkey most verbal communications with banks and other financial institutions are recorded. The request was denied on the grounds that if recordings of conversations were delivered to clients, the recordings run the risk of being tampered with or otherwise subjected to technological alterations.

While noting the broker’s concern, the Board ultimately decided that the broker had acted unreasonably by denying the client’s request. The client’s right to request information, the Board held, unquestionably includes access to the contents of that information. “Access,” the Board continued, does not necessarily mean obtaining data in its original medium, in this case, in recorded format. The broker could have, for example, easily complied with the client’s request by providing a written transcript of the phone conversation. Such transcript would both satisfy the client’s right to access personal information and address the broker’s concern about tampering. Because the broker failed to consider this more conciliatory option, the Board reasoned, it had acted unlawfully, and therefore ordered the broker to provide a written transcript of the phone conversation with the client.

This case perfectly illustrates that data access requests can be fulfilled in ways that are considerate of both data subject rights and institutional concerns and that do not further antagonize a potentially already negative situation. Banks should therefore constantly think of innovative ways to respond to client needs while preserving their institutions’ own integrity and wellbeing.

6) Financial institutions should strike the right balance between marketing and privacy.

A marketing technique used by one bank that failed to strike the right balance was the subject matter of the Board decision 2020/103 rendered on February 6, 2020. In this case, a prospective client wanted to open a bank account but was informed that an account already existed under his name at another branch. After launching an investigation into the client’s claim that the account was opened without consent, the bank concluded that the account in question had indeed been created without the (prospective) client’s intent or consent and that the necessary information to set up the account had been procured through a third party marketing agent.

In its defense, which was quickly dismissed by the Board, the bank argued that the account in question was not and could not have been activated without written consent in the form of a signed banking service agreement from the client. The absence of such agreement precluded any potential fraud, the bank claimed, because there could be no transactions concerning the account in question. The Board held that even if that were true, it did not detract from the obvious breach of personal privacy. That the bank had obtained an intended client’s ID information without his consent amounted to a breach in and of itself. Accordingly, the bank was fined in the amount of TL 210,000 (approx. US$ 26,000).

While this case is no doubt an extreme example, it highlights the fact that banks must be conscious of data breaches that may occur in the course of routine advertising and promotion efforts.

7) Representative offices of foreign banks still need to register with the Data Controllers’ Registry (VERBİS).

In decision 2020/471 rendered on June 23, 2020, the Board announced its advisory opinion that a foreign bank with a representative office and no branches in Turkey was required to register with VERBİS. Briefly reviewing the domestic law regulating bank representative offices, the Board concluded that although representative offices cannot engage in regular banking transactions, they are nevertheless able to engage in marketing and business development research and report back to the headquarters. Such research, in turn, means that representative offices can and do collect and process the personal data of Turkish residents thereby triggering the application of Turkish data protection rules.

8) Financial institutions need to be aware of what the Board is and isn’t.

The Board is able to hand down non-compliance decisions and issue administrative fines as a consequence of non-compliance. In multiple decisions throughout 2020, the Board noted various factors that determined the fine amount issued. The most salient are:

  • the duration of the breach, and relatedly, how quickly data controllers respond to the breach;
  • the number of affected parties;
  • whether procedural requirements (such as notifying the Board and the affected parties) are complied within a timely fashion; and
  • whether necessary technical and administrative measures have been taken to protect data, including company personnel being adequately trained to approach personal data with sensitivity.

The Board is able to follow-up on its decisions to ensure strict compliance. In one case (number 2020/766 rendered on October 8, 2020), the Board issued an additional fine of TL 120,000 against a bank that failed to make adequate changes to its privacy statement after a previous Board ruling required the bank to do so. In the original ruling, the Board held that the bank’s privacy statement contained vague phrases indicating that the Bank could process data for purposes other than those mentioned in the text and failed to specifically identify and pair the type of data that would be collected and processed with specific banking transactions.

The Board is not a court and many decisions it issues are cognizant of this fact. Specifically, while the Board can and does issue administrative fines for various instances of non-compliance, it lacks jurisdiction to rule on damages. In such cases, it must direct aggrieved parties to general jurisdiction courts, which may or may not consider the Board’s decisions as persuasive evidence in adjudicating on damages.