Personal Data Protection and Processing

Personal data processing covers any operation performed on personal data, including its collection, recording, storage, modification, rearrangement, disclosure, transfer, receipt, classification, and the blocking of its use.

Yapı Kredi exercises the utmost care to ensure full compliance with the Personal Data Protection Law No. 6698 ("Law"), which was ratified on March 24, 2016, and entered into force upon its publication in the Official Gazette on April 7, 2016, as well as the regulations governing its implementation. Committed to the highest standards in customer experience and satisfaction, Yapı Kredi attaches great importance to the rights and liberties of its customers. The Bank endeavors to ensure full compliance with the Law on the Protection of Personal Data (LPPD) when processing personal data of all individuals who are in a commercial relationship with the Bank, including users of its products and services, and is committed to confidentiality and the security of any such data.

The LPPD Compliance Department was established by the Board of Directors as a result of the Bank's emphasis on confidentiality and building confidence in its actions, and it reports to the Audit Committee. The Bank's efforts in this context include ensuring compliance with the provisions of "Yapı ve Kredi Bankası Anonim Şirketi Corporate Policy on Personal Data Protection and Processing," "Yapı ve Kredi Bankası Anonim Şirketi Corporate Policy on Employee Personal Data Protection and Processing," and other regulations on personal data protection. As part of its activities, the Bank conducts a risk-based evaluation of issues related to data processing and confidentiality with respect to the collected data. The Bank determines its personal data protection strategy, internal controls and measures, operational rules, and internal responsibilities based on this approach. The Bank also carries out activities to raise awareness among personal data subjects and employees.

The Bank's personal data policies include protecting and processing the personal data of:

  • existing and potential customers,
  • customer representatives and shareholders,
  • natural person guarantors,
  • employee and intern candidates,
  • potential business partners,
  • employees, shareholders, and executives of partners,
  • potential contractors/suppliers/service providers,
  • employees, shareholders, and executives of contractors/suppliers/service providers,
  • marketing campaign/competition participants,
  • members of the press,
  • family members and relatives of data subjects, and other relevant third parties.

Personal data is transferred to the following for reasons specified in the relevant laws, legislation, and policies: legally authorized public agencies, partners, suppliers, shareholders, and affiliates. Yapı Kredi also ensures that contracts with third parties include provisions for ensuring compliance with statutory obligations under the LPPD. Furthermore, the Bank acts in accordance with the Banking Regulation and Supervision Agency (BRSA) obligations regarding data protection and processing when outsourcing services.

Personal data subjects may contact Yapı Kredi in writing or through any channel that allows verification of the data subject's identity, such as registered email, secure email, secure e-signature, mobile signature, or the data subject's email address that is already registered in the Bank's systems, to exercise the rights listed below:

  • Inquire about whether their personal data has been processed,
  • If their personal data has been processed, request information on the processing,
  • Learn the purpose of the processing of their personal data and whether their data is used in accordance with the specified purpose,
  • Request information on domestic and foreign third parties with whom their data has been shared,
  • Request correction in case the personal data processed is inaccurate or incomplete, and that the action taken in this context be notified to the third parties to whom the personal data is transferred,
  • Request deletion or destruction of personal data that is lawfully processed under the law and other applicable legislation in case the reason for processing is no longer applicable, and that the action taken in this context be notified to the third parties to whom the personal data is transferred,
  • Object to any result that is to their detriment as a result of an exclusively automated analysis of their personal data,
  • Claim compensation for the damages they might have suffered in the event their personal data is processed in an unlawful manner.

Data security constitutes a major aspect of the Bank's obligations concerning the personal data it processes. Accordingly, the Bank takes necessary technical and administrative measures to prevent unlawful processing of, and access to, personal data and to establish a sufficient level of security to protect personal data. The Bank has also included effective and responsive solution mechanisms against data breaches in its corporate plans and procedures to inform and direct the necessary and adequate action in the event of a breach. In the event of policy changes and revisions, the up-to-date policies are communicated to the public via the Bank's corporate websites. All Yapı Kredi employees, including the employees of Yapı Kredi affiliates, are given annual training to ensure compliance with the Law and to raise awareness about personal data protection practices.