On 15 March 2020, the Regulation on Banks' Information Systems and Electronic Banking Services ("Regulation"), prepared by the Banking Regulation and Supervision Agency ("BRSA"), was published in the Official Gazette. The Regulation, which sets out the procedures and principles regarding the information systems of Banks, will enter into force on 1 July 2020.
The Regulation introduces new procedures in areas such as network security, data privacy and cyber security, while the new principles it introduces for outsourced services will become an important topic in the coming days. The sixth part of the Regulation, which covers the process for procuring outsourced services, will serve as a guide to third-party management for the business world.
The important topics under Article 29 of the Regulation are explained below:
The Bank's executive management is responsible for establishing a mechanism for outsourced services and for managing the risk factors in the process. In this context, considering risk management within the organization and paying attention to the selection of outsourced service providers and to audit procedures are only a few of the rules introduced in the Article.¹
Giving management such a role is also important for all information security and data privacy processes, because the support of the organization's top management will be the key point of this process.
One of the topics that draws attention within the Regulation is the set of rules regarding the contract between the parties. The Regulation determines the minimum elements of the contract to be signed with third-party providers regarding outsourced service procurements.
In the contract, confidentiality, data breaches and measures in particular are treated as key topics, since many of these subjects and more have been emphasized within the scope of the KVKK², which has been in force since 2016.
Standardizing agreements will also be important for the management of third parties and for post-contract procedures. From now on, contracts with outsourced service providers will be standardized, and any dispute or other process between the parties will be more manageable for the Banks.
According to the Regulation, banks should from now on act in accordance with their information security policies when working with third parties, and they are also responsible for preparing updated procedures in accordance with these policies.
Thus, Banks establish the standards and guidelines for all employees and contractors who work with third parties. Third-party management procedures are also important to the Banks because they enable the organization to control the risks associated with outsourced relationships. One of the important points of this obligation is to identify a person responsible for all of this work. For sustainable third-party management, it is important to make clear who is responsible for this process.
Banks are obliged to take all necessary measures while working with third parties. In addition, they should pay attention when sharing information by acting in accordance with the principles specified in the KVKK.³
Access control, which is also included in the guidelines prepared by the Turkish Data Protection Authority,⁴ is one of these measures. It is an important point that the Regulation covers topics similar to those of the data protection law.
The Regulation emphasizes that some internal services cannot be outsourced due to the importance and risk of these subjects. Internal audit and critical issues are given as examples.
The Regulation aims to reduce the risk of outsourcing critical and important services and indicates that these services are to be provided by Bank employees.
One of the most important topics brought under the Regulation is undoubtedly the rule on the use of local outsourced services and products. According to the Regulation, critical information systems and the production of goods should be outsourced locally.
Transferring personal data abroad is currently a very problematic topic under the KVKK, so the Regulation's local outsourcing rule will be mentioned a lot.
In conclusion, outsourced services are an important topic for most companies because of their unpredictable risks. For this reason, third-party management has become a serious topic for many organizations. This Regulation is an important step towards minimizing all these risks for the Banks, but it will also be significant for many institutions and organizations in the coming days. Today, when there are so many data breaches due to outsourced services, the Regulation is undoubtedly important in many respects.
Footnotes
1 Article 29 (1), The Regulation on Banks' Information Systems and Electronic Banking Services
2 The Personal Data Protection Law No. 6698
3 Article 4, The Personal Data Protection Law No. 6698
4 https://kvkk.gov.tr/SharedFolderServer/CMSFiles/7512d0d4-f345-41cb-bc5b-8d5cf125e3a1.pdf
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.