Personal Data Protection

NOTIFICATION ON THE PERSONAL DATA PROTECTION

As HSBC Bank A.Ş. ("HSBC" or "Bank"), the security of your information is one of our most important priorities. In this respect, we would like to inform you about personal data processed by our Bank in accordance with the Law On the Protection of Personal Data No. 6698 ("Law"), made in order to protect the fundamental rights and freedoms of persons, as well as to protect personal data.

1. IDENTITY OF DATA CONTROLLER

Under the law, HSBC Bank A.Ş. acts as a "Data Controller". You can contact us using the contact details provided below:

Address : Esentepe Mah. Büyükdere Cad. No: 128 34394 Şişli / Istanbul

MERSİS No : 0621002428200197

Registration No : Istanbul Trade Registry Directorate - 268376

Web Site : www.hsbc.com.tr/

2. PURPOSES OF PERSONAL DATA PROCESSING AND LEGAL BASIS

Within the framework of your relationship with our bank, your personal data is processed for the following purposes and relying on the corresponding legal basis for processing personal data ("legal basis").

The following objectives may vary depending on your relationship with our Bank, the products and services that you are procuring or your permission to process your personal data. Depending on your relationship with our bank, in addition to the following objectives, you can also review the processing objectives in the sub-headings.

i. On the legal basis that the processing is necessary so as to meet the legal obligations of the Bank as the data controller and explicitly stipulated by the laws;

  • Ensuring the complete and due performance of our contractual and statutory duties,
  • Complying with national and international principles and rules, and performing information retention, reporting, and informing liabilities stipulated by the legislation and official authorities,
  • Authentication to ensure the security of customers, Bank and data, carrying out, recording and reporting controls regarding money laundering, bribery, fraud, financial crime and sanctions, raising suspicious activity reports,
  • Meeting the requirements of authorized agencies and organizations,
  • Planning the information security processes, as well as auditing and performing them,
  • Making banking services accessible and suitable for the customers with disabilities,
  • Performing reporting and auditing activities,
  • Performing credibility assessments; following up and controlling credit monitoring and repayment processes,
  • Preparation of bank statements and investment statements and sending them to the customers, recording of voice calls,
  • Managing the legal, financial, commercial, compliance and reputational risks,
  • Evaluating and responding to the suggestions, requests and complaints sent through various channels,
  • Following financial and accounting transactions, generating financial and business reports,
  • Exchanging information with institutions and organizations, banks, prospective buyers or risk center stipulated within the framework of the provisions of the Banking Law No. 5411; drawing up consolidated financial statements of the main partnerships; executing risk management and internal audit activities; executing valuation activities to sell Bank assets or securities based on them, including but not limited to loans; executing valuation, rating or assistance services; executing independent audit activities and service purchases,

ii. Provided that it is directly related to the establishment or performance of a contract, on the legal basis of necessity to process personal data belonging to the parties to the contract so as to offer the requested products and services and meet the requirements of the contracts concluded,

  • Executing banking transactions; performing correspondent banking activities,
  • Provision of products and services through online banking and our mobile app,
  • Provision of our products and services within the scope of banking, finance, investment, portfolio management, realizing the instructions you submit about our products and services, making transfers of securities such as currency, foreign exchange and gold; executing payment transactions,
  • Making international money transfers, processing payment objections related to transactions made via credit cards abroad, collecting foreign checks.

iii. Provided that no harm is caused to the fundamental rights and freedoms of the data subjects, on the legal basis of where the data processing is necessary for the legitimate interests of data controller,

  • Making improvements in line with the suggestions, requests and complaints sent through various channels; delivering the quality standards for customer services; recording conversations made through the call center accordingly and listening to and analyzing these records by our authorized units when necessary,
  • Following financial and accounting transactions, generating financial and business reports,
  • Executing customer relations activities,
  • Analyzing how our services are utilized by you and improving our products and services accordingly,
  • Ensuring the continuity of security and activities; performing activity analyses, enhancements and performance measurements,
  • Maintaining social responsibility activities that our bank is involved in,
  • Management and recording of communications with our bank,
  • Conducting effectiveness and expediency analyses for our commercial operations; planning and execution of such operations,
  • Carrying out controls regarding money laundering, bribery, fraud, financial crime and sanctions,
  • Managing the legal, financial, commercial, compliance and reputational risks,
  • Conducting market research and executing segmentation activities.

iv. On the legal basis of where the data processing is necessary to establish, use or protect a right;

  • Contract management, initiating legal transactions and following up on legal processes,
  • Planning and/or execution of activities related to establishing, sustaining and/or discharging collaterals,
  • Managing the legal, financial, commercial, compliance and reputational risks faced by our bank; taking necessary steps to protect our rights in disputes to which we are a party,

v. On the basis of your explicit consent,

  • Within the scope of marketing, advertising and promotion activities, provided that you give consent, creating special products or campaigns, identifying and recommending products or services the Bank considers that you may be interested in or that you may require; making banking services accessible and suitable for the customers with disabilities.

2.1. Related or Connected Real Person Parties, Representatives, Shareholders and Employees of Legal Person Customers

Your personal data, shared with us or disclosed in any public media by the legal entity to which you are a related and/or connected party and which is our customer through the business processes and transactions performed with our Bank, shall be collected. We may process such information for (i) executing and performing agreements with the relevant legal entity on the legal basis of where the data processing is necessary for the legitimate interests of data controller, provided that no harm is caused to the fundamental rights and freedoms of the data subjects, and (ii) within the scope of our Bank’s risk management activities on the legal basis of the processing is necessary so as to meet the legal obligations of the Bank as the data controller and explicitly stipulated by the laws.

2.2. Branch Visitors and Non-Customers Performing Transactions in the Branch

Identity information, contact information, CCTV records, financial data collected when you visit the facilities of our branch network and make transactions at the branches and the data provided by you are processed for the following purposes: (i) depositing cash into the account; withdrawing cash from the account by instruction; loan payment; credit card payment; check/promissory note payment, receiving cash for the remittance to name; bill, tax, Social Security Institution payments; taking delivery of credit and debit cards; remittance to the customer’s account; writing off the customer’s account book at the branch and provision of our products and services on the legal basis of necessity to process personal data belonging to the parties to the contract so as to offer the requested products and services and meet the requirements of the contracts concluded, provided that it is directly related to the establishment or performance of a contract and (ii) in order to ensure the security of the facility, taking video and controlling these records through the security cameras located in the branch, on the exterior of the building and ATMs, managing and recording the communication with HSBC on the legal basis of where the data processing is necessary for the legitimate interests of data controller, provided that no harm is caused to the fundamental rights and freedoms of the data subjects, the processing is necessary so as to meet the legal obligations of the Bank as the data controller and explicitly stipulated by the laws.

2.3. Buyers of Insurance Products or Services

HSBC also provides our customers with intermediation activities regarding insurance products or services. The personal data of our customers utilizing our intermediary services is processed for the purposes of intermediating the insurance policy applications and the calculation of insurance premiums, intermediating the transmission of indemnity claims under the insurance policy to the insurer and their payment on the legal basis of necessity to process personal data belonging to the parties to the contract so as to offer the requested products and services and meet the requirements of the contracts concluded, provided that it is directly related to the establishment or performance of a contract. We would like to emphasize that there will be insurance companies acting as the main data controller intermediaries in terms of insurance transactions such as risk and premium calculation, and indemnity payments. For more information regarding personal data processing within this regard, please see the privacy notices of the insurance companies we cooperate with.

2.4. Individuals Under Risk Group

In Article 49 of the Banking Law No. 5411, individuals constituting the "risk group" are defined. Accordingly, risk groups are composed of the following individuals: in terms of real persons, the person himself/herself and his/her spouse and children, the undertakings where they are members of board of directors or general managers or the undertakings which they or a legal person control individually or jointly, directly or indirectly or participate in with unlimited responsibility; a bank's qualified shareholders, board of directors' members and general manager as well as the undertakings they control individually or jointly, directly or indirectly or participate in with unlimited responsibility or where they are members of board of directors or general managers; real and legal persons that have surety, guarantee or similar relationships where the insolvency of one will lead to the insolvency of the others. Banking Regulation and Supervision Agency also has the authority to identify other natural and legal persons to be included in the risk group.

The personal data of the individuals within the scope of the risk group may be processed on the legal basis that the processing is necessary so as to meet the legal obligations of the Bank as the data controller and explicitly stipulated by the laws, for the purposes of fulfilling our legal obligations, particularly as per the banking legislation; identifying the risk groups; determining the total loan amount that can be given to the individuals within the same risk group; conducting credibility assessments and managing the legal and financial risks faced by our Bank.

2.5. Persons who Secure or Guarantee for the Persons Utilizing a Product or Service

The personal data of individuals who provide guarantee or go surety for those who utilize our products or services is processed on the legal bases of the data processing is necessary to establish, use or protect a right and necessity to process personal data belonging to the parties to the contract so as to offer the requested products and services and meet the requirements of the contracts concluded, provided that it is directly related to the establishment or performance of a contract, the processing is necessary so as to meet the legal obligations of the Bank as the data controller and explicitly stipulated by the laws; for the following purposes: Managing the legal and financial risks of our bank; Making necessary transactions to protect our rights in disputes to which our bank is a party; Offering our products and services and making credibility calculations; In the cases where the individual utilizing the products or services fails to pay or defaults on his/her debts, collecting the receivables of our Bank.

2.6. Event/Organization Participant

Photos or videos can be taken at the training sessions, seminars, events, invitations and other events organized by our bank. These visual records can be processed on the legal basis of where the data processing is necessary for the legitimate interests of data controller, for the purposes of visually promoting the events organized by our bank for the public, providing information and/or raising awareness, and performing activities to enhance brand value and reputation of our Bank through advertising and promotion.

2.7. Supplier/Business Partner Connected and Related Officers/Employees

Your personal data, shared with us or disclosed in any public media by the legal entity to which you are an officer and/or employee and which is our supplier/business partner through the business processes and transactions performed with our Bank, shall be collected. We process such information for (i) executing and performing agreements with the relevant legal entity on the legal basis of where the data processing is necessary for the legitimate interests of data controller, provided that no harm is caused to the fundamental rights and freedoms of the data subjects, and (ii) within the scope of our Bank’s risk management activities on the legal basis of the processing is necessary so as to meet the legal obligations of the Bank as the data controller.

3. TRANSFER OF THE PERSONAL DATA

Your personal data can be shared with authorized agencies and organizations including but not limited to The Banks Association of Turkey Risk Center, Credit Reference Agency, Banking Regulation and Supervision Agency, Capital Markets Board, Central Bank of Turkey, Financial Crimes Investigation Board, Ministry of Treasury and Finance, Inter-Bank Card Center, Banking Association of Turkey, Central Registrar, law enforcement agencies, courts and enforcement directorates, domestic and international banks and clearing entities that provide intermediary/custody services for domestic and foreign currency and securities transfer, securities custody requests, and HSBC group companies (referring to HSBC Holdings plc and/or its affiliates, subsidiaries, joint ventures and any branches and offices thereof) in Turkey or overseas, third parties we serve as intermediaries and agents of, correspondent banks with which we cooperate, business partners, shareholders of our Company, service provider firms, vendors and support service providers and staff, officials, and subcontractors thereof, for the purposes specified in article 2 of the present Notification Text, within the framework of the provisions of the Law, covering the transfer of personal data within the country and abroad.

4. PERSONAL DATA COLLECTION METHODS AND THE LEGAL GROUNDS

Your personal data is collected on physical, written, verbal and electronic media, via the internet, phone, e-mail and mobile app, during your applications for products and services, visits to our head office, web site and branches, use of mobile app, ATM and online banking, and your calls with the call center, from you, The Banks Association of Turkey Risk Center, Credit Risk Center, the Identity Sharing System, legal entities that you are related and/or connected with, legal authorities and sources available to the public during the establishment and maintenance of the legal relationship with our Bank. The collected personal data is processed based on the following legal grounds stipulated in Articles 5 and 8 of the Law:

  • There is an express consent;
  • The binding legislation for our Bank clearly stipulates so;
  • Provided that it is directly related to the establishment or performance of a contract, the existence of a necessity to process personal data belonging to the parties to the contract so as to offer the requested products and services and meet the requirements of the contracts concluded;
  • It is compulsory so as to meet the legal liability;
  • Data processing is necessary to establish, use or protect a right;
  • It is made public by the related persons themselves;
  • Data processing is necessary for the legitimate interests of data controller, provided that no harm is caused to the fundamental rights and freedoms of the relevant person.

In case personal data is transferred to overseas countries, in addition to the abovementioned legal grounds, personal data can only be transferred abroad if the respective foreign country:

  • offers adequate protection;
  • and, in case there is no adequate protection, if HSBC and the respective data controller in the foreign country to which data will be transferred guarantee adequate protection in writing and if the Personal Data Protection Board gives its approval or
  • you have given your explicit consent for your personal data to be transferred abroad.

5. WHAT ARE YOUR RIGHTS?

You have the following rights concerning your personal data, as per the provisions in Article 11 of the Law.

  • To find out whether your personal data has been processed or not;
  • To request relevant information if your personal data has been processed;
  • To find out the grounds for processing your personal data, and whether it is used for the intended purpose;
  • To learn about the third parties to whom your personal data is transferred at home or abroad;
  • To demand correction in the event of incomplete or incorrect processing of your personal data;
  • To demand the deletion or destruction of your personal data;
  • To demand the notification of the third parties to whom personal data was transferred, about any personal data correction, deletion or destruction;
  • To object to any outcome to the detriment of the person involved, through the analysis of processed data exclusively via automatic systems;
  • To demand damages should any losses be incurred due to the illegal processing of personal data.

6. CONTACTING US FOR YOUR RIGHTS AND REQUESTS

You can either personally submit your requests to our branches in writing or send them through a notary public as per your legal rights. You can also send an e-mail to hsbcbank@hs04.kep.tr using a registered electronic mail (KEP) address, secure electronic signature, mobile signature, or to kvkkiletisim@hsbc.com.tr using the electronic mail address previously reported to our Bank and registered in our systems.

The application must include (i) name, surname and, if in writing, signature; (ii) Republic of Turkey identification number for citizens of the Republic of Turkey, and nationality, passport number or, if any, identification number for foreigners; (iii) residential area or workplace address provided for correspondence; (iv) if any, electronic mail address, telephone and fax numbers provided for notification and (v) subject of the request.

Applications made within this scope are accepted following an identification verification by us, and your requests stated in the application are concluded as soon as possible and within 30 days at the latest depending on the type of requests.

7. THINGS YOU CAN HELP WITH

It is important that the personal data we keep about you should be correct and up-to-date. To this end, we kindly ask you to inform us of any change to your personal data using our abovementioned contact details.

If you share with our Bank any personal data not belonging to you, you should make sure that this Notification Text is referred to and read by them so that they can have knowledge about the use of their personal data.

If you would like to get further information regarding personal data, you can always reach us via the abovementioned contact details or visit the Personal Data Protection Agency's website at https://www.kvkk.gov.tr/.