Notification on the Protection of Personal Data Regarding Credit Card Product Applications and Credit Card Limit Increase

At HSBC Bank A.Ş. (“HSBC” or the “Bank”), the information security of our Customers is one of our top priorities. In this respect, we would like to inform you about personal data processed by our Bank in accordance with the Law On the Protection of Personal Data No. 6698 (“Law” made in order to protect the fundamental rights and freedoms of persons, as well as to protect personal data.

1. IDENTITY OF DATA CONTROLLER

Under the law, HSBC Bank A.Ş. acts as a “Data Controller”. You can contact us using the contact details provided below:

Address: Esentepe Mah. Büyükdere Cad. No: 128 34394 Şişli / Istanbul

MERSİS No: 0621002428200197

Registration No: Istanbul Trade Registry Office - 268376

Website: www.hsbc.com.tr/

2. PURPOSES OF AND LEGAL GROUND FOR PERSONAL DATA PROCESSING

Your personal data are processed for the purposes as set out below and in accordance with legal terms of data processing (“legal ground”) as part of the processes regarding personal lending products with our Bank:

Personal Data Categories	Purpose of Processing Personal Data	Legal Ground
Identity Communication Customer transaction Risk management Finance Professional experience	Authentication to ensure the security of customers, Bank and data; carrying out, recording and reporting controls regarding money laundering, bribery, fraud, financial crime and sanctions, raising suspicious activity reports Exchanging information with institutions and organizations, banks, prospective buyers or risk center stipulated within the framework of the provisions of the Banking Law No. 5411, drawing up consolidated financial statements of the main partnerships, executing risk management and internal audit activities, executing valuation activities to sell Bank assets or securities based on them, including but not limited to loans, executing valuation, rating or assistance services, executing independent audit activities and service purchases	Based on the legal ground that processing is required in order for the Bank to fulfill its legal obligation as the data controller
Identity Communication Risk management Customer transaction Finance Professional experience	Arrangement and execution of the banking transactions agreement pursuant to your credit card and limit increase request Performing customer due diligence and retail onboarding system evaluations Determining and negotiating the conditions of credit card and limit increase Provision of credit card services/transactions through online banking and our mobile application	Based on a legal ground that requires processing of personal data belonging to the agreement parties, provided that it is directly related to the execution and fulfilment of an agreement
Identity Communication Customer transaction Risk management Finance Professional experience	Contract management, initiating legal transactions and following up on legal processes, conducting debt follow-up through contracted law firms and/or performing transfer of receivables to the asset management company Managing the legal, financial, commercial, compliance and reputational risks faced by our Bank, taking necessary steps to protect our rights in disputes to which we are a party	Based on a legal ground that requires data processing to establish, exercise or protect a right

3. TRANSFER OF THE PERSONAL DATA

Your personal data are transferred for the below mentioned purposes and in accordance with legal terms of data processing (“legal ground”) as part of your loan processes with our Bank:

Personal Data Categories	Persons/Organizations on the Receiving End and Purposes of Transfer	Legal Ground
Identity Communication Risk management Customer transaction Finance Professional experience	To judicial authorities and public institutions and organizations that are legally authorized to receive information, for legal reasons such as legal reporting, carrying out regulation and supervision activities and managing complaints and legal processes: The Banks Association of Turkey Risk Center CBRT Central Bank Credit Reference Agency (Kredi Kayıt Bürosu A.Ş.) Banking Regulation and Supervision Agency Capital Markets Board Ministry of Treasury and Finance, Financial Crimes Investigation Board, Revenue Administration Interbank Card Center The Banks Association of Turkey Courts, Execution Offices and Consumer Arbitration Committees Identity Information Sharing System, Address Based Registration System, e-sequestration system, e-pledge system PTT Other authorized bodies and organizations	It is required in order for the Bank to fulfill its legal obligation and it is clearly set forth in the laws
Identity Communication Risk management Customer transaction Finance Professional experience	For the purpose of following financial and accounting transactions, generating financial and business reports, Shareholders of our company Authorized business partners such as financial advisors and auditing companies Contract management, initiating legal transactions and following up on legal processes, conducting debt follow-up through contracted law firms and/or performing transfer of receivables to the asset management company Business partners Law firms, parties providing collection services to us Arrangement and execution of the banking transactions agreement pursuant to your credit card and limit increase request; Companies providing services to us, suppliers and support service provider companies and their employees, authorized persons and subcontractors For the purpose of providing products and services through online banking and our mobile application: Companies providing services to us, suppliers and support service provider companies and their employees, authorized persons and subcontractors	Data processing is necessary for the legitimate interests of the Bank, provided that no harm is caused to the fundamental rights and freedoms of the relevant person

Personal Data Categories

Persons/Organizations on the Receiving End and Purposes of Transfer

Legal Ground

Identity
Communication
Risk management
Customer transaction
Finance
Professional experience

To judicial authorities and public institutions and organizations that are legally authorized to receive information, for legal reasons such as legal reporting, carrying out regulation and supervision activities and managing complaints and legal processes:

The Banks Association of Turkey Risk Center
CBRT Central Bank
Credit Reference Agency (Kredi Kayıt Bürosu A.Ş.)
Banking Regulation and Supervision Agency
Capital Markets Board
Ministry of Treasury and Finance, Financial Crimes Investigation Board, Revenue Administration
Interbank Card Center
The Banks Association of Turkey
Courts, Execution Offices and Consumer Arbitration Committees
Identity Information Sharing System, Address Based Registration System, e-sequestration system, e-pledge system
PTT
Other authorized bodies and organizations

It is required in order for the Bank to fulfill its legal obligation and it is clearly set forth in the laws

Identity
Communication
Risk management
Customer transaction
Finance
Professional experience

For the purpose of following financial and accounting transactions, generating financial and business reports,

Shareholders of our company
Authorized business partners such as financial advisors and auditing companies

Contract management, initiating legal transactions and following up on legal processes, conducting debt follow-up through contracted law firms and/or performing transfer of receivables to the asset management company

Business partners
Law firms, parties providing collection services to us

Arrangement and execution of the banking transactions agreement pursuant to your credit card and limit increase request;

Companies providing services to us, suppliers and support service provider companies and their employees, authorized persons and subcontractors

For the purpose of providing products and services through online banking and our mobile application:

Companies providing services to us, suppliers and support service provider companies and their employees, authorized persons and subcontractors

Data processing is necessary for the legitimate interests of the Bank, provided that no harm is caused to the fundamental rights and freedoms of the relevant person

4. PERSONAL DATA COLLECTION METHODS AND THE LEGAL GROUNDS

Your personal data are physically collected through printed forms, phone, phone banking, branches and ATMs and electronically collected through the internet, phone, short messages (SMS), e-mail and mobile application channels. Collected personal data will be processed based on the legal data processing conditions specified under title number 2 of the text.

5. WHAT ARE YOUR RIGHTS?

You have the following rights concerning your personal data, as per the provisions in Article 11 of the Law.

To find out whether your personal data has been processed or not;
To request relevant information if your personal data has been processed;
To find out the grounds for processing your personal data, and whether it is used for the intended purpose;
To learn about the third parties to whom your personal data is transferred at home or abroad;
To demand correction in the event of incomplete or incorrect processing of your personal data;
To demand the deletion or destruction of your personal data;
To demand the notification of the third parties to whom personal data was transferred, about any personal data correction, deletion or destruction;
To object to any outcome to the detriment of the person involved, through the analysis of processed data exclusively via automatic systems;
To demand damages should any losses be incurred due to the illegal processing of personal data.

6. CONTACTING US FOR YOUR RIGHTS AND REQUESTS

You can either personally submit your requests to our branches in writing or send them through a notary public as per your legal rights. You can also send an e-mail to hsbcbank@hs04.kep.tr using registered electronic mail (KEP) address, secure electronic signature, mobile signature, or to kvkkiletisim@hsbc.com.tr using the electronic mail address previously reported to our Bank and registered in our systems. You can also reach us via telephone banking by calling 0850 211 0 111 to exercise your rights.

The application must include (i) name, surname and, if in writing, signature; (ii) Republic of Turkey identification number for citizens of the Republic of Turkey, and nationality, passport number or, if any, identification number for foreigners; (iii) residential area or workplace address provided for correspondence; (iv) if any, electronic mail address, telephone and fax numbers provided for notification and (v) subject of the request.

Applications made within this scope are accepted following an identification verification by us, and your requests stated in the application are concluded as soon as possible and within 30 days at the latest depending on the type of requests.

7. THINGS YOU CAN HELP WITH

It is important that the personal data we keep about you should be correct and up-to-date. To this end, we kindly ask you to inform us of any change to your personal data using our abovementioned contact details.

If you would like to get further information regarding personal data you can always reach us via the abovementioned contact details or visit Personal Data Protection Authority’s website available at https://www.kvkk.gov.tr/.

Version: 1.0
Date: 18.08.2022