
Banking Secrecy and Data Protection in Turkey: Legal Limits Under BDDK and KVKK Regulations

Introduction

Banking secrecy and data protection in Turkey constitute one of the most sensitive and heavily regulated areas of financial law. Banks and financial institutions process vast amounts of personal and financial data daily. This data includes account information, transaction history, loan records, credit scores, and identity documentation. Given the systemic importance of banks in the financial ecosystem, Turkish law imposes strict confidentiality and data protection obligations.

Two primary legal frameworks govern this field:

  1. Banking Law No. 5411, supervised by the Banking Regulation and Supervision Agency (BDDK), and

  2. Personal Data Protection Law No. 6698 (KVKK), supervised by the Personal Data Protection Authority (KVKK Authority).

While these regimes overlap, they serve distinct regulatory purposes. Understanding the legal limits, compliance requirements, and sanctions under both frameworks is essential for banks, financial institutions, fintech companies, and legal practitioners.


Legal Framework of Banking Secrecy Under Turkish Law

Article 73 of Banking Law No. 5411

Banking secrecy in Turkey is primarily regulated under Article 73 of the Banking Law. This provision establishes strict confidentiality obligations for:

  • Board members of banks

  • Bank employees

  • External service providers

  • Individuals who obtain customer information due to their professional role

The law prohibits disclosure of:

  • Customer secrets

  • Banking secrets

  • Financial and credit information

These secrets cannot be disclosed to third parties unless the disclosure is explicitly permitted by law or is made at the customer's request or instruction (the form of consent Article 73 recognises since its 2020 amendment by Law No. 7222).

Scope of “Customer Secret”

The concept of customer secret is interpreted broadly and includes:

  • Account balances

  • Transaction records

  • Loan agreements

  • Credit risk assessments

  • Collateral information

  • Investment portfolios

Even the existence of a banking relationship may fall within confidentiality scope.


Regulatory Role of the BDDK

The Banking Regulation and Supervision Agency (BDDK) oversees compliance with banking secrecy obligations. In recent years, regulatory scrutiny has increased, especially concerning:

  • Outsourcing arrangements

  • Cloud computing usage

  • Data localization

  • Third-party service providers

Amendments and Secondary Legislation

Recent regulatory developments have introduced stricter limitations on data sharing, especially with foreign parent companies and group entities. Turkish banks must now demonstrate:

  • A legal basis for any data transfer

  • Technical and administrative safeguards

  • Compliance with confidentiality principles

Unauthorized disclosure may result in administrative fines, professional bans, and even criminal liability.


Data Protection Obligations Under KVKK

Relationship Between Banking Law and KVKK

The Banking Law regulates confidentiality; KVKK regulates the processing of personal data. Financial information almost always qualifies as personal data because it is linked to an identifiable individual.

Therefore, banks must comply with both regimes simultaneously.

Key KVKK Principles Applicable to Banks

Under Article 4 of KVKK, personal data must be:

  • Processed lawfully and fairly

  • Accurate and up-to-date

  • Processed for specific and legitimate purposes

  • Limited and proportionate

  • Retained only as long as necessary

Banks must ensure that all financial data processing activities comply with these core principles.


Legal Bases for Processing Financial Data

Under Article 5 of KVKK, personal data may be processed if:

  • The data subject gives explicit consent, or

  • Processing is explicitly provided for by law, or

  • Processing is necessary for the establishment or performance of a contract to which the data subject is a party, or

  • Processing is necessary for the controller to fulfil a legal obligation

Article 5 lists further grounds (for example the controller's legitimate interests), but these are the ones banks rely on in practice. Most banking data processing therefore rests on:

  • Contractual necessity (loan agreements, account services)

  • Legal obligations (AML compliance, reporting to MASAK, the Financial Crimes Investigation Board)

Explicit consent is generally required for marketing activities, profiling beyond contractual necessity, and certain cross-border transfers.


Cross-Border Data Transfers and Data Localization

One of the most controversial aspects of banking secrecy and data protection in Turkey concerns cross-border data transfers.

Restrictions Under Banking Law

Banks are prohibited from sharing customer secrets with foreign entities unless:

  • The customer provides explicit consent, and

  • The transfer complies with BDDK regulations

This limitation significantly affects multinational banking groups.

Restrictions Under KVKK

Under Article 9 of KVKK, as amended by Law No. 7499 with effect from 1 June 2024, cross-border transfer requires one of the following, in this order of preference:

  • An adequacy decision of the Personal Data Protection Board for the destination country, sector or international organisation, or

  • Appropriate safeguards, namely the standard contract published by the Board, binding corporate rules approved by the Board, or a written undertaking approved by the Board, or

  • For incidental, non-repetitive transfers only, the data subject's explicit consent after being informed of the risks

Since the Board has not yet published adequacy decisions for individual countries, most transfers in practice rely on the standard contract, which must be notified to the Board within five business days of signature. Explicit consent, which was the default route before the amendment, is now an exceptional basis.


Criminal and Administrative Sanctions

Violations of banking secrecy and data protection laws may result in severe penalties.

Under Banking Law

  • Administrative fines

  • Revocation of licenses

  • Criminal liability for unauthorized disclosure

  • Professional disqualification

Under KVKK

  • Administrative fines under Article 18 of KVKK, whose ranges are revalued annually

  • Suspension of data processing activities

  • Public announcements of violations

  • Civil liability claims for damages

Banks face not only regulatory penalties but also reputational risk and compensation lawsuits from affected customers.


Banking Secrecy vs. AML and Regulatory Reporting

A common legal question concerns whether banking secrecy conflicts with anti-money laundering (AML) obligations.

Under Turkish law, confidentiality obligations do not prevent banks from:

  • Reporting suspicious transactions to MASAK

  • Complying with court orders

  • Providing information to regulatory authorities

These disclosures are considered lawful exceptions.

Thus, banking secrecy is not absolute. It operates within a structured legal framework that balances privacy and financial transparency.


FinTech Companies and Data Protection Compliance

FinTech companies operating in Turkey, including payment institutions and electronic money institutions, are subject to:

  • Banking secrecy rules (if applicable under sectoral regulations)

  • KVKK obligations

  • Regulatory oversight by the Central Bank of the Republic of Turkey (CBRT) under Law No. 6493 on Payment and Securities Settlement Systems, Payment Services and Electronic Money Institutions

These entities must implement:

  • Data mapping exercises

  • Data minimization policies

  • Vendor risk assessments

  • Cybersecurity measures

Given the digital nature of fintech operations, regulatory scrutiny is increasing.


Practical Compliance Recommendations

To mitigate regulatory risk, financial institutions should:

  1. Conduct regular compliance audits

  2. Review outsourcing agreements for confidentiality clauses

  3. Implement data classification systems

  4. Establish cross-border transfer protocols

  5. Train employees on banking secrecy obligations

  6. Prepare incident response plans

Failure to maintain internal controls may lead to both BDDK and KVKK investigations.


Litigation Risks and Civil Liability

Customers whose banking data is unlawfully disclosed may file:

  • Compensation lawsuits for material damages

  • Moral damage claims

  • Criminal complaints

Courts assess:

  • Whether disclosure was lawful

  • Whether consent existed

  • Whether adequate safeguards were in place

Data breach cases are increasing in Turkey, particularly involving digital banking platforms.


Conclusion

Banking secrecy and data protection in Turkey operate under a dual regulatory regime shaped by Banking Law No. 5411 and the Personal Data Protection Law No. 6698 (KVKK). These frameworks impose strict obligations on banks and financial institutions regarding confidentiality, data processing, and cross-border transfers.

Compliance requires not only legal awareness but also robust technical infrastructure and institutional governance. Given the increasing enforcement activity by BDDK and the Personal Data Protection Authority, institutions must proactively assess their exposure and implement comprehensive data protection strategies.

In the evolving landscape of Turkish banking and finance law, confidentiality is no longer merely a contractual duty; it is a core regulatory and reputational imperative.
