Protection of Personal Data

The main objective of this Policy is to regulate personal data processing operations carried out by QNB BANK AS (“QNB or “Bank”) lawfully within the scope of banking services provided, to determine principles adopted for processing personal data under personal inviolability, the corporeal and spiritual existence of the individual set forth in Article 17 of the Constitution as well as the fundamental rights and freedoms of the individual set forth in Article 20 of the Constitution and to ensure transparency by informing Data Subjects whose personal data is processed by QNB to build corporate culture.         

QNB carries out operations by by prioritizing the security of Personal Data in all products and services provided and taking utmost care to this security of Personal Data. 

The main principle of QNB is to use Personal Data for banking transactions and to protect privacy of private life, fundamental rights and freedoms of the person whose data is processed.

In terms of implementing the Law and under this Policy:

Explicit consent: Freely given based on informed consent regarding a specific subejct,

Anonymization: The process of preventing identification of the Data Subject or losing the ability to be distinguished within a group or crowd by removing or changing all direct and/or indirect identifiers in a dataset and of rendering personal data impossible to link with an identified or identifiable natural person even though matching them with other data,

User Concerned: The persons who process personal data within the organization of the data controller or upon authorization and instructions received from the data controller, other than the person or department which is responsible for the technical storage, protection and backup of personal data,

Destruction: Erasure, destruction or anonymization of personal data,

Law: Personal Data Protection Law no.6698,

Data Subject: Customers or or non-customers whose personel data is processed such as potential customers, employees, candidates, shareholders, visitors, institutions and organizations which have business relations (support service, independent audit, rating, consultancy, service, purchasing, collaboration, solution partnerships, etc.) under a contract signed with the Bank, and their employees, shareholders and authorized persons and the third real person,

Personal Data: Any information relating to an identified or identifiable natural person,

Processing personal data: Any operation which is performed on personal data, wholly or partially by automated means or non-automated means provided that form part of a data filing system, such as collection, recording, storage, protection, alteration, adaptation, disclosure, transfer, retrieval, making available for collection, categorization or preventing the use thereof,

Board: Personal Data Protection Board,

Authority: Personal Data Protection Authority,

Customer: The natural person who receives service from the Bank according to the contract he/she has signed with the Bank and whose data is processed,

Data Processor: The natural or legal person who processes personal data on behalf of the data controller upon its authorization,

Data filing system: The system where personal data is processed by being structured according to specific criteria,

Data Controller: Natural or legal person who determines the purposes and means of processing personal data and is responsible for establishing and managing of the data filing system.

The phone, e-mail address and device information you declare to our Bank are processed into our Bank's systems if you have given your explicit consent for the purpose of conducting Advertisement / Campaign / Promotion Processes and sending you commercial electronic messages regarding these processes. For all your legal rights regarding your personal data, application methods to follow and more, you can visit the personal data protection section at Protection of Personal Data | QNB I accept that my phone, e-mail address and device information data I use will be processed and commercial electronic messages will be sent to me by your bank, your affiliates, and insurance companies that you are an agent of, for campaign, promotional and marketing content messages to be sent through electronic channels, including mobile applications.

This Policy entered into force on 07.10.2016. If it is revised partially or wholly, the relevant versions of the Policy will be updated.

The Policy is published on www.qnb.com.tr and shared with the Data Subject upon his/her request. 

All employees are responsible for implementing of this Policy throughout QNB within the scope of their authorizations.

The status of Personal Data, which is currently processed, is regulated in paragraph 3 of provisional Article 1 of the Law. Accordingly, Personal Data that was processed before the publication date of the Law shall be rendered compatible with the provisions of the Law within two years of its date of publication. Personal Data found to be not complying with the provisions of the Law shall be immediately erased, destructed or anonymized. However, consents duly taken before April 7, 2016 (the publication date of the Law) shall be deemed compatible with the provisions of the Law unless a declaration of intention is made to the contrary within one year. 

As per Article 2 of the Law, the provisions of the Law shall apply to natural persons whose Personal Data is processed and to natural or legal persons processing such data wholly or partially by automated means or non-automated means which provided that form part of a data filing system. Accordingly, Personal Data belonging to legal persons falls outside the scope of the Law; however, such data shall be deemedunder the Law if it is possible to identify the natural person by using the data related to legal person.  

The anonymized and unidentifiable data and data related to legal persons, is not considered as Personal Data and such data is not subject to this Policy.

Personal Data is any information relating to an identified or identifiable natural person. To qualify any data as Personal Data, the data must relate to a natural person, and this person must be identified or identifiable.

• Relating to natural person: Personal Data relates to a natural person, and data related to the legal persons is not considered as Personal Data. Therefore, information on a legal entity, such as commercial title or address of a company (except being related to a natural person) will not be considered as Personal Data.
• Identified or identifiable natural person: Personal Data may directly indicate the identity of the data subject or it may include all information that can be used to identify the person by relating to any record, though not directly indicating the identity of the person.
• Any Information: The term “any information” is quite comprehensive and is not only the information indicating the identity of the natural person such as name, surname, date of birth and birth place, etc., but also all data which makes the person directly or indirectly identifiable such as phone number, plate of motor vehicle, social security number, passport number, curriculum vitae, photo, video and voice records, fingerprints, IP address, e-mail address, hobbies, preferences, persons interacted with, memberships, family information, health information are considered as Personal Data.

The term “Processing of Personal Data” indicates a cycle. In Article 2 of the Law, data processing is described as a process which starts by collecting Personal Data for the first time wholly or partially by automated means or non-automated means provided that form part of a data filing system and following any operation. After collecting Personal Data as defined, any operation which is performed until the erasure, destruction or anonymization transaction is considered as processing of Personal Data under the Law.     

Personal Data can be processed in various ways: 

• Collection or recording: By the moment Personal Data is collected for the first time, processing operation starts. 
• Organizing/storage: Protection, preservation, or storage of Personal Data in digital or physical media is considered within the scope of processing. 
• Using/alteration: Any use of Personal Data, including viewing thereof is considered as processing. 
• Transfer: Transfer of Personal Data through various methods. 
• Transmission/making available: Making data digitally available to the third parties, such as physically distributing or sharing the data, is also a processing type.  
• Preventing: Preventing the access and use of Personal Data is considered as a processing operation.

Personal Data can be processed by either automated or non-automated means:

a. Automatic Processing

Automatic data processing is the processing operation which is performed by devices with processors such as PC, telephones, watches, etc. and which is automatically carried out without human intervention by means of algorithms created with software or hardware features beforehand.

b. Processing by Non-automated Means (Which Provided That Form Part of a Data Filing System) 
Even if Personal Data is not subjected to automatic processing, it will be subject to the provisions of the Law when it is processed through the “data filing system”. These systems can be created either in electronic or physical media.

All the conditions below must be met together in order to process the data lawfully: 

• Processing is based on the consent or the conditions for processing personal data in the Law, 
• Obligation to inform is fulfilled,
• Processing is limited to the purpose and period,
• Compliance with general (basic) principles of law

During the period when our customers use banking services offered by QNB and after the relationship is over, the Bank has the right to process the data of the Data Subject provided that it complies with the purposes specified in this Policy. 
With respect to the Data Subject, QNB has the right to process the data of the Data Subject provided that grounds of justification laid down in the Law still exist. 

Processing of Personal Data by QNB is the operation performed on the data by automated, semi-automated or non-automated means within the scope of banking operations. 

Processing of Personal Data means any operation which is performed on personal data, such as collection, voice or video recording, recording, protection, organizing, storage, using, alteration, adaptation, categorization, disclosure, transfer in domestic (Türkiye) or abroad, making available, retrieval, and preventing the use thereof.

QNB processes Personal Data in compliance with the principles laid down in the Law, and the procedures and principles stated in this Policy, and within the scope below. 

• Lawfulness and Fairness

  QNB processes Personal Data in accordance with the relevant legislation and requirements of the fairness rule and uses within these limits.

• Being Accurate and Kept Up-to-date Where Necessary

  QNB keeps the processed Personal Data accurate and up-to-date by taking into consideration the fundamental rights and legitimate interests of Data Subjects. Within this scope, the Bank pays attention to determining the sources from which the data is collected, verifying the accuracy of the source from which the data is collected and assessing whether such data needs to be updated.

• Being Processed for Specified, Explicit and Legitimate Purposes

  QNB determines explicitly and precisely the purpose of data processing and ensures that this purpose is legitimate. The fact that the purpose is legitimate means that Personal Data processed by ONB is related to and necessary for banking services provided and works or activities carried out within this scope.

• Being Relevant, Limited and Proportionate to the Purpose for Which the Data Is Processed

  QNB ensures that the processed Personal Data is suitable for the realization of the determined purposes and avoids the processing of Personal Data that is not related to the realization of the purpose or that is not needed. In order to process the data to meet possible needs that may arise later, the Bank fulfills the conditions for the processing of Personal Data regulated in the Law as if it starts to process for the first time. In addition, the processed data is limited to Personal Data necessary for the realization of the purpose.

• Being Stored for the Period Laid Down by Relevant Legislation or the Period Required for the Purpose for Which Personal Data Is Processed

  QNB complies with the period laid down for storage of the data as per all the legislations to which it is subject within the scope of the Banking Law no.5411 and its activity. Otherwise, it stores Personal Data only for the period required for the purpose for which Personal Data is processed. If there is no valid reason for further storage of Personal Data by QNB, that data is erased, destructed or anonymized within the scope of the regulations in the “Personal Data Storage and Destruction Policy”. 

In the Law, “explicit consent” means the freely given, informed, unambiguous and specific statement by the Customer for processing personal data relating to him/her. As per Article 5 of the Law, explicit consent is one of the conditions for processing personal data in the Law, and it does not have any comparative advantage over the other conditions for processing personal data. The explicit consent is not the sole element which legitimizes the data processing activities.  

Personal Data may be processed without seeking the explicit consent of the Data Subject only in cases where one of the following conditions is met: 

• It is expressly provided for by the laws.
• QNB may process Personal Data of the Data Subjects within the scope expressly provided for by the laws to which the Bank is subject due to its banking operations even if there is not any explicit consent.
• It is necessary for the protection of life or physical integrity of the person himself/herself or of any other person, who is unable to explain his/her consent due to the physical disability or whose consent is not deemed legally valid. 
• Processing of Personal Data of the parties of a contract is necessary, provided that it is directly related to the establishment or performance of the contract.  
• It is necessary for compliance with a legal obligation to which the Data Controller is subject. 
• Personal Data has been made public by the Data Subject himself/herself. 
• Data processing is necessary for the establishment, exercise or protection of any right. 
• Processing of data is necessary for the legitimate interests pursued by the Data Controller, provided that this processing shall not violate the fundamental rights and freedoms of the Data Subject.
• QNB may process Personal Data of the Data Subject in cases where the processing of Personal Data is necessary for ensuring the legitimate interests, provided that the fundamental rights and freedoms of the Data Subjects are protected by the Law and this Policy are not violated. 

QNB shows the required sensitivity in complying with the fundamental principles related to Personal Data protection and balancing the interests of both QNB and the Data Subject. 

QNB processes Personal Data in order to

• Fulfill liabilities following the Banking Law no.5411 and all the regulations to which QNB is subject within the scope of banking operations,
• Fulfill the conditions of agreements relevant to the products and services drawn up for the banking services to be offered and liabilities taken over, 
• Conduct the credibility assessments of our customers and carry out inquiry, research, planning and statistical works,     
• Develop the services of the Bank in order to be offered to the customers in the best manner while they analyze their credit history, statistical data, etc.,
• Contact the customers regarding the current status of banking services and updates, provide required information in this respect,
• Offer a new and/or additional a loan or a product other than loan for which the banking transactions and/or credit history and/or behaviour models of our customers are required to be provided or change current conditions,
• Provide services related to banking, insurance, investment and financial products and carry out the related transactions, including those that can be offered acting as an agency, carry out the activities within this scope and develop the services, 
• Provide guidance for our customers on the products which attract them by considering their usage habits and provide information on the campaigns, carry out advertisement, marketing, promotional and campaign activities regarding the services and products,     
• Know our customers who carry out banking transactions through the branches, alternative distribution channels, Internet banking and /or mobile branches and use them for customer analysis to increase customer satisfaction, carry out various marketing and advertisement activities, 
• Offer suggestions to our customers by the contracted companies and solution partners, inform our customers about our services,
• Evaluate the customer complaints and suggestions about our services,
• Fulfill our legal liabilities and exercise our rights arising from the relevant legislation,
• Plan and implement our Human Resources policies in the best manner, evaluate Personal Data shared during the job applications

within the scope of the conditions for processing Personal Data stated in Articles 5 and 6 of the Law. 

Current Employees: QNB has the right to process Personal Data which the Data Subject discloses because he/she will start working and/or internship, with the purposes of performaning the employment contract signed with QNB , and/or fulfilling his/her employee personal rights arising from this contract and maintenance of these uninterruptedly, all kinds of insurance services, occupational health and safety services to be provided to the employees, performance management and evaluation and follow-up, learning activities and conducting human resources and learning processes.   

Candidates: The evaluation of job applications, inquiry, research and other recruitment processes are conducted in accordance with the relevant regulations of the law. 

For the processing of Personal Data related to the business relation but not initially the part of the performance of the employment contract at first, the other grounds of justification stated in the Law must exist.

QNB aims to protect the security of itself and the third parties by using footage recorded by the security cameras at the entrance and inside of the Head Office, Regional Offices, Branches and ATMs.   

Data processing activity mentioned above, is carried out in compliance with the Law on Private Security Services no.5188, and the relevant legislation. 

QNB carries out the security camera monitoring activity in compliance with the purposes laid down in the relevant legislation and the conditions for processing Personal Data stated in the Law in order to provide the security.       

Voice is recorded when QNB contacts by phone within the scope of the Regulation on Determination of Service Level and Quality of Bank Call Centers provided that the Data Subject is informed.

Processing Personal Data Related to Visitors

Personal Data is processed by QNB to monitor visitor entries/exits in the QNB’s Head Office, Regional Offices and Branches to provide security and for the purposes stated in this Policy.  

The Data Subjects are informed when their names and surnames are obtained during their visits to QNB’s Head Office, Regional Offices, and Branches, or through clarification texts hung within the Head Office, Regional Offices and Branches or made available to the visitors in other methods.    

The data, which is collected for monitoring visitor entries/exits, is only processed for this purpose, and the relevant personal data is recorded in the data filing system in the physical media.

Storage of the Records Regarding the Internet Access Provided to the Visitors

In order to provide security for the purposes stated in this Policy, QNB may provide Internet access to the visitors who request this service during the time they are in the Head Office Buildings. Logs regarding Internet access are recorded in accordance with the Law no. 5651 on Regulation of Publications on the Internet and Combating Crimes Committed By Means of Such Publications and the imperative provisions of the legislation regulated as per this Law, these records are only processed in the event that they are requested by authorized public institutions and organizations or in order to fulfill our legal liabilities in the audit processes to be carried out within QNB. 

A limited number of employees can access to the log records obtained within this scope. These employees access these records in order to respond to the requests received from the authorized public institutions and organizations or use them in the audit processes, and they share them with legally authorized persons.   

Website Visitors

Internet activities of persons who visit the websites of QNB are recorded by technical means (e.g. Cookies) in order to ensure that they visit to the websites in accordance with their purposes of visit, to display personalized content, and to carry out online advertising activities.

Detailed explanations regarding the protection and processing of Personal Data related to these activities carried out by QNB are included in the “Privacy Policy” texts of the relevant websites.

QNB acts in compliance with the regulations laid down in the Law for processing of “special categories of personal data” determined by the Law. 

In Article 6 of the Law, certain personal data that carries the risk of causing victimization of persons or discrimination when processed unlawfully is determined as “special categories”. The data relating to the race, ethnic origin, political opinion, philosophical belief, religion, religious sect or other beliefs, appearance, membership to associations, foundations or trade unions, health, sexual life, criminal convictions and security measures, and the biometric and genetic data is deemed to be special categories of personal data. 

QNB processes the special categories of personal data in compliance with the Law by taking adequate measures to be determined by the Board, provided that

• the Data Subject has explicit consent,
• it is expressly provided for by the laws,
• it is necessary for the protection of life or physical integrity of the person himself/herself or of any other person, who is unable to explain his/her consent due to the physical disability or whose consent is not deemed legally valid,
• it is related to Personal Data made public by the Data Subject and is in accordance with the will of the Data Subject to make it public,
• it is necessary for the establishment, exercise or protection of any right,
• it is necessary for the protection of public health, operation of preventive medicine, medical diagnosis, treatment and nursing services, as well as planning, management and financing of health care services by the persons or authorized institutions and organizations under confidentiality obligation,
• it is necessary for fulfilling legal obligations in the fields of employment, occupational health and safety, social security, social services and social assistance,
• it is intended for current or former members and participants or persons regularly in contact with these organizations, provided that it is processed by foundations, associations and other non-profit organizations established with political, philosophical, religious or trade union purposes, in compliance with their legislation and purposes, limited to their fields of activity and that it is not disclosed to the third parties. 

QNB may transfer Personal Data of the Data Subject to third parties by taking the necessary security measures in line with the lawful purposes of Personal Data processing. QNB acts in compliance with the regulations laid down in Article 8 of the Law. 

In line with legitimate and lawful purposes of Personal Data processing, QNB may transfer Personal Data to third parties based on and limited to one or some of the conditions for processing personal data stated in Article 5 of the Law:

• If the Data Subject has explicit consent, 
• If the transfer of Personal Data is expressly provided for by the laws, 
• If it is necessary for the protection of life or physical integrity of the Data Subject or of any other person, and the Data Subject is unable to explain his/her consent due to the physical disability or his/her consent is not deemed legally valid, 
• If the transfer of Personal Data of the parties of a contract is necessary, provided that it is directly related to the establishment or performance of the contract, 
• If the transfer of Personal Data is necessary for compliance with a legal obligation to which QNB is subject, 
• If Personal Data is made public by the Data Subject,  
• If the transfer of Personal Data is necessary for the establishment, exercise or protection of any right, 
• If the transfer of Personal Data is obligatory for the legitimate interests of QNB provided that the fundamental rights and freedoms of the Data Subject are not violated.

Transfer of Personal Data Abroad 

QNB may transfer Personal Data of the Data Subject to the third parties by taking the necessary security measures in line with lawful purposes of Personal Data processing. 

If one of the conditions for processing personal data stated in Articles 5 and 6 of the Law is applicable and the Board makes an adequacy decision regarding the country, sectors or international organizations within the country to which the data will be transferred, QNB may transfer Personal Data. QNB acts in compliance with the regulations laid down in Article 9 of the Law. 

If there is no adequacy decision, ONB may transfer Personal Data abroad in line with legitimate and lawful purposes of Personal Data processing provided that one of the conditions stated in Articles 5 and 6 of the Law is applicable and the data subject has the opportunity to exercise his/her rights and access effective legal remedies in the country of transfer, upon the provision of one of the following appropriate safeguards by the parties: 

• The existence of a non-international agreement between public institutions and organizations abroad or international organizations and public institutions and organizations or professional organizations with public institution status in Türkiye and the authorization granted by the Board,
• the existence of binding corporate rules approved by the Board and including provisions related to Personal Data protection, to which companies within the group engaged in common economic activities are obliged to comply,
• the existence of a standard contract announced by the Board and including matters such as data categories, purposes of data transfer, recipients and recipient groups, technical and administrative measures to be taken by the data recipient and additional measures for special categories of personal data,
• the existence of a written undertaking including provisions to ensure adequate protection and the authorization granted by the Board. 

Purposes of Transfer

Personal Data, which is processed by QNB, is transferred limited with the purposes of planning and carrying out strategies, ensuring the legal, commercial and physical security of QNB to perform the contract signed between QNB and institutions and organizations which have business relations (support service, independent audit, rating, consultancy, service, purchasing, collaboration, solution partnerships, etc.), ensuring corporate operation, carrying out works to ensure that the customers benefit from the products and services offered in the best manner, customizing the products and services according to the requests and needs of the customers, developing the services offered on the website, planning and implementing our Human Resources policies in the best manner and contacting those who send their requests and complaints to QNB and within the scope of the conditions stated in Articles 8 and 9 of the Law.

Erasure, Destruction or Anonymization of Personal Data

Without prejudice to the provisions in other laws related to erasure, destruction or anonymization of Personal Data, QNB erases, destructs or anonymizes Personal Data ex officio or upon request of the Data Subject within the scope of the principles in the “Personal Data Storage and Destruction Policy” despite being processed in compliance with the provisions of the Law and other relevant laws, in the event that conditions for processing no longer exist.

Erasure of Personal Data is the process of rendering personal data inaccessible and non-reusable for the users concerned by no means.

Destruction of Personal Data is the process of rendering personal data inaccessible, irretrievable or non-reusable by anyone by no means.

Personal Data is anonymized to prevent identification of the Data Subject or loss of the ability to be distinguished within a group or crowd by removing or changing all direct and/or indirect identifiers in a dataset. This renders personal data impossible to link with an identified or identifiable natural person even though matching them with other data.  

Storage Period of Personal Data 

QNB stores Personal Data for the periods laid down in the laws and other legislation. Following the realization of the purpose of personal data processing and the end of the period stated in the regulations of the relevant law, Personal Data is erased, destructed or anonymized ex officio or upon request of the Data Subject within the scope of the principles in the “Personal Data Storage and Destruction Policy”.  

In case Personal Data is destructed through these relevant methods, such data can be reused or retrieved by no means. If the purpose of data processing no longer exists or the periods stated in the relevant laws expire in cases where QNB has a legitimate interest, Personal Data can be stored provided that the fundamental rights and freedoms of the Data Subject are not violated. 

Each Data Subject has the right to 

a) learn whether Personal Data is processed or not, b) request information as to if Personal Data is processed, c) learn the purpose of the processing of Personal Data and whether data is used in accordance with the purpose, ç) know the third parties in the country or abroad to whom Personal Data is transferred, d) request rectification of the incomplete or inaccurate data, if any, e) request erasure or destruction of Personal Data, f) request reporting of the operations carried out pursuant to sub-paragraphs (d) and (e) to third parties to whom Personal Data is transferred, g) object to occurrence of any result against him/her by analyzing Personal Data processed solely through automated systems, ğ) claim compensation for the damage arising from the unlawful processing of Personal Data.

QNB concludes requests relating to the implementation of this Policy and Law within the shortest time and in 30 days at the latest by taking into account the nature of the demand in the request free of charge. However, if the action requires an extra cost, the fees below determined by the Board may be charged. If the request is made due to fault of QNB, the fee is refunded to the Data Subject.

Method of request 

Under the rights described in Article 11 of the Law, Data Subject may send requests

• by using Application Form which can be obtained from the branches of the Bank or by providing a letter along with documents proving identity (identity card, driver's license, passport, etc.) by personal application,
• by means of secure electronic signature, mobile signature or electronic mail address which is previously notified to our Bank and is registered in the systems of the Bank 
  • to the Bank’s Registered e-mail address (qnb@hs05.kep.tr) and
  • to kvkk_bilgi@qnb.com.tr address.

Requests shall be accepted following the indentity verification by the Bank and response shall be given in written or via electronic media within the legal period.

In written requests, the date when the letter is submitted to the Bank shall be considered as the date of request.

Response to request

QNB is obliged to take all the required administrative and technical measures to conclude the requests to be made by the Data Subject effectively and in accordance with norms of lawfulness and fairness.

QNB shall act on the request or refuse it together with justified grounds. QNB shall send its response to the Data Subject in writing or by electronic means.

In case the demand of the Data Subject is accepted, it shall be fulfilled by QNB within the shortest time and the Data Subject shall be informed.     

Fee

If the request of the Data Subject is to be responded in writing, no fee will be charged up to ten pages. 1 Turkish Lira may be charged per page over ten pages.

In cases where the request is responded by means of recording medium like CD, flash memory, fee to be charged by the data controller cannot exceed the cost of the recording medium.

The Law, this Policy and its provisions shall not apply in the situations below:

• Personal data is processed by natural persons within the scope of purely personal activities of the data subject or of family members living together with him/her in the same dwelling provided that it is not disclosed to third parties and the obligations about data security are complied with,
• Personal data is processed for official statistics and provided that it is anonymized for the purposes such as research, planning and statistics,
• Personal data is processed with artistic, historical, literary or scientific purposes or within the scope of freedom of expression provided that national defence, national security, public security, public order, economic security, right to privacy or personal rights are not violated or the process does not constitute a crime,
• Personal data is processed within the scope of preventive, protective and intelligence activities carried out by public institutions and organizations duly authorized and assigned by law to maintain national defence, national security, public security, public order or economic security,
• Personal data is processed by judicial authorities or execution authorities with regard to investigation, prosecution, judicial or execution proceedings.

Provided that it is in compliance with and proportionate to the purpose and fundamental principles of this Policy and the Law, Article 10 regarding the data controller’s obligation to inform, Article 11 regarding the rights of the data subject, excluding the right to claim compensation, and Article 16 regarding the obligation to register with the Data Controllers Registry shall not apply to the following situations where personal data processing:

• is necessary for the prevention of committing a crime or for crime investigation,
• is carried out on the data which is made public by the data subject himself/herself,
• is necessary for the performance of supervision or regulatory duties and disciplinary investigation or prosecution to be carried out by the assigned and authorized public institutions and organizations and by public professional organizations, in accordance with the power conferred on them by the law,
• is necessary for the protection of the economic and financial interests of the State related to budget, tax and financial matters.

Data processing activities, carried out by QNB within the frame of banking operations, are subjected to the data security principles within the scope of the Banking Law no.5411, Communiqué on the Principles to Be Taken as Basis for Management of Information Systems in Banks, and Communiqué on the Internal Systems, which are the sub-regulations of the relevant law.

Relevantly, it is forbidden for any employee in QNB to access to, process or use such data without authorization. 

Processing such data by any employee who is not authorized within the scope of the legal duties of QNB is deemed to be an unauthorized transaction. 

The employees of QNB can only have access to Personal Data within the frame of the type and scope of their aforementioned duties properly. Roles and responsibilities are separated and detailed according to the principle of separation of duties.  

Misusing of Personal Data for special or commercial purposes, sharing such data with unauthorized persons or making them accessible by QNB’s employees is forbidden.

QNB carries out the data processing activity in compliance with the regulations of the Law and approaches to Personal Data Protection and Processing Policy as a part of corporate governance. Besides, the Bank takes all the required administrative and technical measures to enforce the Policies and Procedures published as per the Law. 

Data processing activities carried out by QNB are regularly checked by the authorized employees working in the relevant units of the Bank and are subject to audit.