Author: Idil Yildirim Gunaydin
Introduction
The Banking Regulation and Supervision Agency (“BRSA”) published the Circular on the Disclosure of Confidential Information Regulation No.2022/1 (“Circular”) on 11.08.2022. The purpose of this Circular is to elaborate on concepts and procedures as outlined in the Regulation on Disclosure of Confidential Information that was published in the Official Gazette dated 4.06.2021 and numbered 31501 (“Regulation”) in line with Article 73 and Article 93 of Banking Law No.5411 (“Banking Law”), which authorizes BRSA to determine the scope, form, procedures and principles regarding sharing and transfer of confidential information or to impose restrictions. The Circular has particular importance as it aims to address and resolve several issues regarding the implementation of the Regulation such as criteria to be considered as joint-client, disclosures made to parent companies and sharing of sensitive data. This article briefly identifies BRSA’s key provisions.
BRSA’s Explanations Regarding Banks’ Confidentiality Obligation
The Circular concludes that the bank employees’ data is essentially considered personal data and should be treated within the principles and the scope of Law No.6698 on Protection of Personal Data (“LPPD”). However, when some categories of data such as human resources data contain information about a bank's financial status or main activities such as lending and deposit collection, the technical methods used by the bank and the capability of the bank, it is possible to treat this aspect of the data as a bank secret.
The Circular further sets the framework for exceptions to the confidentiality obligation as outlined in the Regulation. The Regulation permits banks to disclose information for the preparation of consolidated financial reports, risk management and internal audit purposes, as long as they execute a confidentiality agreement and limit disclosure of confidential information to its stated purpose. Consequently, the Circular states that within the scope of the preparation of consolidated financial statements, risk management and internal audit purposes, banks can disclose information to their parent companies, including domestic or foreign credit institutions and financial institutions holding at least ten percent of their share capital...
