Data protection notice according to EU-DSGVO

With the following information, we would like to give you an overview of the processing of your personal data by us and your rights under data protection law. Which data is processed in detail and how it is used depends largely on the services requested or agreed.

The responsible body is:

You can reach our company data protection officer at
Email: dataprotection@yapikredi.de

We process personal data that we receive from our clients as part of our business relationship. In addition, we process - to the extent necessary for the provision of our services - personal data that we legitimately obtain from publicly accessible sources (e.g., debtor directories, land registers, commercial and association registers, press, Internet) or that are legitimately transmitted to us by other companies of the YKB-Group or by other third parties (e.g., a credit agency).

Relevant personal data are personal details (name, address and other contact details, date and place of birth and nationality), identification data (e.g., ID card data) and authentication data (e.g., signature sample). In addition, this may also include order data (e.g., payment order), data from the fulfilment of our contractual obligations (e.g., turnover data in payment transactions), information about your financial situation (e.g., creditworthiness data, scoring/rating data, origin of assets), advertising and sales data (including advertising scores), documentation data (e.g., consultation protocol) and other data comparable to the categories mentioned.

We process personal data in accordance with the provisions of the European General Data Protection Regulation (GDPR) and the German Federal Data Protection Act (BDSG):

a - For the fulfilment of contractual obligations (Art. 6 para. 1 b GDPR)

Data is processed for the provision of banking transactions and financial services as part of the execution of our contracts with our customers or for the implementation of pre-contractual measures that are carried out on request. The purposes of data processing are primarily based on the specific product (e.g. account, loan, building society savings, securities, deposits, brokerage) and may include, among other things, needs analyses, advice, asset management and support as well as the execution of transactions. Further details on the data processing purposes can be found in the relevant contractual documents and terms and conditions.

b - As part of the balancing of interests (Art. 6 para. 1 f GDPR)

Where necessary, we process your data beyond the actual fulfilment of the contract to protect our legitimate interests or those of third parties. Examples:

• Consultation of and data exchange with credit agencies (e.g., SCHUFA) to determine creditworthiness or default risks in the credit business and the need for a seizure protection account or basic account,
• Examination and optimization of procedures for needs analysis for the purpose of addressing customers directly,
• Advertising or market and opinion research, unless you have objected to the use of your data,
• Assertion of legal claims and defense in legal disputes,
• Ensuring the bank's IT security and IT operations,
• Prevention and investigation of criminal offenses,
• Video surveillance to safeguard domiciliary rights, to collect evidence in the event of robberies and fraud offenses or for proof of transactions and deposits, e.g., at ATMs (see also § 4 BDSG),
• Measures for building and system security (e.g., access controls),
• Measures to safeguard domiciliary rights,
• Measures for business management and further development of services and products,
• Risk management in the Yapı Kredi Bank-Group.

c - On the basis of your consent (Art. 6 para. 1 a GDPR)

If you have given us your consent to process personal data for specific purposes (e.g., transfer of data within the Group, analysis of payment transaction data for marketing purposes), the lawfulness of this processing is based on your consent. Any consent given can be revoked at any time. This also applies to the revocation of declarations of consent given to us before the GDPR came into force, i.e., before May 25, 2018. The withdrawal of consent does not affect the lawfulness of the data processed prior to the withdrawal.

d - Due to legal requirements (Art. 6 para. 1 c GDPR) or in the public interest (Art. 6 para. 1 e GDPR)

As a bank, we are also subject to various legal obligations, i.e., statutory requirements (e.g., German Banking Act, Money Laundering Act, Securities Trading Act, tax laws) and banking supervisory requirements (e.g., European Central Bank, European Banking Authority, Deutsche Bundesbank and German Federal Financial Supervisory Authority). The purposes of processing include credit checks, identity and age checks, fraud and money laundering prevention, the fulfilment of control and reporting obligations under tax law and the assessment and management of risks in the bank and in the Yapı Kredi Bank Group.

Within the bank, those departments that need your data to fulfill our contractual and legal obligations will have access to it. Service providers and vicarious agents employed by us may also receive data for these purposes if they maintain banking secrecy. These are companies in the categories of credit services, IT services, logistics, printing services, telecommunications, debt collection, advice and consulting as well as sales and marketing.

With regard to the transfer of data to recipients outside our bank, it should first be noted that as a bank we are obliged to maintain confidentiality about all customer-related facts and evaluations of which we become aware (banking secrecy in accordance with No. 2 of our General Terms and Conditions). We may only pass on information about you if this is required by law, if you have given your consent or if we are authorized to provide banking information. Under these conditions, recipients of personal data may be, for example:

• Public bodies and institutions (e.g., Deutsche Bundesbank, Federal Financial Supervisory Authority, European Banking Authority, European Central Bank, tax authorities, law enforcement authorities) in the event of a legal or official obligation.
• Other credit and financial services institutions or comparable institutions to which we transfer personal data in order to conduct the business relationship with you (depending on the contract, e.g., correspondent banks, custodian banks, stock exchanges, credit agencies).
• Other companies in the Yapı Kredi Bank Group for risk management due to legal or regulatory obligations.

Other data recipients may be those entities for which you have given us your consent to transfer data or for which you have released us from banking secrecy in accordance with the agreement or consent.

Data is transferred to bodies in countries outside the European Union (so-called third countries) if:

• it is necessary for the execution of your orders (e.g., payment and securities orders),
• it is required by law (e.g., reporting obligations under tax law) or
• you have given us your consent.

Furthermore, data transfer to bodies in third countries is provided for in the following cases: Your personal data will be processed in the area of account management and payment transactions as well as securities transactions in our data center in Germany and in Scotland in compliance with the European level of data protection (based on agreed standard contractual clauses for the transfer of personal data to processors in third countries within the meaning of Article 26 (2) of Directive 95/46/EC).

We process and store your personal data for as long as is necessary to fulfill our contractual and legal obligations. It should be noted that our business relationship is a continuing obligation that is intended to last for years. If the data are no longer required for the fulfilment of contractual or legal obligations, they are regularly deleted, unless their - temporary - further processing is necessary for the following purposes:

• Fulfilment of retention obligations under commercial and tax law: These include the German Commercial Code (HGB), the German Fiscal Code (AO), the German Banking Act (KWG), the German Money Laundering Act (GwG) and the German Securities Trading Act (WpHG). The retention and documentation periods specified there are two to ten years.
• Preservation of evidence within the framework of the statutory limitation periods. According to Sections 195 et seq. of the German Civil Code (BGB), these limitation periods can be up to 30 years, whereby the regular limitation period is 3 years.

Every data subject has the right of access under Article 15 GDPR, the right to rectification under Article 16 GDPR, the right to erasure under Article 17 GDPR, the right to restriction of processing under Article 18 GDPR, the right to object under Article 21 GDPR and the right to data portability under Article 20 GDPR. The restrictions under Sections 34 and 35 BDSG apply to the right to information and the right to erasure. In addition, there is a right of appeal to a competent data protection supervisory authority (Article 77 GDPR in conjunction with Section 19 BDSG).

You can withdraw your consent to the processing of personal data at any time. This also applies to the revocation of declarations of consent given to us before the General Data Protection Regulation came into force, i.e., before May 25, 2018. Please note that the revocation is only effective for the future. Processing that took place before the revocation is not affected.

We hereby declare that you are entitled to the following rights, regarding your personal data, set forth under Article 11 of the Law:

• To learn whether your personal data are being processed,
• To request information if your personal data have been processed,
• To learn the purpose of the processing of your personal data and whether they have been used accordingly,
• To learn which third parties domestic or abroad your personal data has been transferred to,
• To request rectification in case your personal data has been processed incompletely or inaccurately and to demand the operations in this regard be reported to third parties your personal data has been transferred to,
• To request deletion or destruction of your personal data within the framework of the conditions stipulated in the relevant legislation,
• To request the correction, deletion and destruction processes made in accordance with the relevant legislation be notified to the third parties to whom your personal data has been shared,
• To object to negative consequences to you that are concluded, as a result of analysis of the processed personal data through solely automatic systems,
• To demand compensation for the damages that you have suffered as a result of an unlawful processing of your personal data.

To exercise your rights listed above, you can submit your requests to our Bank:

• via our Branches with identity verification,
• via our Digital Channels or Call Center by performing identity verification,
• via your e-mail address registered in our Bank’s system.

The application must include the following:

• name, surname, and if the application is in writing, signature,
• identification number, for foreigners; nationality, passport number or identification number, if any residential or workplace address for notification,
• electronic mail address, telephone and facsimile number, if any,
• subject of the request.

Your request will be concluded as soon as possible, within 30 days at the latest and in principle, free of charge. However, if the process requires additional costs, a fee may be demanded according to the tariff determined by the Personal Data Protection Board.

By following these steps, we aim to ensure a smooth and compliant account deletion process while protecting your personal data.

You can delete cookies that are already on your computer and prevent your internet browser from saving/placing cookies.

Internet browsers are set to accept cookies automatically by default. Managing cookies varies from browser to browser, so you can refer to the help menu of your browser or application for detailed information.

Most internet browsers allow you to:

• View and delete saved cookies
• Block third-party cookies
• Block cookies from specific sites
• Block all cookies
• Delete all cookies when you close your internet browser

If you choose to delete cookies, your preferences on the relevant website will also be deleted.

Controlling Cookies on Your Mobile Device:

On Apple Devices:

• You can clear your browsing history and cookies via: "Settings -> Safari -> Clear History and Website Data."
• To delete cookies while keeping your history, follow: "Settings -> Safari -> Advanced -> Website Data -> Remove All Website Data."

If you do not want history to be retained while visiting sites:

• Activate private browsing by following: "Safari -> icon -> Private -> Done."
• To block cookies, follow: "Settings -> Safari -> Block All Cookies." However, note that blocking cookies may cause some websites and features to not function properly.

On Android Devices:

• You can clear your cookies via: "Chrome app -> Settings -> Privacy -> Clear browsing data -> Cookies, media licenses, and site data -> Clear Data."
• You can allow or block cookies via: "Chrome app -> Settings -> Site Settings -> Cookies."

By following these steps, you can effectively manage and control the cookies on your devices, ensuring your privacy and preferences are maintained.

As part of our business relationship, you must provide the personal data that is necessary for the establishment and execution of a business relationship and the fulfilment of the associated contractual obligations or that we are legally obliged to collect. Without this data, we will generally not be able to conclude or execute the contract with you.

In particular, we are obliged under money laundering regulations to identify you using your identification document before establishing the business relationship and to collect and record your name, place of birth, date of birth, nationality, address and identification data. To enable us to comply with this legal obligation, you must provide us with the necessary information and documents in accordance with the Money Laundering Act and notify us immediately of any changes that occur during the course of the business relationship. If you do not provide us with the necessary information and documents, we may not enter into or continue the business relationship you have requested.

In principle, we do not use fully automated decision-making in accordance with Article 22 GDPR to establish and conduct the business relationship. Should we use these procedures in individual cases, we will inform you of this separately if this is required by law.

We sometimes process your data automatically with the aim of evaluating certain personal aspects (profiling). We use profiling in the following cases, for example:

• Due to legal and regulatory requirements, we are obliged to combat money laundering, terrorist financing and criminal offenses that endanger assets. This also involves data analysis (e.g., in payment transactions). These measures also serve to protect you.
• We use evaluation tools to provide you with targeted information and advice on products. These enable needs-based communication and advertising, including market and opinion research.
• We use scoring to assess your creditworthiness. This involves calculating the probability that a customer will meet their payment obligations in accordance with the contract. The calculation may include, for example, income, expenditure, existing liabilities, occupation, employer, length of employment, experience from the previous business relationship, contractual repayment of previous loans and information from credit reference agencies.

The scoring is based on a mathematically and statistically recognized and proven procedure. The calculated score values help us to make decisions when concluding product contracts and are included in ongoing risk management.

We collect mobile device permissions for several purposes via different variety of functions based on different mobile operating systems and we process your personal data via such functions. The main permissions and personal data that are collected are as following:

iOS

Android

Individual right of objection

You have the right to object, on grounds relating to your particular situation, at any time to processing of personal data concerning you which is based on Article 6(1)(e) GDPR (data processing in the public interest) and Article 6(1)(f) GDPR (data processing on the basis of a balancing of interests); this also applies to profiling based on this provision within the meaning of Article 4(4) GDPR. If you object, we will no longer process your personal data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or the processing serves the establishment, exercise or defense of legal claims.

Right to object to the processing of data for direct marketing purposes

In individual cases, we process your personal data for direct marketing purposes. You have the right to object at any time to the processing of personal data concerning you for the purpose of such advertising; this also applies to profiling insofar as it is associated with such direct advertising. If you object to processing for direct marketing purposes, we will no longer process your personal data for these purposes.

The objection can be made informally and should preferably be addressed to:

Date of last update: 10/12/2024