General Data Privacy and Protection Policy

1. Introduction

1.1 Data as a strategic priority

Garanti BBVA ("T. Garanti Bankası A.Ş. and its subsidiaries") is a corporation with subsidiaries in Turkey and abroad, primarily engaged in banking activities and other activities directly or indirectly related to this purpose.

In carrying out this activity, Garanti BBVA considers data as a critical and strategic asset, especially in a highly complex environment characterized by technological developments and regulatory changes.

The Board of Directors of T. Garanti Bankası A.Ş. ("Bank") approves this Data Privacy and Protection Policy ("Policy") in line with, but not limited to, the following basic regulations, always respecting the legal requirements in force, in order to ensure that the necessary measures are taken to guarantee the confidentiality and protection of the data of natural and legal persons with whom the Bank interacts;

  • Values of T. Garanti Bankası A.Ş.
  • Garanti BBVA Ethics and Integrity Principles
  • Data Governance and Quality Policy
  • Information Security Policy
  • Non-Financial Risk Management Policy

The following definitions apply under this Policy;

  • Privacy: right of natural and legal persons to have their information collected, shared and used in accordance with applicable regulatory requirements. Under the concept of privacy, personal data protection is the set of measures that seek to ensure that natural persons have control over their data, and that the processing of personal data is carried out in accordance with the applicable regulations, in view of protecting public freedoms and the fundamental rights of data subjects.
  • Data: any specific information relating to a natural person (identified or identifiable) or legal person, which the Group processes in some way.
  • Data processing: any (automated or not) operation or technical procedure that enables the collection, retention, preparation, alteration, consultation, use, cancellation, blocking or deletion of data, as well as the assignments of data resulting from communications, consultations, interconnections and transfers.

1.2 Regulatory framework

This Policy has been approved by the Bank's Board of Directors in accordance with Article 2, titled Purpose and Scope, of the Bank's Internal Regulatory Framework.

This Policy has been prepared in compliance with the Personal Data Protection Law and other legislation in force and taking into account the good practices guide and recommendations.

2. Purpose and scope

2.1 Purpose

This Policy establishes the general principles and basic management and control guidelines applicable to the confidentiality and protection of data belonging to natural and legal persons in the processes and data processing carried out within Garanti BBVA as per applicable legislation.

2.2 Scope

This Policy will serve as a reference and must be taken into consideration when establishing and developing local or sectoral policies within Garanti BBVA. Said policies must be coherent and in accordance with the Policy.

However, in instances when the provisions of this Policy go against sectoral or local requirements, the applicable specific sectoral or local legislation will prevail. The relevance and risks associated with the activities carried out by each subsidiary will be taken into consideration when this Policy is applied.

Garanti BBVA will promote the application of this Policy to people who provide services or carry out activities in its name and on its behalf.

3. General Principles

Garanti BBVA performs its activities on the basis of the following general principles:

  • Integrity
  • Prudence in risk management
  • Transparency
  • Achieving a profitable and sustainable long-term business
  • Creating long-term value for all stakeholders
  • Compliance with the applicable legislation at any given time

Under these general principles, the principles governing data privacy and protection are as follows:

  • Principle of lawfulness of processing: any data processing carried out within Garanti BBVA will be done in a lawful manner, in accordance with the applicable legislation in each jurisdiction.
  • Principle of confidentiality: the data must be kept and stored so as to guarantee its confidentiality. In particular, no information or data that has been accessed while performing professional duties may be disseminated, transmitted or disclosed to third parties, or used for individual interest, except where there is express or contractual authorisation or where the information has been requested by an administrative or judicial authority. This obligation will continue even after the contractual relationship ends.
  • Principle of data accuracy: the data must be at all times adequate and truthful and, when necessary, will be updated, and the proportionate measures needed to delete or rectify inaccurate data will be adopted.
  • Principle of data retention: the data must be stored in the appropriate place in accordance with the retention periods specified in the relevant regulations that the Bank is obliged to comply with.

In addition to the aforementioned principles, the following will govern the protection of personal data:

  • Principle of transparency: measures must be established to provide data subjects with all the information on the conditions of the data processing that affects them. The information must be provided in a concise, transparent, intelligible and easily accessible manner, in clear and simple language.
  • Principle of restriction of processing: the data collected must be adequate, pertinent and limited in relation to the purposes for which it will be processed. The data cannot be used for purposes other than those informed, and no additional data may be processed if it is not necessary for the purposes of processing.

4. Provisions of the Policy

The management of data privacy and protection will be based on the following general guidelines:

Organisation and Governance:

  • The data privacy and protection processes will be aligned with Garanti BBVA's structure and goals, while always observing the commitment to preserve the privacy and protection of data subjects, in accordance with current legislation.
  • The data privacy and protection governance structure must be designed in such a way as to include the involvement of all levels of Garanti BBVA with the aim of reconciling priorities, streamlining conflict resolution and fostering support for data accuracy and data protection.
  • The roles and responsibilities of the areas involved in Garanti BBVA’s data privacy and protection governance will be defined by applying proactive responsibility and promoting the necessary measures to boost privacy and protection.

Control:

  • The standards and procedures for data management and privacy will be periodically assessed to ensure compliance. The controls required to promote and assess proper implementation will be incorporated into Garanti BBVA's control frameworks.
  • In order to ensure that the data is suitable for its purpose, data categories will be defined for its segmentation according to its level of confidentiality and criticality.
  • Specific metrics and controls will be defined to determine the effectiveness of data privacy and protection measures, with the aim of measuring their risks and establishing a continuous improvement process.

Training:

  • Periodic training will be delivered to ensure that all members of Garanti BBVA are aware of the value of information and the need for data protection and privacy.

5. Governance and supervision model

5.1 Corporate bodies

This Policy entered into force on 6 June 2024, upon its evaluation and approval by the Bank's Board of Directors.

5.2 Executive

This Policy has been developed and coordinated by the Data Governance Department, with the collaboration of Internal Control, Information Systems Security, Compliance and Legal Consultancy Department, within the scope of their respective competencies.

The Data Governance Department will be responsible for making the Policy known and implementing the Policy in coordination with the relevant departments.

In turn, the managers of the areas affected by the Policy shall, where appropriate, provide the tools, systems and organization needed to implement the Policy in their areas of responsibility.

At least once a year, or when any event requires changes to the Policy, the Data Governance Department shall review this Policy and submit any changes or updates deemed appropriate for review and, if necessary, approval by the Bank's corporate bodies.

The day-to-day operational responsibilities regarding privacy will not fall under the Data area, as is the case with the following policies:

  • Information Security Policy, which is owned by the Information Systems Security department
  • General Policy on Sharing Confidential Data, which is owned by the Legal Consultancy Department
  • Personal Data Protection And Processing Policy, which is owned by the Compliance department

5.3 Control Model

Control over the degree of compliance with both this Policy and its development will be performed in accordance with the internal control model established at all times by Garanti BBVA, for adequate management of the risks therein. This management is structured on the basis of three lines of defence, independent of each other. The control functions will cooperate actively and regularly in supervising the implementation of this Policy, in accordance with the powers conferred on them.

Any standards and procedures relating to data privacy or protection must comply with this Policy.

Glossary

  • Data subject/Relevant person: The natural person to whom the data refers.
  • Bank: T. Garanti Bankası A.Ş.
  • BRSA: Banking Regulation and Supervision Agency.
  • Garanti BBVA: T. Garanti Bankası A.Ş. and its subsidiaries
  • Kanun: Law No. 6698 on the Protection of Personal Data
  • Personal Data: Any information about an identified or identifiable natural person whose identity can be determined directly or indirectly through an identifier (e.g. a name, an identification number, location data or an online identifier) or one or more elements specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person.

Change log

Date         Description of change           Author
01/06/2024   First version of the document   Data Governance Department
23/06/2025   Review                          Data Governance Department