NEWSLETTER 2021

within the framework of Article 6 of the Regulation, it is seen that the exceptions to the confidentiality obligation are explained in detail in subclauses so as to clarify such discrepancies, that the conditions under which and the parties to whom information sharing will be accepted as an exception are specified, and that some of the exception cases (such as disclosures for the preparation of consolidated financial reports, risk management and internal audit purposes) are clarified. For instance, the Regulation states that data transfer for risk management purposes covers all risk management activities, including compliance, credit, and reputation risks included in the ISEDES Regulation.[3] The Regulation further indicates that, for information sharing within the scope of outsourced services, the obligation to obtain the request or instruction of the customer shall be met if the outsourced service is not within the scope of the primary systems.

General Principles Regarding the Sharing of Confidential Information

The Regulation sets out the general principles and procedures regarding the transfer of confidential information, as well as specific issues related to the sharing to be made in exceptional cases. In principle, the Regulation emphasizes that customer secrets and bank secrets should be transferred in accordance with the principle of proportionality, limited to specified purposes and to what is necessary for those purposes. Furthermore, it is pointed out that if the purposes in question could still be achieved when the shared data is aggregated, anonymized or pseudonymized, these methods should be applied. It is also obligatory to comply with the general principles[4] regulated under

[3] Regulation on Internal Systems of Banks and Internal Capital Adequacy Assessment Process (ISEDES Regulation), OG, No. 29057, 11.07.2014. https://www.mevzuat.gov.tr/File/GeneratePdf?mevzuatNo=19864&mevzuatTur=KurumVeKurulusYonetmeligi&mevzuatTertip=5 (Access date: 29.03.2021).

[4] Pursuant to Article 4 of Law No. 6698: “a) Lawfulness and fairness; b) Being accurate and kept up to date where necessary; c) Being processed for specified, explicit and legitimate purposes; ç) Being relevant, limited and proportionate to the purposes for which they are processed; d) Being stored for the period laid down by the relevant legislation, or the period required for the purpose for which the personal data are processed.” https://www.resmigazete.gov.tr/eskiler/2016/04/20160407-8.pdf (Access date: 29.03.2021).