Protection of Personal Data

This Policy aims at (i) establishing set of rules for discipline in personal data processing operations carried out by QNB Bank A.Ş. ("QNB") under the Banking services in compliance with legislation, (ii) defining principles adopted for processing personal data in relation with the fundamental rights and freedoms of the person covered by 20th Article of the Constitution along with the material-nonmaterial wealth and personal integrity set forth in 17th article of the Constitution and (iii) ensuring transparency by providing information to Personal Data Owner/Relevant Persons whose personal data is processes by QNB to generate corporate culture

QNB pays maximum attention to safety of personal data and carries out activities by considering the prioritization of personal data safety in all products and services.

The main principle of QNB is to use Personal Data for banking transactions and to protect privacy, fundamental rights and freedoms of the person whose data is processed.

In terms of practicing the law and under this Policy:

Express consent: The consent which is based on being provided information and explained with free will on a specific subject.

Anonymization: The process of transforming the personal data so as to ensure unfamiliarity to any natural entity's data whose identity either can or cannot be determined even if such data is matched.

Relevant User: Persons who are responsible for technical storage, protection and backup of data or persons who process the received data in parallel with the authorization and directions given by the data supervisor or within the data organization excluding the unit.

Disposal: Procedure on erasure, disposal or anonymization of personal data

Law : The Privacy Act with no.6698.

Personal Data Owner/ Relevant Person: Customers or potential customers whose personal data is processed, employees, candidates, shareholders, visitors, institutions and entities and employees, shareholders and supervisors and the third real person of them which have business relations (support service, independent audit, rating, consultancy, service, purchasing, cooperation, solution partnership etc.) within the frame of a contract drawn up with the Bank.

Personal Data: All kinds of information related to a real person whose identity is determined or can be determined.

Processing personal data: All kinds of transactions carried out on personal data such as obtaining, saving, storing, changing, personal data through non-automatic ways, re-editing, explaining, transferring, taking over, becoming obtainable, classifying or preventing the usage.

Board: Protection of Personal Data Institution

Institution: Protection of Personal Data Institution.

Customer: The real person who receives service from the Bank according to the contract he/she has signed with the Bank and whose data is processed.

Data Processor: Real person or legal entity who process personal data according to the authorization given by the data supervisor on behalf of him/her.

Data Registry System: Registry system that personal data is processed by structuring according to the specified criteria

Data Supervisor: Real person or legal entity who determines the process purposes of the personal data and is responsible for set-up and management of the data registry system.

This Policy applies to all personal data which are processes by non-automatized means with the condition of being a part of data registry system whether partially or wholly automatized and which belong to QNB customers, potential customers, employees, candidates, shareholders, visitors; to entities and institutions working with the Bank under a contract signed (supportive services, independent auditing, rating, consultancy, service, purchasing, collaboration, solution partnerships, etc.), and their employees, shareholders, executives and to third persons.

This Policy enters into force on 07.10.2016. Should this Policy partially or wholly renewed, relevant versions of the Policy are updated.

This Policy is published at QNB website https://www.qnb.com.tr/, and it can be shared with the Personal Data Owner/Related Person is demanded.

All employees are liable for implementation of this Policy throughout QNB within the scope of their authorizations.

The status of personal data which are currently processed are regulated in the 3rd paragraph of the provisional 1st article of the Act. Accordingly, Personal Data processed prior to the date of effective of the Act are updated as per the provisions of the Act within two years as from the date of effective. The Personal Data which is detected to be contradictory to the provisions of the Act is disposed or anonymized. And yet, the legal consent which is obtained prior to April 7, 2016 (the effective date of the Act) are deemed as compliant to the Act should otherwise is declared within one year.

As per the 2nd article of the Act, the provisions of the Act apply to real persons whose personal data is processed and to natural and corporate entities who process information such data automatically in part or whole or non-automatically with the condition of being a part of any data registry system. Accordingly, Personal Data of all corporate entities are excluded by the Act; however, such data will be deemed included in the Act should it becomes possible to determine the real person by using the data of corporate entity.

The anonymized and unidentifiable data and data on corporate entities are not considered as Personal Data and they are not subject to this Policy.

All kinds of information related to a real person whose identity is determined or can be determined. To qualify any data as Personal Data, the data must be related to real person and this person must be identified or identifiable.

• a. Being related to real person: Personal Data is related to reals persons and the data of corporate entities are not covered by the definition of Personal Data. Therefore, information on corporate entity such as title of commerce or address (except being related to real person) will not be considered as Personal Data.
• b. Real Person Identified or Possible to Identify: Personal Data might directly refer to identity information of the owner or it might consist all information which can be used for identifying the person by relating to any record, though not directly indicating identity of the person, as well.
• c. Information of Any Kind: The notion of "any information" is quite comprehensive; and not only the information indicating identity of the person such as name, surname, date of birth and place, etc. but also all data which makes it directly or indirectly possible to identify the person such as telephone number, moto-vehicle plate, social security number, passport number, curriculum vitae, photo, video or voice records, fingerprints, IP address, e-mail, hobbies, preferences, relevant persons, memberships, family information, health information are deemed as Personal Data.

The term of "Processing Personal Data" indicates a cycle. In the 2nd article of the Act, such act is defined as a process which is initiated as receiving information automatically in part or whole or non-automatically with the condition of being a part of a data registry system and following data processing transaction of any kind. After collecting Personal Data as defined, any operation carried out till the erasure, disposal or anonymization transactions is considered as processing of Personal Data under the Act.

Personal Data can be processed in various ways:

• Collection or registry: By the time the Personal Data is first obtained, processing begins.
• Organizing/storage: Protection, reserving or storing of Personal Data on the digital or physical platform is accepted within the scope of processing.
• Using/changing: All kinds of usage, even the viewing of the Personal Data is accepted as processing.
• Transfer: Directing of the Personal Data with various methods.
• Spreading/ making achievable: Giving access to the third parties is also a processing type such as distributing or sharing the data physically.
• Prohibition: These are also accepted as some of the processing types.

Personal Data can be processed either automatic or non-automatic methods.

a. Automatic Processing

Automatic data processing is the processing operations which are performed by devices with software such PC, telephone, watch, etc. and which are automatically carried out without any intervention by humans by means of algorithms arranged beforehand via software and hardware features.

b. Non-automatized Methods for Processing (Provided that the Data is a Part of Data Registry System)

Even if Personal Data is not subjected to automatic processing, they will be subject to the provisions of the Act once they are processed via "data registry system". These systems can be created either in physical or electronic media.

All the conditions should be fulfilled in order for the data to be processed in compliance with the law:

• Processing is based on consent and exception,
• Disclosure is actualized,
• Processing is limited to purpose and period,
• Compliance to the general law principles.

During the period when banking services offered by QNB is used by our customers and following that the relation is over, Bank has the right to process the data of Personal Data Owner/Relevant Person provided that it follows the purposes specified in this Policy.

With respect to Personal Data Owner/Relevant Person, QNB  has the right to process the data of the Personal Data Owner/Relevant Person provided that the reasons of compliance with law foreseen in the Law continue.

Personal Data processing performed by QNB is the transactions carried out for the data by using the automatic, half-automatic or non-automatic ways within the scope of banking activities.

Personal Data Processing refers to all kinds of transactions performed on the data such as obtainment, voice or video recording, collecting these, saving, reserving, organizing, storing, using, changing, re-editing, classifying, explaining, transferring to the homeland or abroad, making obtainable, taking over, preventing from using.

Personal Data is processed in compliance with the principles foreseen in the Law and the procedures and principles stated in this Policy and within the scope below.

• Being Compliant to Law and Good Faith

  QNB  processes the Personal Data in compliance with the relevant legislation and core of good faith and uses within relevant limits.

• Being Accurate and Up-To-Date Where Necessary

  QNB ensures that Personal Data is accurate and updated paying attention to the fundamental rights and freedoms of the Personal Data Owners. Within this scope, it takes into consideration the principles such as determined sources, confirmation of their accuracy, evaluating if they require to be updated or not.

• Processing the Data with the Specific, Obvious and Lawful Purposes,

  QNB determines the data processing purpose clearly and precisely and ensures that this purpose is legal. Legalizing the purpose means that the Personal Data processed by QNB is connected to the banking services and works and activities performed within this scope and is required for these.

• Data is related, limited and moderate to the purpose that it is processed,

  QNB ensures that processed Personal Data is sufficient for the purposes to be actualized and avoids the processing of the Personal Data which is not related to the actualization of the purpose or is not needed. It actualizes the Personal Data processing conditions regulated in the Law, as if it is just beginning to process, in order to process data regarding the fulfillment of the needs which are possible to occur later. Besides, it confines the processed data to what is required to actualize the purpose.

• Data is preserved within the required period for the purpose stated under the legislation or they are processed for,

  If there is a period foreseen for storage of the data, QNB adjusts to these periods for all the legislations it is subject to within the scope of Banking Law and activity no.5411, otherwise it preserves the Personal Data for the period required as the purpose of processing. If there is not a valid reason for a Personal Data to be preserved longer by QNB, relevant data is erased, disposed or anonymized within the frame of the regulations in the "Personal Data Storage and Disposal Policy".

Statement of approval that is given by the customer for data processing related to him/her, having sufficient knowledge on the subject, leaving no room for hesitation and limited to only this transaction is defined as "express consent" in the Law. As per the article 5 of the Law, express consent is one of the personal data processing conditions in the Law and it does not have any comparative advantages over the other personal data processing conditions. Express consent is not the sole element which brings legality to the data processing activity.

If one of the conditions below is present, without the express consent of the Personal Data Owner/Relevant Person, processing of the personal data is possible:

• a. It is foreseen in the Law,
• b. Even if there is not any express consent, QNB can process the Personal Data of the Personal Data Owner/Relevant Person within the scope that is clearly projected by laws that it is subject to.
• c. It is obligatory for the protection of the person who cannot explain his/her consent due to actual impossibility or whose consent is not acknowledged for legal validity or for the protection of another person's life or body integrity,
• d. It is necessary for the Personal Data belonging to the parties of the contract to be processed provided that it is directly related to drawing up or fulfillment a contract,
• e. It is obligatory for the Data Supervisor to fulfill the legal obligations,
• f. Processing of the personal data which is declared by the Personal Data Owner/Relevant Person.
• g. Data processing is obligatory for establishing, using or protecting a right,
• h. Data processing is obligatory for the legitimate interests of the data supervisor provided that fundamental rights and freedoms of the Personal Data Owner/Relevant Person are not damaged.
• i. Provided that it does not damage the fundamental rights and freedoms of the Personal Data Owners, QNB can process the personal data of the Personal Data Owner/Relevant Person where it is obligatory to process the Personal Data for the protection of legal interests.

QNB shows the required sensitivity on following the main principles regarding the protection of Personal Data and looking after the benefit balance of the Personal Data Owner/Relevant Person.

QNB processes the Personal Data in order to:

• Fulfill liabilities posed by all legislations subjected within the scope of banking operations and Banking Law with no.5411, in particular,
• Fulfill the execution of the conditions of agreements relevant to the products and services drawn up and liabilities taken over in order for the banking services to be offered,
• Perform the credibility valuations of our customers and carry out enquiry, information researches, planning, statistical works,
• Develop the services of the Bank in order to be offered to the customers in the best way while customers are analyzing their loan history, statistical data etc.,
• Contact the customers regarding the current status of banking services and updates, provide required information in this respect,
• Offer a new and/or an extra loan or a product other than loan which the banking transactions and/or loan history and/or behavior models of our customers are required to be provided;
• Carry out the transactions related to banking, insurance, investment and finance products, perform the activities within this scope and develop the services,
• Guide for the products which our customers can be interested in by considering the usage habits of them and provide information on the campaigns, carry out the advertisement, marketing, promotion and campaign activities regarding the services and products,
• Know and use our customers who perform banking transactions through the branches, alternative distribution channels, Internet banking and /or our "QNB Mobil" for the customer analysis, perform various marketing and advertisement activities,
• Offer suggestion to our customers by the contracted companies and solution partners, inform our customers about our services,
• Evaluate the customer complaints and suggestions about our services,
• Fulfill our legal liabilities and use our rights derived from the applicable legislation,
• Plan and implement our Human Resources policies in the best way, evaluate the Personal Data shared during the job applications,

within the scope of Personal Data processing conditions stated in the 5th and 6th articles of the Law.

Current Employees: QNB has the right to process the personal data which the Personal Data Owner/Relevant person has declared because he/she will start working for the Bank, with the purposes of executing the contract within the frame of the employment contract drawn up with QNB, and/or fulfillment of his/her Benefits and Compensation Rights arising from this contract and maintenance of these uninterruptedly, all kinds of insurance services offered to the employees, occupational health and safety services, monitoring of performance management and evaluation, training activities and fulfillment of human resources and training processes.

Candidates: Evaluation of the job applications is carried out in compliance with the regulations of law related to the management of enquiry, research and other recruitment process.

For the processing of the Personal Data which is related to the business relation but is not the part of the execution of the employment contract at first, it should have the reasons of compliance with the law. (Consent of the applicant (electronic or non-electronic ways), Legal interest of QNB, data processing principles and purposes stated in the Law and this Policy)

QNB, with the video records made with the security cameras in the entrances and inside of Head Office, Regional Offices, Branch, ATM, has the purposes for protecting the security of itself and third parties.

Data processing activity mentioned above, is carried out in compliance with the Law on Private Security Services with no.5188 and the relevant legislation.

QNB engages in the security camera monitoring activity in compliance with the purposes foreseen in the relevant legislation and the Personal Data processing conditions stated in the Law in order to provide the security.

Voice recording is carried out when QNB is communicated through phone provided that the Personal Data Owner/ Relevant Person is informed.

Data Processing Regarding the Visitors

Personal Data Processing is carried out regarding the visitor entries and exits QNB Head Office, Regional Offices and Branches for providing security with the purposes stated in this Policy by QNB.

Personal Data Owner/ Relevant Persons are provided with information when their names are obtained while they enter QNB Head Office, Regional Offices and Branches as visitors or through the informative texts hung within the QNB Head Office, Regional Offices and Branches or presented to the visitors.

Data, which is obtained for monitoring of visitor entries-exits, is only processed with this purpose and the relevant personal data is saved to the data registry system on the physical platform.

Storage of the Records Regarding the Internet Access Provided For Visitors

Internet access can be provided for visitors requesting this service within the Head Office buildings with the maintenance of security and the purposes stated in this Policy by QNB. Logs regarding the internet access are recorded according to the Law on Regulation of Publications on the Internet and Suppression of Crimes by means of such Publications no.5651 and the imperative provisions of the legislation regulated according to this law; these records are only processed in case they are requested by the authorized state institutions and organizations or in order to fulfill our legal liabilities in the auditing process to be carried out within QNB.

The logs, obtained within this frame, can only be accessed by the limited employees of QNB. QNB employees who have access to mentioned records, share them to respond to the requests coming from the authorized state institutions and organizations or with the persons legally authorized to access to use them in the auditing process.

Web Site Visitors

On the websites in the property of QNB; internet movements in the website are saved through the technical means (E.g. Cookies) in order to provide that visiting purposes are carried out in compliance with the visiting purpose of the visitors, to display specialized contents and perform online advertisement activities.

Detailed explanations regarding the protection of these activities which are performed by QNB can be found in the "Privacy Policy" texts of the relevant websites.

QNB act in compliance with the regulations foreseen in the Law during the processing of personal data determined as "special quality" with the Law.

On the Article no.6 of the Law, a number of personal data having the risk to cause unjust treatment of the people or discrimination are determined as "special quality". These data is related to ethnicity, political view, philosophical view, religion, sect or other beliefs, appearance, association, foundation or union memberships, health, sexual life, conviction and security precautions and biometric genetic data.

Provided that sufficient precautions determined by the Board are taken, in compliance with the Law by QNB, Special quality personal data is processed

• If there is express consent of the personal data owner or,
• If there is not any express consent of the personal data owner

The special quality personal data except the health and sexual life of personal data owner in the situations foreseen in the laws,

The special quality personal data regarding the health and sexual life of the personal data owner is only processed by the people having the liability to keep secrets or authorized institutions and organizations with the purposes of protection of the public health, maintenance of preventive medicine, medical diagnosis, treatment services, planning and management of the health and financing services.

QNB can transfer the personal data of the Personal Data Owner/Relevant Person to the third parties taking the required precautions in line with its legal personal data processing purposes. QNB acts in compliance with the regulations foreseen in the article no.8 of the Law accordingly.

QNB can transfer the Personal Data to the third parties in line with the legal personal data processing purposes, based on and limited to the one or some of the data processing conditions stated in the article no.5 of the Law mentioned below:

• If there is express consent of the personal data owner,
• If there is a clear regulation regarding the transferring of the personal data ,
• If it is obligatory for the life of the Personal Data Owner/Relevant Person or someone else or the protection of the body integrity and if the Personal Data Owner/Relevant Person is unable to explain his/her consent due to occupational impossibility or his/her consent is not legally validated
• If it is necessary for the personal data belonging to the parties of the contract to be processed provided that it is directly related to drawing up or fulfillment a contract,
• If the personal data transferring is obligatory for QNB to fulfill its legal liability,
• If the personal data is declared by the personal data owner,
• If the personal data transferring is obligatory for establishment, usage or protection of a right,
• Provided that fundamental rights and freedoms of the personal data owner are not damaged, if the personal data transferring is obligatory for the legal interest of QNB.

Transferring To Abroad

QNB can transfer the Personal Data of the Personal Data Owner/Relevant Person to the third parties taking the required precautions in line with its legal Personal Data processing purposes.

Personal data can be transferred to the foreign countries, which are declared to have sufficient protection by the Board ("Foreign Country with Sufficient Protection") or if there is insufficient protection, to the foreign countries ("Foreign Country Which Has The Data Supervisor Undertaking The Sufficient Protection") which data supervisors in Turkey or in the relevant foreign country undertake a sufficient protection as written and which have the Board permission. QNB acts in compliance with the regulations foreseen in the article no.9 of the Law.

If there is express consent of the Personal Data Owner/Relevant Person in line with the legal personal data process purposes or if there is not any expressed consent, in case one of the the situations below is present, QNB can transfer the personal data to the foreign countries which have The Sufficient Protection or A Data Supervisor Undertaking the Sufficient Protection:

• If there is a clear regulation regarding the transferring of the personal data,
• If it is obligatory for the life of the Personal Data Owner/Relevant Person or someone else or the protection of the body integrity and if the Personal Data Owner/Relevant Person is unable to explain his/her consent due to occupational impossibility or his/her consent is not legally validated;
• If it is necessary for the personal data belonging to the parties of the contract to be processed provided that it is directly related to drawing up or fulfillment a contract,
• If the personal data transferring is obligatory for QNB to fulfill its legal liability,
• If the personal data is declared by the personal data owner,
• If the personal data transferring is obligatory for establishment, usage or protection of a right,
• Provided that fundamental rights and freedoms of the personal data owner are not damaged, if the personal data transferring is obligatory for the legal interest of QNB.

Transferring Purposes

Personal Data, which is processed by QNB,is transferred limited with the purposes of planning and carrying out strategies, procurement of legal, commercial and physical security of QNB to the entities and institutions that are working with the Bank (support service, independent auditing,rating, consultancy, service, purchasing, cooperation, solution partnerships etc.) with the purpose of fulfillment of the contract, providing corporate operation, conducting works to benefit customers from the products and services offered in the best way; making the products and services specialized according to the requests, needs and claims of the customers, developing the services offered on the website, planning and implementing our human resources policies in the best way, contacting those who directed their requests and complaints to QNB and within the scope of the conditions stated in the articles no.8 and 9. Of the Law.

Erasure, Disposal And Anonymization Of Personal Data

Provided that provisions in the other laws related to erasure, disposal and anonymization of personal data are kept secret, although the Bank process that in compliance with this Law and other provisions of the Law, it erases, disposes and anonymizes the personal data ex officio and on demand of the Personal Data Owner/Relevant Person and within the frame of the principles in the Personal Data Storage and Disposal Policy if the causes requiring the processing disappear.

Erasure of the Personal Data is the process of making the Personal Data inaccessible and unusable.

Disposal of the data is the process of making Personal Data inaccessible, nonreturnable and unusable.

Anonymization of the data ensures the personal data to be unassociated with any identified or unidentified real person on no condition even if the personal data is matched with other data.

Storage Period Of The Personal Data

QNB stores the Personal Data according to the period foreseen in the laws and other legislation. Following the actualization of the Personal Data processing purpose and end of the period in the regulations of the relevant law, Personal data is erased, disposed or anonymized within the frame of the principles in the "Personal Data Storage and Disposal Policy" or on demand of the Personal Data Owner/Relevant Person.

In case the personal data is disposed through these relevant methods, these data can never be reused or restored. Although there are legal interests of QNB or the purpose of the processing and the period stated in the relevant laws end, personal data can be stored provided that fundamental rights and freedoms of the Personal Data Owner/Relevant Person are not damaged.

Every Personal Data Owner/ Relevant Person has the rights stated below.

a) Learning if the Personal Data is processed or not, b) if it is processed, demanding information regarding this, c) Learning the purpose of Personal Data processing and if these are used in compliance with their purposes, ç) Learning the third parties at home and abroad to which the personal data is transferred, d) in case the Personal Data is processed incorrectly, demanding the correction, e) Asking for the erasure or disposal of the Personal Data, f) Demanding the transactions performed as per paragraph (d) and paragraph (e) to be notified to third parties receiving such information, g) Objecting to the result coming out against itself due to the analysis of the Personal Data exclusively with the automatic systems and ğ) Requesting for recovery in case any losses incurred due to illegal processing of Personal Data.

QNB concludes the requests regarding the implementation of this Policy and Law as soon as possible and at least within 30 days based on the request stated in the application free of charge. However, in case the transaction requires extra cost, below amounts determined by the Board might be collected. Should the application is occurs as a mistake by QNB, the amount charged is reimbursed to the Personal Data Owner/Relevant Person.

Data Controller which you apply to within the scope of the Law:
Under the rights described under 11th article of relevant Law, you may send requests

• by using Application Form which can be obtained from the branches of the Bank or by providing a letter along with documents proving identity (identity card, driving license, passport, etc.) by personal application
• by means of secure electronic signature, mobile signature or registered electronic mail address which is available in the systems of the Bank 
  • to the Bank’s Registered e-mail address (qnb@hs05.kep.tr) and
  • to kvkk_bilgi@qnb.com.tr address.

With regard to applications,

• Personal Data Owner/Relevant Person’s name, surname and signature-if the application is made in written,
• TR ID number if the applicant is citizen of Turkey Republic, citizenship of the applicant if a foreigner, passport number or ID number if available,
• Domicile or workplace address to send notifications,
• Electronic mail address, telephone and facsimile to send notifications,
• The subject of the request

must be stated; and related information and documents must be enclosed to the application. Applications shall be accepted after your identity is confirmed by the Bank and you shall be informed in written or via electronic media within the legal durations.
In written applications, the date when the letter is submitted to the Bank is considered as the date of application.
In the case of applications submitted in other methods, the date of receipt by the Bank is taken as the application date.

Response to application

QNB is obliged to take all administrative and technical measures in order to effectively finalize each application, to be submitted by Personal Data Owner/Relevant Person, in compliance with the law and the code of good faith.

QNB either accepts the application ot declines by stating the reasons. QNB sends the response to Personal Data Owner/Relevant Person in written or via e-mail.

If the demand by Personal Data Owner/Relevant Person is accepted, QNB fulfills the liabilities arising from the demand and provides the Personal Data Owner/Relevant Person with information.

Salary

If the response is to be given to Personal Data Owner/Relevant Person in written, pages up to ten are not charged. For each page exceeding ten pages, transaction cost is charged as 1 TL.

If the response is given in a recorded media such as CD, USB, etc., the cost to be demanded by the incumbent cannot exceed the overall cost of the media.

The Law and Provisions of this Policy will not be implemented in the cases below:

• Personal data is processed within the scope of the activities related to himself/herself or his/her family members living in the same house provided that they are not given to the third parties and the liabilities for the data security are followed.
• Personal data is processed with the purposes of research, planning and statistic provided that they are anonymized with the official statistic.
• Personal data is processed with the art, historical, literature or scientific purposes provided that they don't violate national defense, national security, public security, public order, economic security, privacy or personal rights or they don't constitute a crime.
• Personal data is processed within the scope of preventive, protective and informative activities which are carried out by the state institutions and organizations authorized and assigned intended for ensuring the national defense, national security, public security, public order or economic security.
• Personal data is processed by judicial authorities or execution authorities related to inquiry, prosecution, judgment or execution transactions.

Article no.10 of the Law which regulates the liability to inform provided that it is proportional and in compliance with the purpose and the main principles of the Law, except for the right of demanding the recovery of loss, article no.11 which regulates the rights of the relevant person and the article no. 16 which regulates the liability to registry of Data Supervisors Registry will not be implemented in the conditions below:

• Personal Data processing is necessary for prevention of crime or criminal investigation.
• Processing of the personal data which is declared by the relevant person.
• Personal Data processing is necessary for carrying out of the auditing and regulation tasks by the authorized state institutions and organizations and professional organizations qualified as public institutions and for inquiry or prosecution.
• Personal data processing is necessary for protection of the economic interests of the Government related to the budget, tax and economic subjects.

Data processing process, which is carried out within the frame of banking activities, is subjected to the data security principles within the scope of the Communiqué on the Principles to Be Taken as Basis for Management of Information Systems in Banks which have the Banking Law numbered 5411 and sub-regulations by the Bank.

Relevantly, it is forbidden for any employee in QNB to access, process or use these data without authorization.

Processing of such information by any employee who is not authorized within the scope of the legal duties of QNB is deemed to be unauthorized transaction.

Employees of QNB can only have access to the data within the frame of the kind and scope of his mentioned assignments properly. Roles and responsibilities are detailed as separated according to the principle on segregation of duties.

Misusing of the personal data for special or commercial purposes, sharing such data with unauthorized people or making them accessible by employees of QNB are forbidden.

QNB carries out the data processing activity in compliance with the regulations of the Law and approaches to Protection and Process of the Personal Data Policy as a part of corporate management. Besides, it takes all the required administrative and technical precautions to bring into force the Policy and Procedures it published referring to the Law.

Data processing activities carried out by QNB are checked regularly by the authorized persons working in the relevant units of the Bank and subject to auditing.