FİBABANKA ANONİM ŞİRKETİ PRIVACY NOTICE FOR CUSTOMERS

We, as Fibabanka Anonim Şirketi (the “Company” or “Fibabanka”), acting in the capacity of data controller, conduct sensitivity at maximum level, for processing and protection of the personal data of you, as our customers, in compliance with the Law on Personal Data Protection no. 6698 (“LPPD”) and the secondary legislation thereof (jointly, the “PDP Law”).

By this Privacy Notice, we would like to inform you regarding the personal data processing activities performed by our Company with regards to you, as our customers.

1.Your Personal Data That Shall Be Processed, Collecting Methods, Processing Purposes and Reasons of Legality

Your personal data specified below (“your personal data”) shall be collected by automatic and non-automatic means, and shall be processed accordingly, by our Company, within the scope of implementation of the agreements and in line with the requirements of the services that shall be provided to you; electronically, verbally or in writing in physical or electronic environments, being connected, limited and commensurate to the purposes defined below and in accordance with the principles defined in the LPPD and in compliance with the PDP Law.

This Privacy Notice is prepared, in a manner covering the legal reasons defined in the law with regards to your personal data that shall be processed within the scope of all products and/or services offered to you by our bank.

Your personal data that shall be processed within the framework of the products and/or services offered by our Bank, are as follows:

Your Personal Data That Shall Be Processed:

• Identity information (name, surname, Republic of Turkey Identity Number (RTIN), foreigner identity number, tax identity number, foreign country identity number, signature, nationality, title, mother’sfather’s name, date of birth, country information, tax office information, United States of America (“USA”) tax identity number, source of USA citizenship, potential tax number, citizenship information, tax residence information, place of birth, passport number, passport information, gender, age, maiden surname, identity serial no., identity sequence no., issue date of identity certificate, mother’s maiden surname, marital status, type and number of identity certificate, license information, identity certificate expiry date, identity certificate’s place of issue, title of policyholder, military service status, declaration number, registration number, country of birth)

• Communication information (address, phone number, e-mail address, title, company’s trade name, fax number, address code (NADB (National Address Database)), domicile information, city information, place of residence)

• Location information (site information)

• Financial information (account information, international bank account number (IBAN), salary information, balance information, content of cash account, foreign currency amount, estimated assets, source of assets, explanation regarding assets, monthly net income, source of income, purpose of transaction, payment details, transfer date, transfer explanation, recipient information, pricing details, transaction date, value date of transaction, transaction amount, debt information, vehicle license information, land registry information, information on assets, credit information, overdue principal amount, vehicle information, encumbrance information, collateral information, risk information, account balance, risk amounts, transfer information, transaction information, commission information, derivative information, information on immovable property(ies), information on owned immovable property(ies), overdraft deposit account (“ODA”) information, limit excess information, credit card information, credit card number, electronic fund transfer (“EFT”)/remittance transaction information, information on receivable(s), credit allocation free information, scores, scoring details, credit information-accounts in debit status, limit information on source basis, risk information on source basis, credit type, account information on the basis of credit type, given collaterals (obligor) collaterals whereby suretyship is given (surety), legal entity participants and shareholders, real person shareholders, unpaid cheque(s) information, fiscal (Turkish Revenue Administration (“RA”) information, exemption limit, total balance of blocked account, concentration limit, concentration rate, total risk, current appropriate collateral, account number, classification score, branch information, branch name, risk status, history observation information, number of overdue day(s), overdue payment amount range, risk range, credit status, limit upper type, limit lower type, limit sub type, cash risk, limit type, credit type, credit reference, branch code, limit superior type, limit lower type, purpose of usage, disbursement amount, risk, value date, expiry date of maturity period, credit status, cash credit information, total disbursement amount, receivable information, cash credit preference information, limit information, interest information, interest details information, clearing type, clearing status, reason of return, collateral amount, collateral type, collateral status, safekeeping branch, collateral inquiry information, collateral general information, pledge details, receivable details, balances at the end of accounting period, customer segment, total limit, total risk, group risk, number of day(s) in delay, information on asset transfers which can be made as a result of change in marital status, immovable property information, land registry information of an immovable property, encumbrance information of an immovable property, location information of an immovable property, features of an immovable property, features of an independent section, current zoning status, valuation information, building occupancy permit, energy identity certificate information, credit amount, maturity period of credit, credit repayment plan, collateral information, Credit Bureau of Turkey (“CBT”) score, Individual Indebtedness Index (“III”) score, payment information, credit extension date, credit limit, instalment, outstanding debt, total number of entries, total limit amount, number of open entries, open limit amount, total instalment amount, total outstanding debt amount, product type, product, sub-product type, application status, channel, amount, application date, limit, reason of removal, tear of removal, promissory note amount, credit product type, result of request, amount of request, allocation amount, date of request, date of result of request, reason of rejection of request, information on protested promissory note, Memzuç (Central Bank Over-all Credit Risk Records) information, bank warning list, credits of negative nature, credits at the bank, individual limit risk inquiry, derivative, attachment information, ownership status of the house s/he lives in, duration of residence at the address, total monthly income, source of income, income earner person, purpose of credit, income certificate information, Social Security Institution (“SSI”) employment details information, information on salary pay roll regarding the last month, product information, transaction limit information, information on persons authorised to make transaction, information on available limit, card number, card status, account activities, branch, channel, financial control sector code, sector code, chamber registration number, taxation type, Central Registration Recording System (“MERSIS”) number, profit centre, portfolio code, portfolio reference, customer status, registration date, hazard classes code of economic activities (“NACE”), foreign exchange code, product code, transaction code, remarks, transaction reference, original amount, net debt, total debt, net receivable, total receivable, total balance, customer type, account limit, interest amount, interest income, rediscount date, negative rediscount amount, limit amount, accounting records, cash inflows-outflows, deposit information, close monitoring details, credits in close monitoring process, deferred credits, credits for which change in class is considered, information on being in legal follow-up process, collections in legal follow-up process, non-performing credits (“NPL”) sales, assets to be disposed of, placement (investment) and funding details, information delays in credits, reference, general ledger (“GL”) account number, rediscount GL account number, agreement type, account opening date, number of days in maturity period, number of days remained until payment due date, maturity range, payment due date, latest interest date, main group code (“GR”), limit reference, status, status code, paid tax amount, information on total principal amount, branch that extended the credit, credit number, credit account code, credit risk range, credit opening date, original maturity period of credit, extended maturity period of credit, date when the credit is transferred to follow-up process, interest rate of the credit, currency code of the credit, internal rating, credit class, province code, source of credit, segment, suretyship amount, amount of credit extended, compensated amount, collateral amounts, Credit Guarantee Fund (“CGF”) to which payment request is made, account code, financing subject code, approach code, agreement date, payment due date, date of getting out from follow-up process, end of grace period without payment, total payment period, interest rate, index, collateral amounts, agreement amount, payments made, principal amount, agreement code, nature of the credit, credit class, collateral amounts, credit class before restructuring, internal rating, rating agency score, financial restructuring agreement number, leading bank EFT code, reduced receivable amount, nature of payment, repayment amount of the credit, current principal amount of the credit, payment due date of the credit, financing subject code of the credit, reason, opening date of the credit, pricing period of the credit, interest structure of the credit, currency code, original currency amount, reference interest rate, counter currency code, deposit, rediscount amount, current market value, sub type code, option requirement, change in original currency amount, market in which transaction is made, foreign currency transfer code (Society for Worldwide Interbank Financial Telecommunications “SWIFT”), code of the unit by which the transaction is made, transaction number, purpose of making the transaction, collateral portfolio, customer limit, derivative transaction restriction, transaction purpose of the counter party, interest spread, code of the branch that extended the credit, date of unpaid instalment of the credit, main operations code, rating board, date when it has become the bank’s customer, anti-money laundering “AML” risk score, security verification method (“3D Secure”), card type, expiry date of the card, card shipment type, card shipment branch information, password shipment type, password shipment branch information, customer group, customer number (“CIF”), monthly income, annual income, tax residence information, credit and risk information, crypto currency activities, crypto currency account information, crypto currency balance, monthly average income, payment instrument information, contribution share information, collateral reference, collateral type, Turkish Lira (“TRY”) equivalent of collateral amount, signature verification status, signature verification note, entry date, incoming date, signature date, payment due date, release information, sub-branch, tax office, data source, communication language, share amount, equity, project investment information, information on expertise examination of the facility, contribution share, limit, short term risk, mid-term risk, long term risk, total risk, group information, company code, reliability status, limit name, customer operating risk, customer project risk, reason of valuation, request type, request sort, information on debt details, sales date, land registry transaction date, expertise amount, purchase price, sale price, difference, type of purchase, expertise value in the system when follow-up proceedings are started, expertise date in the system, value assessment by execution office/court, date of value assessment by execution office/ court, current expertise before the auction, expertise date before the auction, purchase price, total acquisition cost, acquisition date, expertise after acquisition, expertise date after acquisition, sale price, sale date, date of credit risk (“CR”), CR risk principal amount and cost, current follow-up status, transfer/ assignment balance, date when collection is made in the system, date of current risk after collection, current risk (principal amount + cost) after collection, date of transfer back to active, amount, information of right of repurchase (redemption), type of immovable property, internet sales status, deposit balance, type of currency, turnover information, collection date, investment funds, balance information on the date when deposit is invested, latest updating, KKB (Credit Bureau of Turkey) inquiry date, reason of failure to calculate by KKB, field of activities, general limit, general risk, cash limit, agricultural limit, non-cash limit, non-cash risk, agricultural risk, information on ownership status of the workplace, limit revision date, total amount, distribution of risk amounts, amount, risk group code, risk type, country code, assets size, number of employees, name of risk group, provincial code, period in which default started, amount subject to default, credit type, amount of collection in default, amount subject to write-off in the balance sheet, current credit balance, name of vessel, price of vessel, vehicle registration certificate, information on debt activities, reason of failure to make collection, expiry date of the card, card verification code (“CVC”), Card Validation Value (‘’CVV’’), Card expriy date, card number, transaction type, description of transaction, credit disbursement amount, interest information, balance, EFT information, remittance information SWIFT information, credit information, information on deposit transactions, money transfer transactions, description of transaction, information on indebtedness, transaction types, branch, classification code, scoring type, reference number, score range, customer risk range, internal rating score, early warning system (“EWS”) rating score, number of EWS criteria, amount of credit requested, internal rating, result of application, reason of rejection, current reason of delay in open accounts, current limit occupancy ratio (overdraft account & credit card), term of account, KKB commercial credit rating) score, allocated credit amount (last 1 year), status of credit in NPL (within the bank), current delay status (within the bank), current collateral(s), current type of currency, current maximum repayment period, current limit amount, current risk, credit code, bank branch, credit amount, outstanding (remaining risk), repayment period (payment due date(s)), credit principal amount period, monthly payment point (point of sale, (“POS”)) volume information, customer general limit summary, current risk information, approved collateral conditions, segment, code/name of group, credit rating (“rating”), general limit summary, collateral summary, collateral conditions, disbursement conditions, limit details, suretyship limit detail, credit limit offer history, gold deposit account information, Finecus Avra (rating platform) rating score, group rating score, limit-risk information with the bank, credit performance information with the bank, total capital amount, Memzuç (Central Bank Over-all Credit Risk Records) information, immovable property information, movable property information, investments, financial analysis, financial condition information, profit or loss information, comprehensive income information, information on development of equity capital, information on cash flow, KKB score, financial information, balance sheet information, stock (equity) information, ownership of the house where related person resides, internal rating, result of application, current reason of delay in open accounts, credit extension date, credit limit, credit instalment, remaining (outstanding) credit debt, overdue amount, open limit amount)

• Employee personal information (title, company information, professional information, manner of working, employee registration number, educational status, name of firm at which related employee worked in the past, information on workplace, commencement date of working, date of quitting work, professional code, name of the profession, cv information)

• Visual and voice records (photograph, voice record, video record, camera records, video banking records, call centre records)

• Customer transaction information (customer CIF number, balance information, transaction amount, description of transaction, type of foreign currency, amount in foreign currency, payment due date of amount in foreign currency, message information, source of payment, purpose of payment, branch code, date of lease agreement, number of safe deposit box, safe deposit box visit information, initial opening/ updating/ safe deposit box closing information, details of updating transaction, safe deposit box closing date, information on joint safe deposit box, blockage information, channel information, source of customer acquisition, customer status, customer segment, date of becoming a customer, status of customer, information on profit centre, portfolio code, transaction information, information on customers’ product trend, reference number, customer account number, credit information, credit offer information, credit limit information, limit information, group information, sector information, credit score, collateral information, collateral ratio, collateral type, policy information, policy number, information on distribution channel/branch, policy commencement-expiry date, annual premium information, number of instalments, number of premium instalments, premium payment due date(s), premium payment amount, insurance coverage information, heirship information, inheritance information, cash credit information, non-cash credit information, credit disbursement information, collection information, settlement (liquidation) information, delay information, legal follow-up status, customer number, cheque/promissory note information, information on transaction subject to complaint, sum of cheque deposits, current risk for cheque(s), total risk for cheque(s), cheque amount, amount of cheque(s) accepted as appropriate collateral, cheque endorsement information, customer group, customer type, branch of cheque, KKB (Credit Bureau of Turkey) cheque score, cheque report, cheque information summary, amounts of cheques drawn, information on open cheque(s), information on post-dated cheque(s), information on cheque(s) with closest payment due date (issue date), cheques of which the related party of cheque report is the holder or final endorser, information on unpaid cheque(s), information on cheque(s) subject to court process, individual cheque inquiry, NRIS (information on execution proceedings), application number, applicant number, invoice information, subscriber number, customer registration number, user name, password, name, surname of drawer of cheque, name, surname of endorser of cheque, name, surname of avalist of cheque, signature of drawer of cheque, name/trade name of the drawee of cheque, customer information, account information, customer code, product information, profit/loss information, risk group code, country code, sector (industry) and off-shore code, transaction type code, transaction serial number, date of transaction, transaction time, type of transaction, transaction identity number (“ID”), debt-receivable settlement ID, transaction result, card number, card limit, cash advance limit, account cut-off date, payment due date, debt information, interest information, instalment information, card information, additional card information, information on products used, transaction information, customer transaction channel, customer criteria information, product/reward information, card security code, card expiry date, expense information, tax information, cost information, income information, transaction cost, expense information, credit card information, foreign currency transaction information, precious metal transaction information, alarm information, order information, capital markets transactions information, foreign currency credit information, (“FCY”) beneficiary information, designated share of beneficiary, payment and deduction information, collateral amounts, insurance commencement date, insurance expiry date, application issue date, collateral information, premium amount, payment information, insurance renewal information, insurance renewal year, language preference, customer transaction activities, information on progress of complaint process, customers’ comments, net promoter score (“NPS”), complaint/request information, most frequently displayed screen, number of session(s), duration of session(s), session commencement time, session expiry time, displayed page, ranking of pages as per visits, page displaying frequency, page displaying order, page visit frequency, transaction execution time, time when a transaction is recorded in database, session date, session ID, number of transaction(s), amount of transaction(s), cheque limit, cheque risk, amount of annual contribution share, manner of payment/frequency of payment of contribution share, amount of entrance fee / payment frequency thereof, amount of entrance fee to be paid in instalments, contribution share payment commencement date, amount of entrance fee deferred to quitting, name of fund, code of fund, contribution share fund ratios, fund total cost (daily), fund total cost (annual), management cost deduction rate, information on suspension deduction, participant customer number, agreement number, agreement type, private pension (“BES”) entry date, BES account number, selected pension plan/number, effectiveness date, offer signing date, BES lump-sum payment amount, policy recording number, name of plan, Health Insurances Information and Surveillance Centre (“SAGMER”) tariff number, tariff number, policy commencement date, policy period, renewal number, sequence number, date of general condition, date of special condition, supplemental policy commencement date, supplemental policy issue date, number of supplemental policy, net premium, Banking and Insurance Transactions Tax (“BITT”) information, gross premium, payment plan, number of instalments, instalment amount, payment type, land registry information, price in tariff, premium, insurance policy number, insurance commencement date, insurance expiry date, issue date, place of issue, issue time, Natural Disasters Insurances Agency (“DASK”) policy number, risk address, field of operations, subject of insurance, payable premium, insurance amount/limit, insurance premium, insurance price, previous policy number, policy serial number, policy commencement date and time, policy issue date and time, place of issue of policy, reference date, agency number, number of additional document, commencement date of insurance, expiry date of insurance, discount information, vacancy period, DASK information, value of building subject to insurance, total gross premium, collection method of insurance premium, exemption information, policy issue date, number of previous policy, information on insurance coverage, payment due date, payment amount, collateral commencement date, collateral expiry date, name of collateral, amount of collateral, name of tariff, report group, product group, policy status, payment period, commencement date, expiry date, initial premium amount, collateral code, user type, renewal information, branch code, product code, card status, card delivery type, card delivery branch information, card delivery type, password delivery branch information, reason of issuing the card, initial date of having card, cargo tracking number, date of giving to cargo, information on shipment transaction, merchant POS number, Bankalararası Kart Merkezi A.Ş. (Interbank Card Centre Joint Stock Company) (“BKM”) merchant number, name of POS, terminal type, POS installation date, value date calculation, information on on/off status, group code, category code, transaction entry, buy/sell information, transaction type, fund information, date of commercial transaction, transaction status, value date, exchange rate, type of foreign currency subject to sale by bank, amount sold by bank, type of foreign currency subject to purchase by bank, amount purchased by bank, foreign currency amount, tax amount, source of transaction, transaction details, voucher number, transaction receipt number, bank’s shareholding information, entry date, invoice amount, type of representative relating to transaction, type of goods, cost details, commission amount, reference information, pool information, portfolio information, product reference number, KGF (Credit Guarantee Fund) application number, operation dates, remittance amount, foreign currency code, information on duration, information on annual expenses, transaction number, information on the bank with which transaction is made, information on the bank to which transfer is made, transaction code, transaction content, risk amount, total tax amount, total expenses, total commission amount, number of day(s) in delay, payment date, currency, amount of funds, equivalent in US Dollars (“USD”), payment due date information, information on result of application, reason of cancellation of application, reason of refusal of application, tariff information, commission information, penetration ratio, insurance information, payment method, payment channel, failure record, balances as of the end of financial period, banks with open and/or closed cheque account, information on cheques subject to precautionary injunction, number of unpaid cheque(s), liability amount (including postdated cheques), cheque score, customer representative, credit type, credit amount, type of payment plan, credit monthly repayment amount, total debt amount, total principal amount, repayment schedule, overdraft account limit, payment date, channel preference relating to account statement, credit limit, overdraft account number, type of application, interest accrual date, account statement preference, account statement channel preference, interest rate, increased limit, credit application number, information on immovable property, type of repayment schedule, payment date, credit monthly repayment amount, repayment period of credit, instalment date, insurance premium amount, total amount to be repaid, credit disbursement date, remaining (outstanding) principal amount, payment date, total cost of credit, information relating to product, price of product, quantity of gold, transferred amount, information on movable assets / deposits, credit debt principal amount, new terms and conditions relating to the credit, credit number, credit disbursement date, principal amount, balance (outstanding) payable amount, company information, commission amount / rate, credit disbursement amount, reason of incorrect entry, number of incorrect entry (entries), reference code, user code, date of complaint/request entry, credit and risk information, date of failure to make payment, reason of failure to make payment, debt information, undertaking information)

• Information on professional experience (professional knowledge, educational status, information on work experience, workplace information, professional status/workplace, manner of working, duration of employment at the workplace, sector (industry) information, field of operations, position at which s/he works, limit information, business line, experience in the sector (industry))

• Information on transaction security (Fiba key, e-signature, transaction (“log”) records, internet protocol address (“IP”) information, traffic information, File Transfer/Transmission Protocol (“FTP”) information, device ID, device information, operator information, banking password, card password, screen size, information on operating system, version of operating system, version of application, source of login to the system, device type, one time password (“OTP”) information

• Information on legal transaction(s) (dispute information, information contained in correspondences with judicial authorities, information contained in execution proceeding file, commencement date of legal follow-up proceedings, type of legal follow-up proceedings, amount subject to legal follow-up proceedings, settlement (liquidation) date, information on collection, information on legal charges, type of collection, notification date, information on attachment (seizure), payment amount, payment date, court information, type of lawsuit, amount subject to lawsuit, legal status, risk status, type of obligor, description of receivable, details of individual receivable, payment due date, interest type, interest commencement date, interest amount, receivable amount, claimed receivable, remaining (outstanding) amount, off-setting option, reason of debt, way of legal follow-up proceedings, information on attorney fees, exemptions, commencement date of lawsuit, pledge on vehicle, pledge on cash, composition with creditors (concordat) status, National Judicial Network Information Technologies System (“UYAP”) inquiry/ record, e-attachment information/ status NRIS (execution proceeding information), status of related person (person who committed an fraud attempt, suspect, victim), content of the lawsuit, information on dispute, type of agreement, information on lawsuit)

• Other (cheque/promissory note payment due date, cheque/promissory note issue date, cheque/ promissory note place of issue, cheque/promissory note amount, branch information, bank information, promotion amount, my WU (Western Union) number, Gold Card (credit card) number, printed swift card request, donation amount, document barcode, preferred delivery channels, account statement shipment information, bank card preference, Foreign Accounts Tax Compliance Act (“FATCA”) information, Common Reporting Standard (“CRS”) information, Alternative Transaction Channels (Multilateral Trading Facility (“MTF”) risk factors information, MTF/customer relation commencement information, MTF transaction date, military service status, information on bank’s shareholding, content of response/defence, suretyship information, surety information, attachment (seizure) information, betting information, bidding process restriction notices, status of being restricted from attending a bidding process, reference number, information on the status of being prohibited, application status, reasons of refusal, reason of cancellation, dealer code, communication language, residential status, reference, information contained in the letters of official authorities, incident, damage information, content of notice, status of notice, suspicious transaction information, vehicle plate number, social media user account name, number of followers, call period, result of call, shareholding information, work place information, description of determination, message type, provision amount, provision number, tax amount, degree of affinity with the person, with whom transaction is made, salary, tax office information, information on beneficiary, tax residence information, type of suretyship, amount for which surety shall be liable,, spouse information, encumbrance information (mortgage), amount of pledge, vehicle plate number, vehicle’s brand, vehicle’s model, vehicle’s type, information regarding pledge on vehicle, engine number, chassis number, International Securities Identification Number (“ISIN”) code, issue date, issue period, issue amount, product amount, subject of liability, amount of liability, pledge assurance information, payable currency, maximum amount of pledge, information on asset subject to pledge, date of suretyship, amount of suretyship, type of suretyship, type of pledge, registration certificate serial number, Vehicle and Driver Information System (“ASBİS”) registration reference number, record of customer complaint, communication commencement and completion time, call time range), usage habits of products and services

• Marketing information (cookie records, questionnaire answers)

• Criminal conviction and security measures (criminal records)

• Biometric data (biometric photograph)

• Health information (health report, information on disability status, health data [current disease, past disease, treatment received and other information], information on medicines used)

Reasons of Legality:

• Being set forth explicitly in the laws (article 5/2 (a))

Managing the customer accounts with regards to prescription (time-barring) in deposit accounts; fulfilling the obligations within the scope of FATCA; process of identification of tax residence of individual customers by financial institutions; communication, approval and reporting processes; executing blockage transactions on accounts; meeting information requests by official authorities and institutions; sending warning letter to the debtors; making inquiry regarding customers in the Land Registry and Cadastre Information System (“TAKBIS”); making KKB inquiry for follow-up of the risks which shall occur in relation to the faith of the customers; conducting Promissory Note-Cheque Concentration Observation to follow the risks that shall occur in relation to the faith of the credits; conducting observation of other bank cheques to follow the risks that shall occur in relation to the faith of the credits; conducting EUS observation to follow the risks that shall occur in relation to the faith of the credits; conducting observation of the overdue credits (NPL) to follow the risks that shall occur in relation to the faith of the credits; conducting observation for bankruptcycomposition with creditors (concordat) to follow the risks that shall occur in relation to the faith of the credits; conducting limit-risk observation to follow the risks that shall occur in relation to the faith of the credits; conducting observation of cash credits to follow the risks that shall occur in relation to the faith of the credits; conducting observation of the bank cheques inquired via clearing process to follow the risks that shall occur in relation to the faith of the credits; conducting observation of collaterals to follow the risks that shall occur in relation to the faith of the credits; conducting observation on legal follow-up to follow the risks that shall occur in relation to the faith of the credits; conducting cheque index inquiry to follow the risks that shall occur in relation to the faith of the credits; conducting TAKBIS inquiry to follow the risks that shall occur in relation to the faith of the credits; examining the KKB records for managing the processes intended for following credit payments; examining the TAKBIS records for managing the processes intended for following credit payments; managing the processes intended for following credit payments - Expertise report; conducting Application Observation Screen KKB Inquiries to evaluate credit applications by current customers; conducting inquiry of the information relating to credits used in the last 24 hours to evaluate credit applications by current customers; conducting Cheque-Promissory Note Inquiries to evaluate credit applications by current customers; Conducting Application Observations to evaluate credit applications by current customers - Intelligence; examining Individual Loan Request Form to evaluate credit requests received from branches; conducting Individual KKB Inquiries to evaluate credit requests received from branches; taking Identity Certificate to evaluate credit requests received from branches; examining Income Certificate to evaluate credit requests received from branches; examining Individual Loan Request Form to evaluate credit requests received from branches; examining Individual Loan Request Form to evaluate credit requests received within the scope of store internal rating system (“SIRS”); conducting Individual KKB Inquiries to evaluate credit requests received via SIRS; taking Identity Certificate to evaluate credit requests received via SIRS channel; updating credit card limits; ensuring information security in the FTP usage processes; reporting, to the senior management, the information obtained in process of following the cheques; following customer account activities; intelligence / Memzuç (Central Bank Over-all Credit Risk Records) inquiry; evaluating credit applications - risk centre; evaluating credit applications- Central Decision Support System (“CDSS”); conducting GIB (Revenue Administration of Turkey) inquiries to identify the customers for whom credit can be allocated; conducting KKB inquiries to identify the customers for whom credit can be allocated; presenting account statements to the customers; taking requests for credit card / bank card; in the process of SIM card blockage removal process, identity chip scanning by Near Field Communication “NFC”; in the phone number updating process, identity chip scanning by NFC; following buy/sell transactions at the bank; account inquiries relating to tax audits; taking action in relation to attachment (seizure) letters; branch internal audit reports; reporting daily transactions to the Central Bank of the Republic of Turkey (“CBRT”); transfer process of foreign currency funds equal to USD 50,000 and above; receiving store credit applications by SMS; receiving applications by SMS, via the Bank’s outsourcing business partners, institutions from which it receives support services mainly Tarfin A.Ş. (“Tarfin”), AlışGidiş Elektronik Ticaret A.Ş. (“AlışGidiş”); upon receiving credit application, conducting check at GIB (Revenue Administration of Turkey); conducting KKB (Credit Bureau of Turkey) corporate inquiry to evaluate the customers’ credit applications; conducting KKB individual inquiry to evaluate the customers’ credit applications; making identity verification of customers, for whom product shall be defined; conducting KKB individual inquiry to evaluate customer credit limit; conducting KKB corporate inquiry to evaluate customer credit limit; conducting GIB inquiry to evaluate customer credit limit; conducting cheque index inquiry to evaluate customer credit limit; following deteriorations in the credit performances of current customers via the Main Banking Early Warning Observation Screen; conducting MKDS (Central Decision Support Systems) inquiry to follow deteriorations in the credit performances of current customers; conducting KKB inquiry to follow deteriorations in the credit performances of current customers; observing Memzuç (Central Bank Over-all Credit Risk Records) records to follow deteriorations in the credit performances of current customers; conducting KKB individual inquiry to follow deteriorations in the credit performances of current customers; conducting POS inquiry for customer credit limit evaluation; conducting KKB corporate inquiries to make evaluations on suitability for commercial credit; conducting KKB corporate inquiries for evaluation of the cheques that shall be accepted as collateral; conducting KKB individual inquiries for evaluation of the cheques that shall be accepted as collateral; examining the cheque reports for evaluation of the cheques that shall be accepted as collateral; in case any delay or problem is encountered in credit payments, making inquiry regarding the customers’ immovable properties via TAKBIS; examining Firm Presentation Reports (“FPR”) received from the branches; taking consent from owner of immovable property for Land registry and Cadastre Sharing System (“TAKPAS”); establishing right of pledge in the Registry of Pledge on Movable Assets for Commercial Enterprises (“TARES”); keeping log records for incorrect tapping; following by which user SMS and OTP’s are triggered; conducting KKB inquiries for current customers to analyse their financial data for the purpose of credit assessment / credibility; conducting TAKBIS inquiries for current customers to analyse their financial data for the purpose of credit assessment / credibility; examining financial analysis reports of current customers to analyse their financial data for the purpose of credit assessment / credibility; evaluating the customer complaints; verifying a customers in the conversations that shall be made; conducting KKB check for the purpose of evaluating customers, to whom credit shall be marketed, with regards to risk.

• Provided that it is directly relating to concluding or implementing an agreement, requirement to process the personal data relating to the parties to an agreement (article 5/2 (c))

Transactions concerning cheques/promissory notes taken for collateral or collection purposes: giving promotion for customers’ pensions (retirement salaries); managing the processes relating to remittance transactions; managing the processes relating to EFT/Instant and Continuous Transfer of Funds (Fast and Secure Transfers “FAST”) transactions; banking transactions of foreigners; checking necessary documents for defining Fiba Key; managing customers’ personal information; conducting/managing agreement processes; meeting information requests by branches of the bank; meeting requests relating to reference letters; making collection from the customers who are transferred to legal follow-up process; assigning receivable subject to execution proceeding file and process management; giving information to the units relating to information requests by official authorities and institutions; intermediating for invoice payments of customers; making necessary definitions to enable use of FTP; conducting batch EFT/SWIFT transactions of customers in FTP; providing customers with access to FTP; making necessary definitions to enable use of Web Service Protocol; providing customers with access to Web Service Protocol; making necessary definitions to enable use of Account Statement Web Service Application; providing customers with the means to follow account activities; intermediating for invoice payments by dealers to provide cash flow of parent firm; providing financing to customers in consideration for post-dated receivables of customer suppliers; signing protocol relating to electronic account statement process; creation of records, based on account activities, automatically in the customers’ accounting system; sending Printed Swift Card; informing the customers relating to campaign results; offering virtual POS service to the customers; informing the customers relating to changes in interest rates; having access to customer data within the scope of conversations made in relation to a transaction; recording conversations made in relation to a transaction; giving approval relating to deposit products; calling the customers on daily basis within the scope of customer transactions; giving approval for expenses incurred for customers; making evaluations to define limit for customers; making analyses for pricing process; taking action relating to customer complaints; account opening; making equity (stock) transactions; making foreign exchange and metal trading (buy-sell) transactions; taking customer information for cherry account application; making crypto currency transfers; taking applications for time deposit account; taking applications for demand deposit account; presenting vehicle insurance offers; presenting BES (Private Pension System) offers; presenting offers for other elementary insurances (DASK, home, fire, etc.); evaluating applications for life insurance; taking applications relating to products via official web site; updating the communication information; taking the information required for customer system check; entering password for self-service updating; entering the passwords in the SIM card blockage removal screen; identity chip scanning by NFC in the SIM card blockage removal process; identity chip scanning by NFC in the phone number updating process; issuing statutory earthquake insurance policy; issuing health insurance policy; entering into BES (Private Pension System) agreement; issuing casco (casualty and collusion - full coverage vehicle insurance) policies; presenting vehicle insurance offers; issuing casco policies; presenting BES offers; evaluating life insurance applications; issuing special workplace package insurance policy; issuing home insurance policy for credit; issuing life insurance policy for credit; issuing life insurance (unintended unemployment coverage) policy for credit; matching the information contained in a policy with the information in the database; making a list relating to policies to be renewed; managing card requests; conducting the processes relating to card delivery; managing POS requests by customers; managing cash register POS requests; following the processes concerning investment funds held by the customers; following the processes concerning bonds held by the customers; providing functions relating to messages required for derivative transactions; following monitoring screens relating to customers; making the transactions relating to foreign trade products; SWIFT message processes; remittance transactions sent via the Document Management System (“DMS”); credit payment process regarding customers; meeting information requests received from branches; taking store credit applications by SMS; conducting customer inquiry in the credit application process; receiving credit applications by SMS, via the Bank’s outsourcing business partners, institutions from which it receives support services mainly Tarfin, AlışGidiş, and verifying customer information within the scope of credit disbursement; taking credit application; following applications made via channels out of branches; following credit processes of customers who use agricultural card; obtaining the information relating to applicants to agricultural card life insurance; taking customer instruction relating to delivery of agricultural card account statement; composing the credit offers; fulfilling the obligation of providing information before agreement; entering into overdraft account agreement; taking instruction relating to defining overdraft account; taking overdraft account instruction regarding repayment of credit instalment; taking information updating instruction regarding overdraft account; taking instruction regarding agricultural card credit; signing the undertaking form relating to insurance request; allocating individual loan; entering into housing finance loan agreement; entering into consumer loan agreement; entering into vehicle pledge agreement; entering into treasury bill/government bond pledge agreement; entering into derivative products bonds denominated in foreign currency (Eurobond) pledge agreement; entering into gold pledge agreement; entering into transfer/assignment of receivable agreement; entering into agreement relating to transfer/assignment of POS receivable; entering into derivative transactions framework agreement; entering into bank bond pledge agreement; entering into movable assets and deposits pledge agreement; signing protocol on change in interest/repayment period; composing repayment schedule according to credit agreements; managing the requests relating to letter of guarantee; signing general guarantee undertaking form for prepayment; managing the process relating to delivery of intra-branch documents; entering into company credit card membership agreement; making available (extending) credit with variable interest; defining the collaterals in the system; issuing Authorisation Certificate within the scope of the Direct Debit System (“DDS”); sending the cheques to the Credit Allocation Unit for allocation of limit; in cases where customer is unable to pay his/her debt, taking necessary information for restructuring of the debt; conducting receivable follow-up process and making calls; communicating with the customers for the purpose of debt collection, Process of transactions with bank/credit cards of the Bank at ATMs and pos devices of other banks.

• Requirement for the data controller to fulfil his/her legal obligation (article 5/2 (ç))

Managing the customer information relating to prescription (time-barring) in deposit accounts; fulfilment of the obligations within the scope of FATCA; process of identification of individual customers’ tax residence by financial institutions; conducting the processes concerning donation payments; fulfilling safe deposit box declaration obligation; communication, approval and reporting processes; making blockage transactions relating to accounts; responding to an inquiry by correspondents in the customers’ foreign currency transactions; maintaining SWIFT operations; communicating with the customers available on IB chat in Bloomberg; conducting the process of offering pricing to customer and branch via Reuters Messenger; PowerBI reporting processes; meeting information requests by official authorities and institutions; making inquiry relating to execution proceeding files of tax offices; preparing independent audit report; following the lawsuit processes; reporting the lawsuit processes to the accounting; giving information regarding customer complaints made via competent authorities; conducting checks on money transfers between the personnel and the customers and other personnel; money transfers from customer accounts where the receiver’s name is the bank’s personnel; evaluating cases where the same phone number is defined both in the name of personnel and a customer; ensuring control of betting transactions; conducting checks on suspicious transactions concerning persons who acted as proxy for more than one customers; checking the transactions made in the accounts of elderly; checking the customers with the same mobile phone number; checking the term deposit accounts opened with past value date; checking the transactions giving rise to liability, made in joint accounts; checking the commission repayments; checking the transactions giving rise to liability, made at branch for customers who reside abroad; checking the transactions giving rise to liability, made by customers who turn into active from dormant (inactive); derivative transactions standard risk coefficient rates pot value check; check on credit customers for whom group definition is not made; transactions made at more than one branches for the same customer on the same day; check regarding individual loans transferred to follow-up process without making any collection; checking the customers, credit limit revision date of whom is past; checking overdraft account limit excess incidents; check regarding customers, credit interest rate applicable to whom is changed; check regarding customers for whom point(s) is/are loaded onto credit card; check on POS commission rate; checks on CIF opened repeatedly; check on legal limit relating to EFT-remittance commissions; tapping inappropriate calls; checking the accounts of real person customers, in the accounts of there are many credit entries; various receivable (VR) transactions settled by making available credit; checking the credit card payments made from the account of a person different from the card holder; checking the cash deposit withdrawal transactions with one day difference; checking the credit payments made by funds transferred from a different customer; correctness of credit allocation fee charged to financial consumers; customers who have proxy/curator and to whom individual loan is made via a channel out of branch; customers who gain profit from foreign exchange transactions concurrently; buying foreign currency by funds made available within the scope of credit; buying crypto currency by funds made available within the scope of credit; reporting made to the Banking Regulation and Supervision Agency (“BRSA”); keeping the log records relating to credits regarding which refusal decision is taken; ensuring information security in the FTP usage processes; reporting the information obtained in the follow-up process of the cheques, to the senior management; following customer account activities; conducting the process for creating record for trial balance; taking necessary action for correcting records with reverse direction; sending the bank’s legal books to the Revenue Administration; AssetsLiabilities Committee (“ALCO”) reporting; Oracle Business Intelligence (“OBI”) reports; making tax payments of customers; reporting annual transaction activities made within the scope of customer relations; reporting annual transaction activities; credit reporting; reporting restructured credits; answering the questions regarding legislation, received from business units; conducting work activities intended to avoid damages which may be suffered by 1^st and 2^nd degree customers due to fraud; conducting processes for identification of credit applications made by issuing inaccurate document; identifying banned persons by making categorisations of persons; making reporting to the Audit Committee, conducting the processes for evaluating denunciation forms; evaluations AML declarations; reporting daily provisional commercial credit repayments; reporting daily provisional commercial credit information; reporting derivative financial instruments; conducting the processes of automating ALCO reports; conducting the processes of automating derivative financial instruments reporting; in order to protect customers against damages they may suffer within the scope of external fraud, monitoring customer transactions and preventing incidents; in order to protect customers against damages they may suffer within the scope of external fraud, monitoring customer transactions and observing card information for the purpose of preventing incidents; weekly reporting relating to customers who suffer a fraud and any damages sustained by customers; conducting fraud detection checks in order to prevent damages which may be sustained by customers; communicating with the customer for customer verification; conducting the process of acquiring customers who comply with the criteria defined for the know your customer process; making necessary examinations in order to respond to requests received from official authorities/processes of reporting to official authorities; communicating with correspondent banks relating to customer transactions; conducting the process of approval of acquiring customers who comply with the criteria defined for the know your customer process; making necessary examinations in order to respond to requests received from official authorities/processes of reporting to official authorities; making expense entries; conducting Corporate Credits-Cash CreditsCredit Monitoring for monitoring and following credit projects; conducting Limit-Risk-Customer and Group Based Risk Monitoring for monitoring and following credit projects; examining Memzuç (Central Bank Over-all Credit Risk Records) report screens for monitoring and following credit projects; examining Project Assessment Presentations for monitoring and following credit projects; examining collateral observation screens for monitoring and following credit projects; conducting the interest risk and liquidity risk processes; BRSA (Banking Regulation and Supervision Agency) reporting; customer scoring, classification and rating process; ALCO reporting; International Financial Reporting Standards (“IFRS”) reporting; BRSA reporting; resolving complaints relating to automatic teller machines (“ATM”); resolving complaints relating to common ATM’s; branch internal audit reports; taking action in relation to attachment letters; meeting information requests by official authorities; account inquiries relating to tax examinations; giving information to competent institutions regarding opened investment accounts; giving information to competent institutions relating to gold transfers; monitoring buy/sell transactions at the bank; processes of issuing voucher/receipt manually; conducting the process relating to customs declarations; meeting information requests by official authorities; reporting daily transactions to the CBRT (Central Bank of the Republic of Turkey); transfer process of funds in foreign currency equal to USD 50,000 and above; conducting identity verification of customers for whom product shall be defined; obtaining information regarding tax residence in a foreign country; obtaining customer information for delivery of security key; making physical settlements within the scope of audits made at the branches; conducting process audits within the scope of banking processes; conducting examinations and investigations within the scope of banking processes; in case of complaints raised by the customers, examining the customer accounts; reporting the findings; BRSA reporting; Financial Crimes Investigation Board (“MASAK”) reporting; notifying failures encountered in application opened for access by customers; conducting KKB (Credit Bureau of Turkey) Inquiries for credit performance reporting to the Credit Guarantee Fund (CGR Reporting); conducting credit performance reporting to the Credit Guarantee Fund (CGR Reporting); fulfilling the pre-agreement information obligation; independent audit reporting; evaluating customer complaints; making analyses relating to quality level of voice records and reporting them to the BRSA; verifying customers in the conversations made; recordings phone conversations made by the call centre with the customers; sending incorrect voice record to the customers; customer verification on the phone; customer scoring, classification and rating process.

• Making public by related person directly (article 5/2 (d))

Complaint and reputation management.

• Requirement of data processing for establishing, exercising or preserving a right (article 5/2 (e))

Sending warning letter to the debtors; assigning a receivable subject to execution proceeding file and process management; following and conducting execution proceedings; managing the lawsuit/execution proceeding processes; assigning a receivable to asset fund firm; following the execution proceedings; commencing execution proceeding against debtor persons via “icratek”; managing the lawsuit processes; taking letter of guarantee from other banks in the processes of stay of execution; following and conducting intermediation affairs; making KKB (Credit Bureau of Turkey) Individual Inquiries for monitoring the customers whose liabilities are past due; making KKB (Credit Bureau of Turkey) Corporate Inquiries for monitoring the customers whose liabilities are past due; following the customers whose liabilities are past due; for customers subject to follow-up proceedings, assigning the monitoring and collection process to related business unit or lawyer; in the lawsuit, the process regarding is completed by the legal unit, making the cost payments; presenting, to related business units, the list relating to immovable properties subject to right of repurchase (redemption); entering into  right of repurchase (redemption) agreements for conducting pre-sale and sale transactions of immovable properties acquired by the bank, for set off against the bank’s receivable; sending the expertise report to intermediary institutions for conducting presale and sale transactions of immovable properties acquired by the bank, for set off against the bank’s receivable; ordering preparation of expertise reports for immovable properties which shall be accepted as collateral, and checking them; reporting, to related business unit, the immovable properties which shall be sold; making a list of debtors who shall be called.

• Requirement of data processing for legitimate interests of the data controller (article 5/2 (f))

Making periodic reporting on the basis of profit; reporting, to related business units, the customers whose payments are delayed; sharing necessary information with related business units for conducting the execution proceeding processes; reporting processes made to the senior management in order to ensure accuracy of related information in the reports that shall be prepared for the BRSA; reporting regarding routine checks made in order to check whether there is any mistake in the data or accounting; preparing the Board of Directors report; checking, issuing, profitability evaluation of derivative transactions; option-settlement (swap) end-of-day reports; monitoring customer profitability; monitoring yields of deposits; conducting the process of automating the board of directors reports; requesting customer data via PowerBI for organising campaign; reporting customer transaction details; ; monitoring customer profitability; conducting monitoring of employees’ performance; making reporting to the senior management; transactions made via digital channels and statistical analysis thereof; improving customer experience on digital channels; improving customer experience on the bank’s channels; monitoring the calls; monthly reporting to the board of directors; preparing executive summary relating to FTR’s and presenting a report to the Assistant General Manager; defining the collaterals in the system; making customer segmentation for composing a marketing strategy; monitoring customer complaints; conducting monitoring of customer representatives’ performance evaluation; designating the target customer group who shall be communicated for marketing purposes; confirming the information on segmentation.

• Explicit consent (article 5/1)

Communicating with the customers for the purpose of making product promotion; sending commercial electronic message relating to insurance products; sharing guest information with the team who organise an open air movie event at a hotel and making reservation; statistical analysis; sending gifts to customers on special days; complaint and reputation management; face recognition system within the scope of SIM card blockage removal process; face recognition system within the scope of phone number updating process; collecting customer feedbacks; management of NPS questionnaires; sending commercial electronic message relating to insurance products; keeping central sales lists; regardless of the customer segment in which related customer is included, sending SMS/e-mail and making calls to the customers within the scope of marketing activities, including also individual and/or commercial credit marketing purposes; calling the customers for the purposes of providing information/marketing; meeting information requests by the bank’s branches; evaluating life insurance applications; issuing health insurance policy; meeting information requests by a counterparty bank; obtaining the information relating to persons who apply for agricultural card life insurance; processes of sending money to abroad / receiving money from abroad; providing customers who want to buy goods and/or services from the Bank’s outsourcing business partners, with the opportunity to use consumer loan with more advantageous interest, cost and/or commission rates, and directing the customers who want to benefit from these opportunities, to AlışGidiş via the branches of Fibabanka or electronic banking channels, and making their membership transactions, and providing customers with the opportunity to benefit from the products, services and loyalty programs offered by AlışGidiş, Customizing the offered products and services according to acclaim, usage habits, necessity.

2. Sharing Your Personal Data with Third Persons

2.1 Disclosure / Transfer in Turkey

Your personal data described above, shall be disclosed/transferred to the receiver groups specified below, in accordance with the purposes and reasons of legality set forth below.

• Based on the legal reason of being set forth explicitly in the laws (article 5/2 (a)),

For the purposes of conducting KKB (Credit Bureau of Turkey) individual inquiry in order to evaluate credit applications by customers; conducting KKB corporate inquiry in order to evaluate credit applications by customers; scanning identity chip by NFC in the SIM card blockage removal process; scanning identity chip by NFC in the phone number updating process; managing / conducting the business processes intended to follow buy/sell transactions at the bank; conducting the processes relating to taking consent form; conducting the processes relating to establishing right of pledge; identification process of tax residence of individual customers by financial institutions; fulfilling the obligations within the scope of FATCA; making blockage transactions relating to the accounts; meeting information requests by official authorities and institutions; communication, approval and reporting processes; ensuring information security in the FTP usage processes; providing customers with the means to have access to Web Service Protocol; responding to requests receive from official authorities; for the purpose of sending warning letters to the debtors; to the Competent Public Authorities and Institutions (Identity Sharing System, Address Sharing System,

Revenue Administration, MERSIS, Artisans and Craftsmen Information System (“ESBIS”), KKB (Credit Bureau of Turkey), NRIS (execution proceeding information), UYAP (National Judicial Network Project), e-Attachment, Central Depository of Securities (“MKK”), Takasbank, Borsa İstanbul, General Directorate of Land Registry and Cadastre, BRSA (Banking Regulation and Supervision Agency), Ministry of Treasury and Finance, Savings Deposit Insurance Fund (“SDIF”), MASAK (Financial Crimes Investigation Board), Banks

Association of Turkey (“TBB”), Ministries, PDP (Personal Data Protection) Board, Security Forces, Offices of Public Prosecutor, Courts, CBRT (Central Bank of the Republic of Turkey), Chairmanship of the Tax Audit Board, Execution Offices, Tax Offices, Customs Directorates, Municipalities, Notaries Association of Turkey, Postal and Telegraph Administration (“PTT”)),

For the purposes of conducting Application Monitoring Screen KKB Inquiries in order to evaluate credit applications by current customers; conducting Application Observations in order to evaluate credit applications by current customers - intelligence; conducting Cheque-Promissory Note Inquiries in order to evaluate credit applications by current customers; conducting inquiry relating to credit used in the last 24 hours in order to evaluate credit applications by current customers; updating credit card limits; taking requests for bank card; presenting account statements to the customers; taking requests for credit card, evaluating customer complaints; verifying customers in the conversations made; examining the financial analysis reports of current customers in order to analyse their financial data for credit evaluation / credibility purposes; conducting KKB inquiries of current customers in order to analyse their financial data for credit evaluation / credibility purposes; conducting TAKBIS inquiries of current customers in order to analyse their financial data for credit evaluation / credibility purposes; managing / conducting the business processes relating to monitoring buy/sell transactions at the bank; to the suppliers; for the purpose of carrying out transactions with credit/debit cards in ATMs and POS devices of other Banks.

• Based on the legal reason of requirement to process the personal data relating to the parties to an agreement (article 5/2 (c)), provided that it is directly relating to concluding or implementing the agreement,

For the purposes of conducting the processes relating to donation payments; meeting requests relating to reference letters; managing requests relating to letter of guarantee; providing customers with the means to follow account activities; conducting/managing DDS (Direct Debit System) processes, making collection from the customers transferred to legal follow-up process; to other Receiver Groups (institution to which donation is made, addressee institutions/persons, firms with which it is intended to share account information, firms with which a business relation is maintained, attorney/law office from which services are received),

For the purposes of transactions relating to cheques/promissory notes taken for collateral or collection purposes; managing the processes relating to EFT/FAST transactions; making collection from the customers transferred to legal follow-up process; assigning a receivable subject to execution proceeding and process management; to the Private Law Legal Entities (banks, Kredi Garanti Fonu A.Ş., Türkiye Varlık Fonu Yönetimi A.Ş.),

For the purposes of giving promotion for customers’ retirement (pension) salaries; managing the processes relating to remittance transactions; managing the processes relating to EFT/FAST transactions; taking credit applications; taking store credit applications by SMS; receiving credit applications by SMS, via the Bank’s outsourcing business partners, institutions from which it receives support services mainly Tarfin, AlışGidiş, and verifying customer information within the scope of credit disbursement; scanning identity chip by NFC in the SIM card blockage removal process; scanning identity chip by NFC in the phone number updating process; managing/conducting the business processes intended for following customers’ promissory note processes; managing/conducting the business processes intended for following processes relating to investment funds held by the customers; to Competent Public Authorities and Institutions (SSI (Social Security Institution), CBRT (Central Bank of the Republic of Turkey), Identity Sharing System, Address Sharing System, Revenue Administration, MERSIS (Central Registration System), ESBIS (Artisans and Craftsmen Information System), KKB (Credit Bureau of Turkey), MKK (Central Depository of Securities), Takasbank, Borsa İstanbul),

For the purposes of presenting BES (Private Pension System) offers; evaluating applications for life insurance; matching the information in the process of issuing policy; issuing insurance policies; obtaining the information relating to applicants to agricultural card life insurance; managing insurance requests; to the Group Companies,

For the purposes of making updating transactions relating to individual customers; sending Printed Swift Card; offering Virtual POS service to the customers; evaluating applications for life insurance, managing the card requests; conducting processes relating to delivery of cards; managing customer complaints; managing/conducting the business processes intended for following customers’ promissory note processes; managing/conducting the business processes intended for providing the functions relating to messages required for derivative transactions; managing/conducting the business processes intended for following processes relating to investment funds held by the customers; managing/conducting the business processes intended for execution of transactions relating to foreign trade products; managing/ conducting the business processes intended for SWIFT message processes; to the Suppliers,

For the purposes of account opening; presenting vehicle insurance offers; presenting offers for other elementary insurances (DASK, home, fire, etc.); issuing insurance policies; matching the information in the process of issuing policy; conducting customer inquiry in the credit application process; verifying customer information; managing insurance requests; to the Business Partners.

• Based on the legal reason of requirement for the data controller to fulfil its legal obligation (article 5/2 (ç)),

For the purpose of independent audit reporting, to the Other Receiver Group (Audit Firms),

For the purposes of independent audit reporting; managing the information relating to the customers; identification process of tax residence of customers by financial institutions; fulfilment of the obligations within the scope of FATCA; fulfilment of the declaration obligation relating to safe deposit boxes; conducting blockage transactions relating to accounts; meeting information requests by official authorities and institutions; conducting inquiry relating to execution proceeding files of tax offices; giving information relating customer complaints made via competent institutions; reporting made to the BRSA (Banking Regulation and Supervision Agency); communication, approval and reporting processes; weekly reporting regarding customers who suffer a fraud and damages sustained by customers; ensuring information security in the FTP usage processes; providing customers with the means to have access to Web Service Protocol; making necessary examinations in order to provide response to requests receive from official authorities; making necessary examinations in order to provide response to requests receive from official authorities - processes of reporting to official authorities; making tax payments of customers; MASAK (Financial Crimes Investigation Board) reporting; managing/conducting the business processes relating to the customs declarations process; responding to requests received from official authorities; managing/conducting business processes relating to buy/sell transactions at the bank; reporting to the Audit Committee; conducting work activities intended to protect 1^st and 2^nd degree customers against any damages which they may suffer due to fraud;  conducting processes intended to identify credit applications made by issuing inaccurate documents, derivative financial instruments reporting; daily provisional commercial credits repayments reporting; daily provisional commercial credits information reporting; credit reporting; restructured credits reporting; sending the bank’s legal books to the Revenue Administration; to Competent Public Authorities and Institutions (BRSA (Banking Regulation and Supervision Agency), Ministry of Treasury and Finance, SDIF (Savings Deposit Insurance Fund), Revenue Administration, MASAK (Financial Crimes Investigation Board), CIMER (Presidency’s Communication Centre), TBB (Banks Association of Turkey), TBB Risk Centre, Ministries, PDP (Personal Data Protection) Board,

Security Forces, Offices of Public Prosecutor, Courts, Tax Offices, Consumer Arbitration Board (CAB), General Directorate of Customs, CBRT (Central Bank of the Republic of Turkey), MKK (Central Depository of Securities),

Takasbank, Borsa İstanbul, Execution Offices, Customs Directorates, Municipalities, Chairmanship of the Tax Audit Board, KKB (Credit Bureau of Turkey), BKM (Interbank Card Centre)),

Derivative financial instruments reporting; daily provisional commercial credits repayments reporting; daily provisional commercial credits information reporting; credit reporting; restructured credits reporting; sending the bank’s legal books to the Revenue Administration; preparing independent audit report; following the lawsuit processes, ALCO reporting; OBI reports; non-cash credits reporting; conducting the processes for automating ALCO reports; conducting the processes for automating credit reporting; conducting the processes for automating derivative financial instruments reporting; evaluating customer complaints; verifying customers in the conversations made; making analyses relating to quality level of voice records and reporting them to the BRSA; recordings phone conversations made by the call centre with the customers; providing internal communication of the personnel, customer verification on the phone; identifying banned persons by making categorisations of persons; managing complaint processes; managing / conducting the business processes intended to follow buy/sell transactions at the bank; obtaining customer information for providing security key; to the Suppliers,

For the purpose of credit performance reporting to the Credit Guarantee Fund; to Private Law Legal Entities (Kredi Garanti Fonu A.Ş.),

For the purpose of managing complaint processes; to the business partners.

• Based on the legal reason of making public by related person directly (article 5/2 (d)),

For the purpose of complaint and reputation management, to the Suppliers.

• Based on the legal reason of requirement of data processing for establishing, exercising or preserving a right (article 5/2 (e)),

For the purposes of assigning a receivable subject to an execution proceeding file and process management; assigning a receivable to a firm included in the assets fund; to Real Persons and Private Law Legal Entities (Banks, Türkiye Varlık Fonu Yönetimi A.Ş.),

For the purpose of assigning a receivable to a firm included in the assets fund; to Other Receiver Group (firms included in the assets fund),

For the purpose of sending warning letter to the debtors, to Competent Pubic Authorities and Institutions

(Notaries Association of Turkey, PTT (Postal Administration),

For the purposes of managing lawsuit/execution proceeding processes; following and conducting execution proceeding transactions; following and conducting intermediation transactions; commencing execution proceeding against debtor persons on “icratek”; for customer subject to follow-up proceedings, assigning the follow-up and collection process to related business unit or lawyer; to the Suppliers,

For the purpose of sending the expertise report to intermediary institutions in order to make pre-sale and sale transactions of the immovable properties acquired by the bank for set off against receivable; to the Business Partners.

• Based on the legal reason of requirement of data processing for data controller’s legitimate interests

(article 5/2 (f)),

For the purposes of making periodic reporting on profit basis; reporting relating to routine checks made to check whether there is any mistake in data or accounting; conducting the process for automating the board of directors reports; to the Suppliers.

• Based on the legal reason of explicit consent,

For the purposes of issuing insurance policies; obtaining the information relating to applicants to agricultural card life insurance; to the Group Companies.

For the purpose of sending commercial electronic message; to Other Receiver Group (Message Management System),

For the purpose of evaluating applications for life insurance; to the Group Companies

,

For the purposes of calling the customers for information/marketing purposes; evaluating applications for life insurance; sharing guest information with the team who organise an open air movie event at a hotel and making reservation; complaint and reputation management; collecting feedbacks by customers; to the Suppliers,

For the purposes of providing customers who want to buy goods and/or services from the Bank’s outsourcing business partners, with the opportunity to use consumer loan with more advantageous interest, cost and/ or commission rates, and directing the customers who want to benefit from these opportunities, to AlışGidiş via the branches of Fibabanka or electronic banking channels, and making their membership transactions, and providing customers with the opportunity to benefit from the products, services and loyalty programs offered by AlışGidiş; to Business Partners (AlışGidiş A.Ş.).

Our Company undertakes that, other than purposes defined above, it shall not disclose/transfer your personal data to third persons, without obtaining your explicit consent.

2.2 Disclosure to Abroad

Your personal data described above shall be disclosed to the Banks located abroad if you give explicit consent, within the scope of processing of fulfilment of the obligations within the scope of FATCA; transfer process of foreign currency funds in an amount equal to USD 50,000 and above; making batch EFT/SWIFT transactions of the customers on FTP; SWIFT message processes; making the transactions relating to foreign trade products; communicating with correspondent banks relating to customer transactions; identification process of tax residence of individual customers by financial institutions; providing response to questions of correspondents in the customers’ foreign currency transactions; maintaining SWIFT operations; controlling the transactions giving rise to liability, made at the branches for customers located abroad; obtaining information regarding tax residency in a foreign country; meeting information requests by a counterparty bank; sending money to abroad / receiving money from abroad, carrying out process of transactions with bank/credit cards of the Bank by customers at ATMs and pos devices of banks abroad.

3. Protection, Preservation and Destruction of Your Personal Data

Your personal data shall be processed by our Company during the period required by the purpose of processing personal data, and in any, shall be kept until the end of legally required period. Upon expiry of the keeping period, your personal data shall be erased from electronic and physical environments, shall be destroyed or anonymised according to the PPD (Protection of Personal Data) legislation, in accordance with our Company’s Policy on Protection and Secrecy of Personal Data, Policy on Protection and Secrecy of Private Personal Data and Policy on Keeping/Storage and Destruction of Personal Data.  

For the purposes of prevent access to your personal data by unauthorised persons, processing of your personal data incorrectly, disclosure thereof, amendment/erasure thereof for illegal reasons, to ensure protection and security thereof; our Company shall take all technical and administrative measures in accordance with the PPD (Protection of Personal Data) legislation.

In case your personal data is damaged and/or is obtained by third persons/is disclosed as a result of attacks committed against the physical archive and/or servers and/or other systems of our Company; our Company shall inform you and the Personal Data Protection Board immediately.

4. Your right to be informed

Under The Law on Personal Data Protection, Article 11, you can apply to our Company; (a) to be informed whether your personal data is processed, or not; (b) if processed, to request information in relation thereto; (c) to learn purpose of processing and whether it is used according to intended purpose, or not; (d) to know the third persons to whom your personal data is disclosed in Turkey and abroad; (e) if processed incompletely or incorrectly, rectification thereof; (f) to request the erasure or destruction of your personal data under the conditions laid down in Article 7; (g) to request notification of the transactions made according to the paragraphs (e) and (f), to third persons to whom personal data has been disclosed/transferred; (h) to object against any outcome which shall arise due to analysis thereof by means of automatic systems exclusively, and (i) to request compensation for the damage arising from the unlawful processing of your personal data.

5. Your requests

If you have any question or request relating to processing of your personal data within the scope of this Privacy Notice, you can apply to our Company either by the Online Form available at the web address https://www.fibabanka.com.tr/bilgi-toplumu-hizmetleri/kvkk-kapsaminda-basvuru-talepleri or via the Registered E-Mail System.

Our Company shall handle and finalise the application requests, according to the nature of related request and at the latest within 30 (thirty) days, according to article 13 of the LPPD (Law on Personal Data Protection). When required due to nature of related transaction, tariff set by the PDP Board shall be applicable. If your request is refused, reason/s of refusal shall be specified in our response letter.

If you think that your personal data processed by our Company, is outdated, incomplete or incorrect, for your declarations relating to change(s) in your personal data, please contact our Company immediately via the e-mail address fibabanka.kisiselveri@hs03.kep.tr.

This Privacy Notice can be updated in order to adapt to changing conditions and legal regulations. You can follow the updates via the web address https://www.fibabanka.com.tr/.

Data Controller

Fibabanka Anonim Şirketi

MERSİS Number:              Address:                                          E-mail: fibabanka.kisiselveri@hs03.kep.tr

0209000780814852         Esentepe Mahallesi Büyükdere

Caddesi No:129 Şişliİstanbul/Türkiye