GarantiBank International N.V. (‘GBI’) processes personal data. With this privacy statement, we would like to give you an overview of the processing of your personal data by us and your rights under the EU General Data Protection Regulation (‘GDPR’) and applicable national data protection law, which data is processed by us and how it is used. We hereby provide answers to the most important questions about the processing of personal data by GBI.
2. Who is responsible for processing my data and who can I contact?
The responsible body is;
GarantiBank International N.V.
1017 DR Amsterdam,
If you would like to know more about data protection at GBI, execute your data subject right(s) or have any other data protection questions or remarks, please contact our Data Protection Officer.
4. What are personal data?
Personal data is information that relates to you and by which (together with other information or otherwise) you can be identified. Examples of personal data that we process of you is your name, date of birth, telephone number, address, email address, gender, place of birth, nationality, national identification numbers, ID data, signature, as well as your computer’s IP address. In addition, in certain circumstances and only where this allowed under applicable law, we also process other data (e.g. payment order), data for the fulfillment of our contractual obligations or a money transfer you have made, information about your financial situation, tax administration, voice recordings and other data comparable to the above categories.
Some of the personal data are considered sensitive, for example data relating to criminal convictions and offences, ethnicity, race or your National Identification Number. GBI only processes sensitive personal data if this is specially required under national law, with your explicit permission. GBI only processes sensitive personal data taking the highest levels of technological and organizational measures into account.
5. What does processing mean?
Processing means any operation or set of operations which is performed on personal data or sets of personal data. The GDPR provides the following examples of processing ‘collection, recording, organisation, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction of data.’
6. Whose personal data does GBI process?
GBI processes personal data of people with whom it has, or has had, a direct or indirect relationship. For example: personal data of customers and their representatives or people who show an interest in our products and services.
7. Which sources does GBI use to collect your personal data?
We process your personal data that we receive from you directly. Where this is necessary we also collect your personal data from publicly accessible resources (e.g. registers, the internet and press) or other companies within the Turkiye Garanti Bankasi A.S. Group (‘TGB Group’), the Banco Bilbao Vizcaya Argentaria Group (ꞋBBVA GroupꞋ) or other third parties.
8. Why does GBI process your personal data (purpose of data processing) and what is the legal basis for this?
We process your personal data for the following reasons:
a. To execute our agreement with you
The processing of personal data is necessary for providing banking and financial services in connection with the execution of our contract(s) with you or in order to take steps at your request prior to entering into a contract: to execute your orders and to carry out activities necessary for the operation and administration of banking services and transactions.
The data processing is primarily carried out in relation to a specific product (e.g. account, credit, savings, deposits ) and may include, provision of advice, execution of transactions, orders, ensuring IT security, the processing of the data for determining the integrity, authenticity and availability of the data, the control by the supervisory boards or supervisory bodies, the traceability of orders and other agreements as well as quality control through appropriate documentation and, if necessary, recording the telephone conversations.
Further details on data processing purposes can be found in the relevant contract documents and terms and conditions.
b. To comply with a legal obligation to which GBI is subject:
As a bank, we are subject to various legal obligations and banking supervisory requirements (e.g. the European Central Bank, the European Banking Authority, the Dutch Central Bank and AFM). The processing purposes include, but are not limited to: credit checks, identity and age checks to comply with know your customer obligations, prevention of fraud and money laundering, combating terrorist financing, to fulfil tax control and reporting obligations, as well as the evaluation and management of risks in the Bank and within the TGB Group and BBVA Group.
c. When you have provided your consent
Insofar as you have given us consent to the processing of personal data for specific purposes, the legality of this processing is based on your consent.
d. When this is necessary for the purposes of the legitimate interest of GBI or a third party
Examples of a legitimate interest of GBI is to perform marketing activities or to protect the security of our banking business. The use of this legitimate ground requires a balancing test and will only be used if the legitimate interest is not overridden by your interests or fundamental rights and freedoms which require protection of personal data.
9. Who receives your personal data?
Within GBI, those departments that gain access to your personal data are those that need to fulfil our contractual and legal obligations. For the same purposes we may also share your personal data with service providers and agents (companies in the categories of financial services, IT services, and logistics). When this is the case we always impose secrecy on these parties and conclude all necessary agreements, including data processing agreements where required.
With regard to the transfer of data to recipients outside of our bank, it should also be noted that we, as a bank, are obliged to maintain secrecy about all customer-related facts and assessments of which we are aware. We may only disclose information about you if statutory provisions require it, if you have given your consent or if we are authorized to provide you with bank information, e.g. due to our legitimate interest or the legitimate interest of a third party. Under these conditions, recipients of personal data may, for example be:
- Public bodies and institutions (e.g. AFM, European Banking Authority, European Central Bank, Dutch Central Bank, tax authorities, law enforcement authorities) in the presence of a legal or regulatory obligation.
- Authorities, credit bureaus, debt collection agencies, lawyers, courts, appraisers and inspection bodies.
- Other credit and financial services institutions, IT service providers or similar institutions to which we provide personal information in order to conduct a business relationship with you.
- Other companies within TGB Group and BBVA Group for risk management due to legal or regulatory obligations.
Other data recipients may be those for whom you have given us your consent to transmit your personal data, or for whom you have exempted us from banking secrecy in accordance with an agreement or your consent.
10. Is your personal data transferred to a third country or to an international organization?
Personal data will only be transferred to third countries (i.e. countries outside the European Economic Area (EEA)) in accordance with the provisions of the GDPR.
In particular we would like to point out that where GBI shares your personal data with TGB Group and BBVA Group, this may include personal data transfers to third countries such as Turkey. In such cases we ensure that, in accordance with GDPR, adequate safeguards are in place to protect your personal data.
If you need more information on the appropriate safeguards we have in place for international personal data transfer, or would like to receive a copy of these safeguards please contact our Data Protection Officer.
11. How long do we keep your personal data?
GBI keeps personal data as long as it is necessary for the purpose for which it is processed and for as long as the law obligates us to store your data. The retention period that applies to personal data varies ranging from several months to many years. Upon your request, we can provide you with our data retention schedule.
12. How do we take care of your personal data?
Protecting your personal data has highest priority within all levels of GBI. Below you will find a list of guarantees we provide:
- All personal data is treated confidentially and with care.
- Personal data will only be passed on to third parties where this is permitted by law.
- The use and registration of personal data is limited to the minimum of what is required for the purpose it was collected.
- When third parties are contracted to provide supporting services they must conform to our privacy requirements such as confidentiality and in certain cases data processing agreements. At all times, third parties will be monitored to ensure all our requirements are met.
- Our safety policy is based on legal and regulatory obligations, including the guidelines and requirements set by De Nederlandsche Bank and the Dutch Association of Banks (Nederlandse Vereniging van Banken).
- Only authorized and trained personnel may have access to and handle personal data.
- We have taken all possible precautions, both technically and organizationally, to ensure all personal data is adequately protected.
13. Which data protection rights do you have and how can you exercise them?
As a data subject, you have the right:
- To be informed about how GBI processes your personal data. This information is shared with you through this Privacy Statement.
- Of access to the personal data GBI processes about you.
- To rectification of inaccurate personal data or completed if it is incomplete.
- To erasure of your personal data. However, this right only applies under certain circumstances and is not absolute.
- To restriction of processing. However, this right only applies under certain circumstances and is not absolute.
To object to:
- To data portability. This right is not absolute, as it only applies to personal data that is directly provided by you and where the processing is based consent or on performance of a contract.
- Not to be subjected to a decision based solely on automated processing, including profiling: (e.g. automated processing of personal data to evaluate certain aspects about you), which produces legal effects concerning you or similarly significantly affects you unless it is:
If you wish to exercise one of these rights, please address your request in writing to our Data Protection Officer:
With regard to consent, please be informed that you may revoke your consent to the processing of personal data at any time. Please note that the revocation only works for the future. Processing that took place before the revocation is not affected.
14. Is there an obligation for you to provide your personal data?
To enter into a business relationship with us and for us to perform our contractual obligations, we must process certain personal information of you such as name, address, contact details. Without this personal data, we will not be able to conclude or execute a contract with you.
Sometimes we are required to process your personal data by law. For example, according to the money laundering regulations, we are obliged to identify you prior to the establishment of a business relationship on the basis of your identity document and to record your name, place of birth, date of birth, nationalities, address and identity card details. In order for us to be able to fulfil this legal obligation, you must provide us with the necessary information and documents in accordance with the Money Laundering Act and immediately notify us of any changes resulting from the business relationship. If you do not provide us with the necessary information and documents, we may not take up or continue the business relationship you have requested.
This may also relate to data required later in the business relationship. If we also request data from you, you will be informed about the voluntary nature of the information separately.
15. Does GBI perform automated decision making?
We do not perform (fully) automated decision making pursuant to the GDPR to justify and implement the business relationship.
16. About this privacy statement
This privacy statement can be amended by GBI. In such a case, GBI will inform you accordingly. This version was created on 18 May 2018.