As DenizBank A.Ş. (“Bank”), we would like to inform you about the “Personal Data Protection Law” which is set out regarding the personal data to protect the fundamental rights and freedoms including the privacy of the personal life in particular.

Our purpose is to inform you about the way to collect your personal data, purpose of processing it, legal causes and rights in the most transparent way as per your satisfaction.

As per the Personal Data Protection Law numbered 6698 which took effect in 7 April 2016, our Bank DenizBank A.Ş. shall acquire, save, store, retain, update to continue the services, change, rearrange, disclose to the third parties in cases and to the extent allowed by the legislation , transfer, share, classify, anonymize the personal information and process in other manners listed in the law in the capacity of Data Officer to the extent laid out in the law in terms of any type of private data you have including any personal data and biometric data, health data which you have submitted to our Bank or which our Bank has gathered within the framework of the terms and procedures (“Data”).

The purpose of processing your personal data and its legal causes; within the scope of the Banking Law and other legislation, your personal data is processed in order to provide banking, insurance and finance products services and/or fulfill, execute and develop the transactions regarding them including those which can be provided in an agency capacity, carry out promotion, marketing and campaign activities for these services and products, fulfill the requirements of the agreements you have entered into and/or we have entered into; conduct intelligence, information researches and credibility surveys, provide planning, statistics, customer satisfaction studies, security, ensure compliance with antimoney laundering legislation and domestic and international legislation; comply with information storing, reporting, informing obligations set forth by the authorities such as BRSA, CBRT, CMB, MASAK, TBB, GİB, Treasury Undersecretariat and other authorities, provide better and more reliable services to you, develop services and products for you and sustain this without interruption.

Method of collecting your personal data: Your personal data can be collected through our Bank’s Head office units, branches, ATMs, online branch, call center, public institutions and agencies and parties, contracted institutions and support service institutions which are complementary to or serve as an extension of the activities of the Bank or other similar channels, through automatic or non-automatic manners, in writing or on a verbal or electronic media.

The persons/institutions which the personal data can be transferred to for the above-mentioned purposes: Your Personal Data can be transferred to our Bank’s main shareholders, subsidiaries and their subinstitutions; employees, bank representatives, legal, financial and tax advisors, auditors, consultants, institutions, parties and support service institutions including KKB and Findeks and contracted institutions which are complementary to or serve as an extension of the activities of our Bank, international or domestic card payment system institutions including Europay INT.SA, Moneygram, Mastercard INT.INC, Visa INT, JCB INT, Maestro, Electron, authorized public institutions and agencies such as BRSA, CMB, CBRT, MASAK, TBB, KOSGEB, GİB, Treasury Undersecretariat, SGK, ministries, judicial authorities, when necessary, correspondent bank and domestic/international financial institutions and domestic/international merchants; s; and persons, institutions and agencies allowed by the other legislation provisions including the Banking Law no. 73/4 and other third parties for which you have an express consent.

Your Rights Within the Framework of the Article 11 of the Law; by applying to our Bank; you have the right to a) find out if your personal data has been processed or not, b) if yes, request information in this respect, c) find out about the purpose of your personal data being processed or used in a way that fits the purpose, d) know the third parties to which your personal data is transferred in or outside of the country, e) if your personal data is processed inaccurately or incompletely, request its correction, f) within the framework of conditions laid out in the article 7 of the Law, ask for the erasure or destruction of your personal data, g) request the notification of the transactions made as per the above-mentioned paragraphs (e) and (f) to the third parties to which your personal data is transferred, h) in case the analysis of your personal data through automatic systems exclusively produces a result against you, object to this result and i) in case you incur a loss because your personal data has been processed illegally, request the compensation of your loss.

It is possible for your rights to be exercised as of 07.10.2016 which is the effective date of the regulation whereas our right is reserved to claim the expenses to be incurred by our Bank to make sure that your requests are fulfilled from you as per the tariff set out in the article 13 titled “Application to the data officer” of the Personal Data Protection Law

Cases Which Do not Require a Consent, as per the paragraph 2 of the article 5 of the Personal Data Protection Law numbered 6698, provided that it is clearly set forth in the laws, it is directly relevant through setting up or executing an agreement, the Bank has the right to process personal data without obtaining an express consent in case processing personal data regarding the parties to the agreement is necessary, it is obligatory for Denizbank A.Ş. to fulfill its legal obligation, it is anonymized by the related person, data processing is obligatory to establish, exercise or maintain a right,data processing is obligatory for the legitimate interests of the Bank which is the data officer and in exceptional cases laid out in provisions of the Banking law no. 73/4 and the related legislation, and

Data which is obliged to be disclosed for public information in accordance with the provisions in the official registrations or balance sheets and annual reports and in the laws as per the principle of clarity published or made public or laid out in the laws and Data disclosure, use and transfers to be performed in order for the Bank to fulfill its legal obligations resulting from the legislation which the Bank is subject to and/or legal obligations and/or fulfill the Data transfer obligation to persons who may request the secrets in the laws to fulfill the Data transfer obligation and and for these Data, the Bank is authorized to disclose, give, process and transfer the related Data to related persons without the requirement of obtaining a separate letter of consent.

Our Legal Retention Obligation ; as per the article 42 of the Banking Law no. 5411 and provision 17 of the Article of Regulation on Terms and Procedures Regarding the Accounting Practices of the Banks and Retention of Documents, it is a legal obligation of our bank to retain the information and documents regarding you for a period of ten years. In the event that you request the deletion or destruction of your personal data, your request can be fulfilled at the end of the said 10-year period. Even in case the mentioned periods expire; your data might be anonymized in line with the legitimate interests of our bank to make analysis including risk analysis and evaluations in order to improve the Banking services and make it more secure. Your personal data which does not fall within the above-mentioned scope shall be deleted upon your request.