The Regulation on Sharing of Confidential Information (“Regulation”) has been published in the Official Gazette (No. 31501) on June 4, 2021, and will enter into force on January 1, 2022. The Regulation has been prepared on the basis of Articles 73 and 93 of the Banking Law (Law No. 5411) and defines the obligation of confidentiality, and furthermore clarifies its exceptions as well as the general principles.

According to Article 4 of the Regulation, those who have access to bank or customer secrets by the virtue of their position or duties, cannot disclose such information to anyone other than authorities expressly authorized by law. The duty of confidentiality has a continuing nature and therefore, cannot be discharged even after the termination of service.

Customer secrets, on the other hand, are referred to as any type of customer data that emerges following the establishment of customer relationships between banks and customers. Moreover, the duty will still be applicable in cases where the bank obtains the confidential information of a noncustomer held by another bank.

Confidential information can be disclosed to the authorities expressly authorized by law. The Regulation also allows bank and customer secrets to be shared with third parties under clarified conditions, provided that a confidentiality agreement is concluded. The exemptions under the Regulation are mainly provided for the transactions of the banks with financial institutions and credit institutions, concerning matters such as consolidated financial statement preparation studies; risk management; internal or independent audit practices; valuation, rating, support services, etc.

Confidential information that solely qualifies as a bank secret can also be shared with third parties if permitted by a resolution of the executive board of the bank. Such disclosure should be given in ac-cordance with the principle of proportionality and limited with the stated purposes. The Regulation also determines the proportionality measures to be considered in general and makes it obligatory to comply with the general principles determined by the Personal Data Protection Law. Accordingly, personal data related to the health and sexual life of natural person customers cannot be shared with third parties under any circumstances.

Customer secrets cannot be shared with third parties without a request or instruction from the customer, even if the customer expresses explicit consent priorly. In addition, such consent cannot be imposed as a prerequisite for services to be provided by the bank.

The Regulation is expected to eliminate the hesitancy that exists in practice and will also provide guidance for data transfers once enters into force.