​Information Note For The Law On Protection Of Personal Data

We, as Aktif Yatirim Bankasi A.S., acting as the data controller, hereby would like to inform you as per the Law Nr. 6698 on Protection of Personal Data (the "Law"), which has been promulgated on the Official Journal, dated April 7, 2016 and bearing the issue number 29677.

Purposes of processing personal data, and the legal grounds thereof: Recording the identity, address and such other details as required for identification of the respective person, executing the transaction, under the Banking Law and such other applicable regulations, and issuance of any and all records and documentation that will serve as the basis for the respective transaction you have performed with the bank, either by electronic means or in hard copy, and retaining such records and documentation during the course of time as prescribed under the applicable regulations, and complying with the related domestic and international regulations, and fulfilling any and all obligations with respect to data and documentation storage, reporting, risk monitoring, information exchange and provision of information as prescribed by the Banking Regulation and Supervision Agency (BRSA), CMB (Capital Markets Board), the CBRT (the Central Bank of the Republic of Turkey), MASAK (Financial Crimes Investigation Board), TBB (Banks' Association of Turkey), Revenue Administration, Undersecretary of Treasury, and such other competent authorities; performance of the initiatives for planning, statistics, customer satisfaction and enhancement of the service quality, and anti-fraud activities, ensuring security, and accomplishment of the researches on limit, intelligence and information and the credibility assessments with respect to the products and services of the Bank as requested by you; management of all our legal processes; fulfillment of any and all obligations of the Bank against you with respect to any and all transactions you have performed with the Bank; and also provision and offering of any and all banking and financial services.

In addition to the purposes listed herein above; your personal data may be processed for the purpose of establishment of communication with you, our valuable clients, in relation to the products and services you have received / will receive in order for provision and offering of any and all kinds of products and services exclusively for you, and use of such data in promotional activities, product/service offerings, marketing activities and campaigns to the extent that you have granted your consent for such purpose, and also developing services and products, as appropriate for you, as well as the existing and new product development activities and market survey by the Bank and our subsidiaries, and also determination of the targeted client group, etc.

Cases Not Requiring Your Consent: As per section 5 of the Law; the Bank is entitled to process any personal data without obtaining the explicit consent under the circumstances where it is necessary to process any personal data of the parties to the agreement to the extent that it is required by the laws and that it is directly associated with execution or performance of the agreement, and where it is necessary for the Bank to fulfill its statutory obligation in the capacity of data controller, and where any such data is already made public by the concerned person, and where processing of any data is necessary to establish, exercise or protect any right, and where processing of any data is necessary for legitimate interests of the Bank, as the data controller, to the extent that the fundamental rights and freedoms of the concerned person are not impaired, as well as in case of any exception indicated under the provisions prescribed under Section 73/4 of the Banking Law.

Persons/entities to whom/which the personal data may be transmitted for the purposes listed herein above:

i) The persons or organizations, to whom/which information exchange is allowed / required by the provisions prescribed under the Banking Law, and the other applicable regulations;

ii) The financial institutions listed under Section 73/4 of the Banking Law Nr.5411 to the extent not limited with the ones as listed thereunder;

iii) The public legal entities such as the Banking Regulation and Supervision Agency (BRSA), CMB (Capital Markets Board), the CBRT (the Central Bank of the Republic of Turkey), MASAK (Financial Crimes Investigation Board), TBB (Banks' Association of Turkey), Revenue Administration, Undersecretary of Treasury and Social Security Institution, as well as the governmental agencies;

iv) The agencies such as the Interbank Card Center (BKM), the Credit Bureau (KKB) and FINDEKS;

v) Our principal shareholder, direct and indirect subsidiaries, and the subsidiaries and affiliates of our principal shareholder;

vi) The scheme partner entities, domestic/international banks, support service providers and independent audit firms from which we procure services or with which we collaborate for the purpose of performance of our banking operations in cases where so allowed under the applicable regulations.

Method for collecting personal data: Your personal data may be collected either verbally, in writing or electronically through the channels such as the Head Office, Branches, kiosks, ATMs, the Internet branch, digital applications, our direct and indirect subsidiaries, as well as organizations, from which the Bank procures services, as per the Regulation on Procurement of Support Services by Banks, and the call centers. Furthermore, your personal data, which has been/will be provided to the subsidiaries of the bank by you, may be used by the bank for the purpose of processing any personal data and fulfilling the causes of action, as specified herein above, upon your approval thereto.

Your rights: As per Section 11 of the Law; you are entitled to apply to the Bank, and (a) to inquire whether your personal data has been processed, or not; and (b) to ask for information regarding any such processed personal data, and (c) to be informed about the purpose of processing of any such data, and also about the fact that whether such data has been used as appropriate to the purpose thereto, and (ç) to be informed about any 3rd party to which any such data has been transmitted, either domestically or internationally, and (d) to ask for correction of any imperfect or inaccurate data, in case of any imperfect or inaccurate processing thereof, and (e) to ask for deletion or disposal of any such personal data in accordance with the terms and conditions as prescribed under Section 7 of the Law, and (f) to ask for being informed about the transactions, which have been performed as per the sub-paragraphs (d) and (e) herein above, with respect to the persons to which any such personal data has been transmitted, and (g) to raise an objection against such outcome in case of emergence of an outcome that is to the detriment of you upon the analysis of any such processed personal data solely by any automatic systems, and (ğ) to claim for compensation of any and all damage and/or loss you might have incurred in case any such personal data has been processed in breach of the Law.

Any cost and expense, which might be incurred by the Bank in order to ensure that your requests are satisfied, may be claimed by you as based on the tariff specified under Section 13 "Application to the Data Controller" under the said Law.