QNBpay Payment Services Joint Stock Company Privacy Notice KVKK

QNBPAY PAYMENT SERVICES JOINT STOCK COMPANY PRIVACY NOTICE KVKK

This Privacy Notice has been prepared by QNBpay Payment Services Joint Stock Company (“Company”) in its capacity as the data controller, in accordance with Article 10 of the Law No. 6698 on the Protection of Personal Data (“Law”) and the Communiqué on the Principles and Procedures to be Followed in Fulfilling the Obligation to Inform, for the purpose of fulfilling its obligation to inform regarding data security.

Categories of Processed Personal Data, Purposes of Processing, and Legal Grounds

Your collected personal data may be processed for the purposes (“Purposes”) listed below, in accordance with the conditions and purposes for processing personal data set forth in Article 5 of the Law.

Category of Personal Data

Purpose and Legal Basis for Processing Personal Data

Identity, Contact, Financial, and Customer Transaction

Provided that it is directly related to the establishment or performance of a contract, the processing of personal data belonging to the parties to the contract is necessary

Presentation of payment services and offers to you or the company you are employed by
Fulfillment of all obligations arising from the provision of our payment services to you or your employer, and execution of related business processes, including contacting you when necessary
Creation of user accounts required for you to benefit from the payment services
Management of requests and complaints

Identity, Contact, Financial, and Customer Transaction

Provided that it does not harm the fundamental rights and freedoms of the data subject, processing of data is necessary for the legitimate interests of the data controller

Management of customer relations
Providing information regarding the offered payment services
Measuring customer satisfaction

Identity, Contact, Financial, Customer Transaction, Transaction Security, Risk Management

Processing of data is necessary for the establishment, exercise, or protection of a right

Managing all legal proceedings and litigation processes, particularly those before judicial and/or administrative authorities
Monitoring and following up on legal processes

Identity, Contact, and Customer Transaction

Explicitly stipulated by law and necessary for the Company to fulfill its legal obligations as the data controller

Carrying out identity verification and authentication processes
Confirming the accuracy and ensuring the up-to-dateness of customer information

Identity, Contact, Financial, Customer Transaction, Transaction Security, Risk Management

Explicitly stipulated by law and necessary for the data controller to fulfill its legal obligations

Conducting activities in compliance with applicable legislation and fulfilling related legal obligations
Providing information regarding the offered payment services
Monitoring financial, accounting, and/or invoicing processes
Taking necessary measures to ensure transaction security
Responding to requests from official authorities (including but not limited to public institutions such as the BRSA, CBRT, and MASAK to which we are legally obliged to provide information)
Providing information to authorized institutions as required by legislation (e.g., reporting suspicious transactions to MASAK)
Planning and/or conducting audit activities
Ensuring compliance with statutory data retention obligations
Responding to data subject applications in accordance with the law and carrying out the necessary procedures

Identity, Contact, Customer Transaction, Marketing, and Visual Data

Explicit Consent

Planning and execution of activities necessary for recommending and promoting the Company’s products and services to the data subjects by customizing them according to their preferences, usage habits, and needs
Sending commercial electronic messages via SMS, email, or phone call to the contact information provided (In cases where the recipient is a merchant or tradesperson, such messages may be sent within the scope of the Company’s legitimate interests)

Additionally, if you use the QNBPay mobile application, we may carry out certain additional data processing activities based on the permissions you grant through your device:

If you allow notifications: We may send updates regarding the status of your requests, information about collected payments, or announcements of campaigns we recommend for you
If you allow access to your photo gallery and camera: You may upload a photo to be used in your profile

Method of Collecting Personal Data

Your personal data is collected in accordance with the law and the principles of good faith, for the fulfillment of the Purposes stated above, through electronic means via the Company’s websites, contact/application forms, or through the Company’s support center via call center, SMS, and email channels; as well as from the Credit Bureau of Turkey (Kredi Kayıt Bürosu A.Ş.), the Identity Sharing System, and the Workplace Registration System, using automated and partially automated methods.

Recipients and Purposes of Personal Data Transfers

Your personal data may be transferred based on the purposes and legal grounds outlined below:

Categories of Transferred Data

Recipient Organizations

Legal Basis and Purpose of Data Transfer

Identity, Contact, Financial, Customer Transaction, Transaction Security, Risk Management

Legally Authorized Public Institutions, Private Entities, and Judicial Authorities (Central Bank of the Republic of Türkiye [CBRT], Financial Crimes Investigation Board [MASAK], Interbank Card Center Inc., Ministry of Treasury and Finance, Revenue Administration, Undersecretariat of Treasury, other public authorities, regulatory and supervisory bodies; Message Management System; Workplace Registration System; tax authorities; and, upon request, judicial authorities such as prosecutors, courts, arbitration/mediation bodies, relevant law enforcement agencies, and notaries)

Based on the legal ground that it is explicitly stipulated by law and necessary for the data controller to fulfill its legal obligations:

Fulfilling legal reporting and information requests
Conducting legal audit activities
Managing legal proceedings
Complying with obligations arising from applicable legislation

Identity, Contact, Financial, and Customer Transaction

Payment transaction service providers and other financial institutions (domestic partner banks, payment system institutions, and organizations)

Directly related to the establishment or performance of a contract:

Provision of payment services
Execution of payment transactions

Identity, Contact, and Customer Transaction

Service Providers

(Third-party service providers including support organizations, external service providers, IT infrastructure providers, legal consultancy firms, lawyers, translation offices, consultancy companies, independent audit firms, cargo/courier/delivery companies, supervision/audit/archiving firms, and organizations providing services for commercial electronic message delivery—engaged to ensure the provision of our services and the execution of our operations)

Based on the legal ground that processing is necessary for our legitimate interests, provided that it does not harm your fundamental rights and freedoms:

Provision of payment services to you
Execution of our business operations
Management of information systems and transaction security processes
Execution of financial, accounting, and archiving processes

Identity, Contact, Customer Transaction, and Financial

Our group companies (our main shareholder and our direct/indirect domestic affiliates)

Based on the legal ground that processing is necessary for our legitimate interests, provided that it does not harm your fundamental rights and freedoms:

Execution of our business operations
Conducting risk management and internal audit activities

Identity, Contact, Customer Transaction, and Financial

Our Business Partners

(Organizations we collaborate with for the provision and marketing of our services, including banks and other financial institutions)

Based on the legal ground that it is directly related to the establishment or performance of a contract:

Provision of payment services to you
Fulfillment of the obligations under the contract concluded with the Company
Execution of payment transactions

Based on the legal ground that processing is necessary for our legitimate interests, provided that it does not harm your fundamental rights and freedoms:

Execution of our business operations

Your Rights as a Data Subject

Pursuant to Article 11 of the Law, you have the following rights regarding your personal data:

To learn whether your personal data is being processed
If processed, to request information about such processing
To learn the purpose of processing and whether it is used in accordance with that purpose
To know the third parties to whom your personal data is transferred domestically or abroad
To request correction of incomplete or inaccurate data and to request notification of such correction to third parties to whom the data has been transferred
To request deletion or destruction of your personal data if the reasons requiring processing no longer exist, even if it was processed in accordance with the law, and to request notification of such deletion to third parties
To object to any outcome against you arising from the analysis of your data exclusively through automated systems
To request compensation if you suffer damage due to unlawful processing of your personal data

You may submit your requests regarding these rights, along with information identifying your identity, in accordance with the “Communiqué on the Principles and Procedures for the Request to Data Controller,” either in writing to QNBpay Ödeme Hizmetleri A.Ş. (MERSIS No: 0325108909500001) at Esentepe Mah. Büyükdere Cad. No:215 / İstanbul, or via registered electronic mail (KEP) to qnbpay@hs05.kep.tr.

For any questions or requests regarding your personal data, you can also contact kvkk@qnbpay.com.tr.