Gizlilik Politikası

ONLINE PRIVACY POLICY 

Last updated: 23/01/2026 

This online privacy policy (“Policy”) explains how T.C. Ziraat Bankasi A.S., London Branch (also referred to as the “Bank”, “we”, “us” or “our”) collects and uses Personal Data when you visit and use our website at https://ziraatbank.co.uk (the “Website”), or when you interact or communicate with us (for example, by making an enquiry or requesting information about our products and services).  

Please note that although this Privacy Policy describes the different processing activities that we carry out, it does not mean that your Personal Data is used for all these activities. 

1. Important information and who we are 

T.C. Ziraat Bankasi A.S., London Branch, with its registered office at 45–47 Cornhill, London, EC3V 3PF, United Kingdom, is registered in the UK under establishment number BR001736. For the purposes of applicable data protection laws, we act as the data controller of your Personal Data. 

We are committed to being transparent about how we use Personal Data. We process Personal Data in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 as it forms part of UK law by virtue of section 3 of the European Union (Withdrawal) Act 2018 (the UK General Data Protection Regulation) and the UK Data Protection Act 2018.  

For our contact details, and those of our Compliance Team, please see the “Contact Us” section below. 

2. Scope of this Privacy Policy 

This Privacy Policy does not apply to Personal Data collected or processed through our products or services. It applies solely to Personal Data collected when you interact with us online and communicate with us via our website, as described above. 

This Privacy Policy is supplemented by additional privacy notices that apply to specific products and services we offer. We therefore encourage you to review the privacy policies that are relevant to each product or service you use.  

If you’re ever unsure about which privacy policy applies to a particular activity, remember that the specific product or service privacy policy will take precedence over this Online Privacy Policy and will apply to the extent the activity relates to the processing of Personal Data related to your product or service. 

In other words, the specific product or service privacy policy governs the general use of your Personal Data in connection with such product or service by the Bank, while the Online Privacy Policy supplements our use of your Personal Data in connection with your use of digital services related to products and services you use and your communications with us. 

3. Changes to this Privacy Policy 

We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or business operations. Where any changes are material, we will take appropriate steps to inform you. This may include, for example: (i) contacting you directly in writing (such as by post or email) and asking you to review the updated version; and/or (ii) displaying a prominent notice on our Website when you next visit. 

This version was last updated on the date set out above.  

4. Personal Data we collect about you 

“Personal Data” or “Personal Information” means any information relating to you as an identified or identifiable natural person, such as your name, addresses, telephone number, email address, IP address, and other information specific to your online behaviour. If you do not provide us with Personal Data that we tell you is mandatory (for example, if we need to collect Personal Data by law or if it is necessary to enter into a contract with you), we may not be able to provide you with our products and services. We will notify you if this is the case at the time. 

We collect and process various categories of Personal Data about you, depending on the type of online interaction you have with us (for example, when you only visit or browse our Website without purchasing any of our products or services, when you contact us via the Website) and beyond such an interaction, subject to appropriate retention periods as further explained below. 

Personal Data You Provide to Us 

We collect Personal Data directly from you, through the following means: from your online browsing through our Website and mobile applications; from an online application form; from your access to our online services and from other information you directly provide to us. These includes: 

  • Basic Personal Details: Your personal details, including name and address, contact details; 
  • Professional information: Where you interact with us on behalf of a customer or counterparty, information about your role, position, authority, responsibilities or relationship to that organisation, including your authorisation status. 
  • Communications: records of your communications and interactions with us, including emails, telephone calls, correspondence submitted via Website contact forms. 
  • Preferences: your communication preferences, marketing choices (where applicable) and cookie consent settings. 

Personal Data Collected Automatically 

When you visit or interact with our Website, we may automatically collect certain information using cookies and similar technologies. This information helps us operate the Website, maintain security, and improve performance and user experience. 

  • Device Information: Details about the device and software you use to access our service, such as device type and model, operating system and version, browser type and version, device identifiers, language and display settings, and time zone. 
  • Usage Information: Details of your activity when you visit or interact with our Website or services, including features used, pages or screens viewed, dates and times of access, navigation paths, and interaction patterns. 
  • Log and Security Data: Server logs recording requests made when you access our website or services (for example, IP address, access times, pages visited, and referring or exit pages). These logs are used for security, troubleshooting, and analytics purposes. 
  • Cookies and similar tracking technologies: information about your online preferences set through the configuration you choose regarding cookies and similar technologies. For further detail, please see the "Cookies and similar technologies" section below. 

Personal Data Collected from Third Parties 

We also collect your Personal Data from different sources, such as: 

  • Publicly Available Sources: Company registers, regulatory filings or other publicly accessible sources, where relevant to our business relationship or regulatory obligations. 

5. How we use your Personal Data and our legal basis 

The table below sets out what we use your Personal Data for and our legal basis for doing so. We may process your Personal Data for more than one legal basis depending on the specific purpose for which we are using your Personal Data.  

We use your Personal Data either on its own or combined with other information. We need a “lawful basis” under data protection laws to process your Personal Data.

These include:  

  • where it is necessary for the performance of a contract with you or to take steps at your request prior to entering into a contract with you;  
  • where necessary for compliance with legal obligations and where we are required by law to process your Personal Data. 
  • where necessary for our legitimate interests, such as to prevent fraud and/or enhance our products or services; or 
  • where we have obtained your consent, such as for marketing purposes when you opt-in to receive marketing from us.

Please note that we consider the potential impact on you and your rights before processing your Personal Data for our legitimate interests.

Purpose of Processing Legal Basis for Processing
To operate, administer and maintain our Website, including enabling access, ensuring functionality, managing content and responding to general enquiries. 
  • Legitimate interests (to operate and manage our Website and provide information efficiently) 
To assess, process and respond to enquiries or expressions of interest in our banking products and services, including corporate banking, lending, trade finance, treasury and related services. 
  • Performance of a contract or taking steps at your request prior to entering into a contract. 
  • Legitimate interests (to develop and manage business relationships) 
To manage relationships with customers, counterparties and authorised representatives. 
  • Legitimate interests (to manage corporate relationships and verify authority) 
  • Compliance with our legal obligation (where required for regulatory compliance) 
To analyse our customers' needs, preferences and behaviours in order to develop and improve our products and services and assess and analyse whether our ads, promotions and offers are effective. 
  • Legitimate interests to improve our products and services (for example, to make sure our products and services relevant for our customers) 
To improve and develop our services, to check we have carried out your requests correctly, and for compliance, training, and quality purposes, (including service design, operational planning and staff training) 
  • Legitimate interests (to improve our services and operations responsibly) 
To market products and services which we think you will be interested in based on your relationship with us (by email, SMS or other electronic means) 
  • Legitimate interests (to market products and services which we think you will be interested in, based on your relationship with us, and related to products or services similar to those for which you previously contracted with us) 
  • Consent (when we provide you with varied offers of our products and services) 
To ensure the security of our Website, systems, networks and information, including monitoring, logging, access controls, incident detection, investigation and prevention. 
  • Legitimate interests (to maintain security and prevent unauthorised access) 
  • Compliance with our legal obligation (where security measures are mandated) 
To maintain records for governance, audit, regulatory reporting, risk oversight and internal controls, including meeting supervisory, legal and regulatory expectations. 
  • Compliance with our legal obligation  
  • Legitimate interests (to ensure effective governance and accountability) 
To establish, exercise or defend legal rights or claims, including handling complaints, disputes, litigation, investigations and regulatory matters. 
  • Legitimate interests (to protect legal rights) 
  • Compliance with our legal obligation (where applicable) 
To comply with applicable laws and regulations and to cooperate with regulators, law enforcement and public authorities, including responding to lawful requests and investigations. 
  • Compliance with our legal obligations; 
  • Legitimate interests (to cooperate with regulators, law enforcement and other authorities in the detection and prevention of fraud and crime, particularly where it impacts our customers) 
We may collect and process publicly available information to identify and respond to (i) brand and reputation damage; (ii) security threats and fraud attempts; (iii) customer account servicing related issues; and (iv) litigation actions (such as information you publicly post on social media platforms). 
  • Legitimate interest to identify threats to our company, products and services and respond appropriately. 
To comply with relevant laws and regulations and to cooperate with regulators, law enforcement and any other authorities (for e.g., processing criminal data for the purpose of complying with a court order or subpoena). 
  • Compliance with our legal obligations that mandate us to cooperate with regulators, law enforcement and any other authorities 
  • Establishment, exercise or defence of legal claims 

6. Disclosure of Personal Data 

We only disclose Personal Data to third parties where this is necessary for the purposes described in this Privacy Policy, or where we are otherwise permitted or required to do so by applicable law. Whenever we share Personal Data, we ensure that appropriate contractual, organisational and technical safeguards are in place to protect it, in accordance with UK data protection law and our standards of confidentiality and security. 

We may disclose your Personal Data in the following circumstances: 

  • Corporate Customers: Where you interact with us or provide Personal Data in your capacity as a representative of a corporate customer or counterparty, we may disclose your Personal Data to the relevant corporate customer on whose behalf you act; and affiliates or third parties authorised by that corporate customer, where such disclosure is necessary for the management of the relationship, the provision of services, or to verify authority and instructions. 
  • Authorised Recipients: (including accountants, lawyers and other professional advisers) who you have authorised to represent you, or any other person you have told us is authorized to give instructions or use the account. 
  • Our Service Providers: We may disclose Personal Data to trusted third-party service providers who perform services for us and help us manage our online services and/or operate our business. These may include providers of: IT systems, hosting, cloud services, cybersecurity and data storage; audit, accounting, legal and other professional advisory services; and compliance, screening, risk management and operational support services.  
  • Law enforcement and regulatory authorities. We may disclose Personal Data to courts, regulators, supervisory authorities, law enforcement agencies, tax authorities, financial institutions and other public or governmental bodies where: we are required to do so by applicable law or regulation; disclosure is necessary to comply with a legal or regulatory obligation; disclosure is necessary to protect our rights, property or safety, or those of others; or disclosure is necessary to establish, exercise or defend legal claims. 
  • Business transfers and transactions. In the event of a reorganisation, restructuring, merger, acquisition, sale, transfer of business or assets, or similar corporate transaction, we may disclose or transfer Personal Data to prospective or actual counterparties, advisers and other relevant third parties. Any such disclosure will be limited to what is necessary for the transaction and subject to appropriate confidentiality and data protection safeguards. 

We require all third parties with whom we share Personal Data to implement appropriate security measures to protect it and to process it in compliance with applicable data protection laws. Where a third party acts as a data processor, it may only process Personal Data on our instructions and may not use it for its own purposes. 

7. International data transfers 

We may transfer your Personal Data to countries outside the United Kingdom (UK). Some of these countries may not provide the same level of data protection as is available under UK law.  

Whenever we transfer Personal Data internationally, we ensure that it is protected to a standard that is essentially equivalent to that required under UK data protection law. We do this by implementing appropriate safeguards, which may include: 

  • where the UK government has determined that the destination country ensures an adequate level of protection for Personal Data (please see the list of countries); or 
  • Where no adequacy regulation applies, we implement appropriate safeguards such as the International Data Transfer Agreement and/or UK Addendum to the European Commission’s Standard Contractual Clauses, together with any additional contractual, technical and organisational measures required to ensure an adequate level of protection 

We carry out transfer risk assessments to evaluate the legal and practical risks associated with international transfers, including the laws and practices of the destination country, and to determine whether additional safeguards are required, in line with guidance issued by the UK Information Commissioner’s Office. 

If you would like further information about the safeguards we use for international transfers, you may contact us using the details set out in the “Contact us” section below. 

8. Aggregate and de-identified information 

We may collect, use, and share aggregated or de-identified data, such as statistical or demographic information, for any lawful purpose. Although this type of data may be derived from your Personal Data, it is not considered Personal Data under applicable data protection laws if it does not directly or indirectly identify you. 

For example, we may aggregate usage data to analyse trends, monitor performance, or improve our services, without identifying any individual. 

9. Cookies and similar tracking technologies 

We use cookies and similar tracking technologies to automatically collect information about your browsing behaviour, device type, and interaction with our Portal and services. These technologies help us remember your preferences and settings to provide a more personalised experience, analyse usage patterns to improve functionality and performance, support authentication processes, and enhance security. Where required by law, we will seek your consent before placing non-essential cookies on your device. For more detailed information, including the types of cookies we use and how to manage your preferences, please see our Cookie Policy. 

10. Data security 

We have implemented appropriate technical and organisational security measures to protect your Personal Data from accidental loss, unauthorised access, misuse, alteration, or disclosure. These measures include, but are not limited to, access controls, encryption, secure storage, and regular system monitoring. 

Access to your Personal Data is limited to employees, agents, contractors, and other third parties who have a legitimate business need to access it. They will only process your data on our instructions and are bound by confidentiality obligations. 

11. Data retention 

Personal Data will be retained only for as long as necessary for the purposes for which it was collected, including to provide our website and services, and in accordance with applicable laws and regulatory requirements.  

Where Personal Data relates to services provided to a corporate customer, we will determine the appropriate retention period by considering factors such as the nature, sensitivity, and volume of the Personal Data; the potential risk of harm from unauthorised use or disclosure; the purposes for which the data is processed and whether those purposes can be achieved by other means; and applicable legal and regulatory requirements.  

For example, certain categories of Personal Data may be retained for longer periods where required to comply with legal or regulatory obligations. In such cases, relevant records may be retained for up to ten (10) years following the end of the relevant contractual relationship or transaction, in line with applicable statutory limitation periods.  

Where there are outstanding obligations, disputes, or unpaid amounts, we may retain relevant Personal Data for longer periods where necessary to pursue recovery, resolve disputes, or comply with legal obligations. 

12. Your legal rights 

To the extent permitted by applicable data protection laws and regulations, you have the following rights in relation to your Personal Data: 

  • Request access to your Personal Data. This enables you to receive a copy of the Personal Data we hold about you and to check that we are lawfully processing it. 
  • Request correction of the Personal Data that we hold about you. This enables you to have any incomplete or inaccurate data we hold about you corrected, though we may need to verify the accuracy of the new data you provide to us. 
  • Request erasure of your Personal Data in certain circumstances. This enables you to ask us to delete or remove Personal Data where there is no good reason for us continuing to process it.  
  • Object to processing of your Personal Data where we are relying on a legitimate interest (or those of a third party) as the legal basis for that particular use of your data. In some cases, we may demonstrate that we have compelling legitimate grounds to process your information which override your right to object. 
  • Request the transfer of your Personal Data to you or to a third party. We will provide to you, or a third party you have chosen, your Personal Data in a structured, commonly used, machine-readable format. 
  • Withdraw consent at any time where we are relying on consent to process your Personal Data. However, this will not affect the lawfulness of any processing carried out before you withdraw your consent. If you withdraw your consent, we may not be able to provide certain products or services to you. 
  • Request restriction of processing of your Personal Data. This enables you to ask us to suspend the processing of your Personal Data in one of the following scenarios: 
    • If you want us to establish the data's accuracy; 
    • Where you believe our use of the data is unlawful but you do not want us to erase it; 
    • Where you need us to hold the data even if we no longer require it as you need it to establish, exercise or defend legal claims; or 
    • You have objected to our use of your data but we need to verify whether we have overriding legitimate grounds to use it. 

If you wish to exercise any of the rights set out above, please submit your request via our online Data Subject Request Form. If you have any questions about how we process your Personal Data, please see the “Contact Us” section below. 

Before we respond to any rights request, we may need to verify your identity to ensure that we are dealing with the correct individual. 

Where you are submitting a request on behalf of another person, we will require evidence that you are authorised to act on their behalf (for example, a written authorisation or power of attorney). This is to ensure that Personal Data is not disclosed to anyone who is not legally entitled to receive it. 

Where your Personal Data is processed in connection with your role at a corporate customer, and you submit a request in your capacity as an authorised representative, we may liaise with the relevant corporate customer to verify your authority before responding to the request. 

13. Complaints 

We are committed to protecting your Personal Data and to resolving any concerns you may have about how it is handled. If you have any questions, or if you believe that your Personal Data has been processed in a way that does not comply with applicable data protection laws, please contact us so that we can address the matter promptly. 

You also have the right to lodge a complaint with a supervisory authority. In the United Kingdom, this is the Information Commissioner’s Office (ICO), which can be contacted at www.ico.org.uk. 

14. Accuracy of Personal Data 

It is important that the Personal Data we hold about you is accurate and kept up to date. Please notify us promptly if your personal details change (for example, your contact information, postal address, or email address) during the course of your relationship with us. 

15. Contact us 

If you have any questions, comments or requests regarding this Privacy Policy or how we handle your Personal Data, please contact our Privacy Team at: info@ziraatbank.co.uk