Corporate Customer Portal Privacy Policy

CORPORATE CUSTOMER PRIVACY POLICY 

Last updated: 17.10.2025 

This Corporate Customer Privacy Policy (“Privacy Policy”) explains how T.C. Ziraat Bankasi A.S., London Branch (also referred to as “we,” “us,” or “our”), in its capacity as data controller, collects, uses, and discloses personal data when you access and use our Corporate Client Portal (“Portal”) on behalf of a corporate customer (“Corporate Customer”).

This Privacy Policy applies solely to the services accessible through the Portal. It provides specific details on how we process information relating to your Corporate Customer Account and related services. For other interactions with us, please refer to our general Privacy Policy, which governs the processing of personal data across our main services and activities. 

We are committed to being transparent about how we handle your personal data. We will only process it where we have a lawful basis to do so under applicable data protection laws, which may include obtaining your consent where required. From time to time, we may update this Privacy Policy. Where any changes are material, we will notify you either (i) by email, or (ii) by posting a prominent notice on the Portal. 

We encourage you to review this Privacy Policy whenever you access our Portal or otherwise interact with us, so that you remain informed about our information practices and the choices available to you. 

1) Important information and who we are 

T.C. Ziraat Bankasi A.S., London Branch, with its registered office at 45–47 Cornhill, London, EC3V 3PF, United Kingdom, is registered in the UK under establishment number BR001736. For the purposes of applicable data protection laws, we act as the data controller of your personal data. 

We process personal information in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 as it forms part of UK law by virtue of section 3 of the European Union (Withdrawal) Act 2018 (the UK General Data Protection Regulation) and the UK Data Protection Act 2018.  

For our contact details, and those of our Compliance Team, please see the “Contact Us” section below. 

2) Personal information we collect about you 

“Personal information” or “personal data” means any information relating to an identified or identifiable natural person, such as your full name, email address, telephone number, and other information specific to you such as transaction information, preferences, or professional details.  

We collect, use, store, and transfer different categories of personal data about you in your capacity as an authorised user (referred to as “you”, “your”, or “Authorised Users”) including but not limited to main user, viewers, initiators, and approvers.  

For the purposes of this Privacy Policy, “you” or “your” refers to any natural person acting as an Authorised User of a Corporate Customer who accesses or uses the Portal on its behalf. The Corporate Customer itself is not a data subject under this Privacy Policy, although its representatives’ personal data may be processed as described below. 

The categories of data we process include the following: 

Personal Information You Provide to Us 

We may collect and process the following categories of personal data you provide directly: 

  • Basic Personal Details: Full name, date and place of birth, national identification details, nationality, and contact information. 
  • Financial information: financial status and history, bank account details, card numbers and expiry dates, and information about your transactions (e.g. payments you make or receive). 
  • Professional Information: Details of your role, authority, responsibilities, or function within the Corporate Customer’s business including your authorisation level and role details as specified in the Account Mandate (for example, whether you are an account administrator, director, officer, employee, agent, or any other Authorised User). 
  • Contractual Information: Details relating to the products and services we provide to the Corporate Customer.
  • Communications: Correspondence such as emails and letters, as well as records of conversations and interactions through our Portal chat. 
  • Preferences: information about your permission and preferences (including cookie configurations and marketing preferences). 

Personal Information Collected Automatically 

Depending on your interactions with the Portal and our services, we may automatically collect and process certain categories of personal data. This information helps us ensure the security of the Portal, maintain service functionality, and improve the user experience. 

  • Device Information: Details about the device and software you use to access our service, such as device type and model, operating system and version, browser type and version, device identifiers, internet service provider, language and display settings, time zone, push notification settings. 
  • Usage Information: Details of your activity within our Portal, including features used, pages or screens viewed, dates and times of access, navigation paths, and interaction patterns. 
  • Log Files: Server logs recording requests to our services (e.g. IP address, access times, pages visited, referring/exit pages). These are used for security, troubleshooting, and analytics. 
  • Cookies and similar tracking technologies: We use cookies, pixels, and other tracking technologies to collect certain personal data about your browsing behaviour and interaction with the Portal. For more detailed information, including the types of cookies we use and how you can manage your preferences, please refer to our Cookie Policy. 

Personal Information Collected from Third Parties 

We also collect various categories of Personal Information from different sources, such as: 

  • Open Data and Public Records: Information available in official registers (e.g. Electoral Register) or publicly accessible online sources.
  • Business Partners: Third parties with whom we conduct business, such as service providers (e.g. media monitoring, sanctions or background screening, compliance monitoring, due diligence or online reputation management firms).
  • Credit and Fraud Prevention Agencies: Information we receive from credit reference and fraud prevention agencies, for example, to carry out identity verification, due diligence, and fraud prevention checks, and to assess and approve service requests. 

3) How we use your personal information and our legal basis 

We may use your personal information either on its own or in combination with other information. Under data protection laws, we must always identify and rely on a valid “lawful basis” for processing your personal information.  

The lawful bases we rely on include: (i) where the processing is necessary for the performance of a contract with you (the Corporate Client Portal Agreement), or to take steps at your request prior to entering into a contract; (ii) for compliance with legal obligations and where we are required by law to process your Personal Information; (iii) where necessary for our legitimate interests (for example, to prevent fraud, maintain the security of our business operations, or improve our services); or (iv) where we have obtained your consent.  

The table below sets out how we use your personal data, together with the relevant lawful bases. Please note that a single processing activity may rely on more than one lawful basis depending on the circumstances. 

| Purpose of Processing | Legal Basis for Processing |
| --- | --- |
| To process applications for access to the Portal and the services submitted by the Corporate Customer and its designated Authorised Users. | Necessary to perform our contract with you or to take steps to enter into a contract with you (Corporate Client Portal Agreement) |
| To maintain records of all applications for audit, analysis, quality control, and reporting purposes. | To comply with our legal obligations; Necessary for our legitimate interests (to ensure the proper management of our business operations and safeguard the integrity of our systems and services) |
| To provide the services to the Corporate Customer, including enabling Authorised Users to manage accounts, submit Instructions, and complete transactions through the Portal. | Necessary to perform our contract with you or to take steps to enter into a contract with you; Necessary for our legitimate interests (to manage our business, fulfil obligations towards Corporate Customers, and validate User authorisation) |
| To verify and maintain Authorised User details in accordance with the Account Mandate, including their access rights and approval levels within the Portal. | Necessary for our legitimate interests (to ensure the accuracy, integrity, and security of user authorisations); To comply with our legal obligations relating to identity verification and record-keeping. |
| To provide reports to enable Corporate Customers to uphold effective administration. | Necessary for our legitimate interests (to manage our relationship with Corporate Customers and fulfil obligations) |
| To communicate with you and the Corporate Customer through email, the Portal, or any other electronic methods, about our services (such as confirmations, notices of changes to our terms or privacy policy, updates to Portal features, and security alerts). | Necessary to perform our contract with you; To comply with our legal obligations; Necessary for our legitimate interests (to maintain operational efficiency and keep the Authorised Users and Corporate Customer informed) |
| To communicate with you (as an Authorised User of the Corporate Customer) through email, the Portal, or any other electronic means about the Services, including to advertise, market, and send promotions and offers relevant to the Corporate Customer. | Necessary for our legitimate interests (to send you relevant updates about similar services you already use, where permitted, to help grow our business responsibly) |
| To monitor usage trends, measure feature effectiveness, analyse engagement, and enhance our products and services provided through the Portal. | Necessary for our legitimate interests (to analyse usage and feedback in order to improve functionality, security, and user experience of the Portal) |
| To detect, investigate, and prevent fraud and other criminal activities, and to protect the rights, property, and safety of the Branch, Corporate Customers, Authorised Users, and others. | To comply with our legal obligations; Necessary for our legitimate interests (to manage operational and security risks and prevent/detect fraud and criminal activities) |
| To establish, exercise, or defend legal rights or claims and assist in dispute resolution. | Necessary for our legitimate interests (to protect the rights, property, and safety of the Branch, Corporate Customers, and Authorised Users) |
| To understand the Corporate Customer’s financial circumstances and behaviour to manage our relationship and identify additional services or products. | Necessary for our legitimate interests (to improve our services and manage financial operations); To comply with our legal obligations. |
| To comply with our legal and regulatory obligations. | To comply with our legal obligations; Necessary for our legitimate interests (to manage business operations and ensure compliance) |
| To develop and enhance our services and Portal, including to better understand Corporate Customers and Authorised Users, their needs, preferences, and behaviours. | Necessary for our legitimate interests (to improve our services and Portal) |
| To process personal data in connection with merger or acquisition activities, including disclosure to third parties. | Our primary legal basis is legitimate interests (for example, to facilitate discussions with third party stakeholders). |
| To investigate and collate evidence about suspected crime, including criminal offence data, to establish, exercise, or defend our rights. | Where necessary to establish, exercise, or defend legal rights |
| To comply with relevant laws and regulations and cooperate with regulators, law enforcement, and other authorities. | To comply with our legal obligations (including in the establishment, exercise, or defence of legal claims or when required by courts or regulators) |

4) Disclosure of Personal Information 

We only share your personal data with third parties when it is necessary for the purposes described in this Privacy Policy. Whenever we share your data, we ensure that appropriate contractual, organisational, and technical safeguards are in place, consistent with our legal obligations and our standards of confidentiality, security, and data protection. 

We may disclose your personal information in the following circumstances: 

  • Corporate Customers: to the Corporate Customer on whose behalf you are acting, and to any affiliates or third parties that the Corporate Customer has expressly authorised. 
  • Our Service providers. To trusted third-party service providers who help us operate our business and deliver the services. These may include IT hosting and security providers, communication services, auditors, and professional advisers (such as legal counsel, accountants, and consultants). These parties generally act as our data processors and must process your personal data only on our instructions, for the specified purposes, and in compliance with applicable data protection laws. 
  • Group Companies: To other companies or services within the Ziraat Finance Group, where those companies provide services to us and/or where it is necessary for us to lawfully carry out our business activities. This data sharing is subject to appropriate safeguards.
  • Law enforcement and regulatory authorities. To law enforcement agencies, courts, regulators, governmental agencies, tax authorities, financial institutions, and other third parties where disclosure is required by law or regulation, or where it is necessary to: (i) comply with a legal or regulatory obligation, (ii) protect our rights, property, or safety (or those of others), or (iii) establish, exercise, or defend legal claims.  
  • Business transfers and transactions. In the event of a reorganisation, merger, acquisition, sale, or other corporate transaction involving our business or assets, we may share or transfer your personal data to the relevant third party involved. Any such recipient will be required to process your personal data in a manner consistent with this Privacy Policy, unless and until you are notified otherwise. 

We require all third-party service providers with whom we share personal data to keep it secure, process it only in line with our written instructions (unless they act as independent controllers), and not use it for their own purposes. 

5) International data transfers 

We may transfer your personal data to countries outside the United Kingdom (UK). Some of these countries may not provide the same level of data protection as is available under UK law.  

Whenever we transfer personal data internationally, we take appropriate steps to ensure that it remains protected to a standard essentially equivalent to that required under applicable data protection laws. In particular, we rely on the following safeguards: 

  • where the UK government has determined that the destination country ensures an adequate level of protection for personal data (please see the list of countries); or 
  • where no adequacy regulation applies, we implement appropriate contractual safeguards, such as the UK Addendum to the European Commission’s Standard Contractual Clauses, supplemented with additional technical and organisational measures where necessary. 

These safeguards are designed to ensure that your personal data is protected to a level equivalent to that guaranteed under the UK GDPR. We will also conduct transfer risk assessments to evaluate the legal and practical risks associated with the transfer, as recommended by the ICO. 

6) Aggregate and de-identified information 

We may collect, use, and share aggregated or de-identified data, such as statistical or demographic information, for any lawful purpose. Although this type of data may be derived from your personal data, it is not considered personal data under applicable data protection laws if it does not directly or indirectly identify you. 

For example, we may aggregate usage data to analyse trends, monitor performance, or improve our services, without identifying any individual. 

7) Manage Preferences 

From time to time, we may contact you with information about our products and services. We will only send you these communications where we have a lawful basis to do so. 

  • We may contact you about services or features that are similar to those you have already used. We do this to promote our services and to keep you informed. In this case, we rely on our legitimate interests, provided that this does not override your rights and freedoms. You can opt out of these communications at any time by adjusting your account settings in the Portal, using the unsubscribe link in our emails, or contacting us directly. 

8) Cookies and similar tracking technologies 

We use cookies and similar tracking technologies to automatically collect information about your browsing behaviour, device type, and interaction with our Portal and services. These technologies help us remember your preferences and settings to provide a more personalised experience, analyse usage patterns to improve functionality and performance, support authentication processes, and enhance security. Where required by law, we will seek your consent before placing non-essential cookies on your device. For more detailed information, including the types of cookies we use and how to manage your preferences, please see our Cookie Policy. 

9) Data security 

We have implemented appropriate technical and organisational security measures to protect your personal information from accidental loss, unauthorised access, misuse, alteration, or disclosure. These measures include, but are not limited to, access controls, encryption, secure storage, and regular system monitoring. 

Access to your personal information is limited to employees, agents, contractors, and other third parties who have a legitimate business need to access it. They will only process your data on our instructions and are bound by confidentiality obligations. 

10) Data retention 

Personal data associated with Authorised Users will generally be retained for as long as the Corporate Customer maintains its account relationship with us and for a reasonable period thereafter, in accordance with applicable laws and regulatory requirements. 

Once our relationship with the Corporate Customer has ended, we will determine the appropriate retention period by considering factors such as the nature, sensitivity, and volume of the personal data; the potential risk of harm from unauthorised use or disclosure; the purposes for which the data is processed and whether those purposes can be achieved by other means; and applicable legal and regulatory requirements.

For example, personal information required to comply with legal obligations, such as anti-money laundering laws, will be retained for 10 (ten) years after the closure of your account. This period aligns with statutory limitation periods for legal claims. If your account is in default or the balance remains unpaid, we may retain your personal data beyond this period to pursue recovery or comply with legal obligations.   

We will securely delete or anonymise your personal data once it is no longer required, including removing it from backups where feasible. In cases where immediate deletion from backups is not possible, we will ensure the data is put beyond use and not processed further.   

11) Your legal rights 

To the extent permitted by applicable data protection laws and regulations, you have the following rights in relation to your personal information: 

  • Request access to your personal information. This enables you to receive a copy of the personal information we hold about you and to check that we are lawfully processing it. 
  • Request correction of the personal information that we hold about you. This enables you to have any incomplete or inaccurate data we hold about you corrected, though we may need to verify the accuracy of the new data you provide to us. 
  • Request erasure of your personal information in certain circumstances. This enables you to ask us to delete or remove personal information where there is no good reason for us continuing to process it.  
  • Object to processing of your personal information where we are relying on a legitimate interest (or those of a third party) as the legal basis for that particular use of your data. In some cases, we may demonstrate that we have compelling legitimate grounds to process your information which override your right to object. 
  • Request the transfer of your personal information to you or to a third party. We will provide to you, or a third party you have chosen, your personal information in a structured, commonly used, machine-readable format. 
  • Withdraw consent at any time where we are relying on consent to process your personal information. However, this will not affect the lawfulness of any processing carried out before you withdraw your consent. If you withdraw your consent, we may not be able to provide certain products or services to you. 
  • Request restriction of processing of your personal information. This enables you to ask us to suspend the processing of your personal information in one of the following scenarios: 

      ◦ If you want us to establish the data's accuracy;
      ◦ Where you believe our use of the data is unlawful but you do not want us to erase it;
      ◦ Where you need us to hold the data even if we no longer require it as you need it to establish, exercise or defend legal claims; or
      ◦ You have objected to our use of your data but we need to verify whether we have overriding legitimate grounds to use it.

If you wish to exercise any of the rights set out above, please submit your request via our online Data Subject Request Form. If you have any questions about how we process your personal information, please see the “Contact Us” section below. 

Before we respond to any rights request, we may need to verify your identity to ensure that we are dealing with the correct individual. Where you are acting on behalf of another individual, we may ask for evidence of your legal authority to do so. This is to ensure that personal information is not disclosed to anyone who is not entitled to receive it. 

Where your personal data is processed in connection with your role at a Corporate Customer, we may need to inform that Corporate Customer of your request where necessary to verify your identity or authorisation status. 

You will not be required to pay a fee to access your personal information (or to exercise any of your other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. In certain circumstances, we may refuse to comply with your request on these grounds. 

12) Complaints 

We are committed to protecting your personal data and to resolving any concerns you may have about how it is handled. If you have any questions, or if you believe that your personal data has been processed in a way that does not comply with applicable data protection laws, please contact us so that we can address the matter promptly. 

You also have the right to lodge a complaint with a supervisory authority. In the United Kingdom, this is the Information Commissioner’s Office (ICO), which can be contacted at www.ico.org.uk

13) Accuracy of Personal Information 

It is important that the personal data we hold about you is accurate and kept up to date. Please notify us promptly if your personal details change (for example, your contact information, postal address, or email address) during the course of your relationship with us. 

14) Contact us 

If you have any questions, comments or requests regarding this Privacy Policy or how we handle your personal information, please contact our Privacy Team at: clientportal@ziraatbank.co.uk