Insights: IP and data protection for fintech companies in Turkey

Intellectual property rights and data protection

The Turkish jurisdiction does not grant patent protection to software-implemented inventions and business methods. Copyright protection is the method that can be used to protect ownership rights over software. Copyright protection is a natural protection offered to the creator from the moment the property is offered or made available to the public. There is no application similar to a patent application required by a licensee.

In principle, according to Act No. 6769, unless otherwise agreed in separate contracts entered into between employer and employee, or unless the nature of the work dictates otherwise, the rights to any design created by employees in line with their job descriptions and obligations under the employment contract, or due to the experience and operation of the business organisation, belong to the employer. For an invention to qualify as an “employee service invention”, it must be realized during the employment relationship. The employee is obliged to report the invention to the employer in writing without delay.

There are two distinct regulations regarding the duty of confidentiality: Act No. 5411 regulates the confidentiality of banking and financial information, and the Personal Data Act (Act No. 6698) prohibits or places restrictions on the disclosure, processing and transfer of personal data, which will also include client information.

The Regulation on Payment Services and Issuance of Electronic Money and Payment Service Providers includes the term “sensitive customer data” and defines it as personal data and customer security information used to issue payment orders or verify the identity of the customer, which, if captured or altered by third parties, may allow fraud or fraudulent transactions on behalf of the customer. In this context, fintech companies are obliged to take the necessary measures for the protection of secrets and personal data, especially sensitive customer data and data belonging to themselves, when procuring external services.

In addition, with Law No. 6493 on Payment and Securities Settlement Systems, Payment Services and Electronic Money Institutions, the CBRT is authorized to determine all procedures and principles regarding the service of presenting consolidated information about one or more payment accounts to the payment service user with payment service providers on online platforms, provided that the payment service user’s approval is obtained and the payment order initiation service is offered for the payment account in another payment service provider at the request of the payment service user.

The regulation for the publication of confidential information was published in the Official Gazette dated 4 June 2021. The regulation, which also refers to Act No. 6493, aims to determine the scope, procedures and principles for the sharing and transfer of confidential bank and customer data. Furthermore, Article 73 of Act No. 5411 regulates the duty of confidentiality, its exceptions and the definition of confidential customer data.

The guideline for good practice on the protection of personal data in the banking sector (Guideline for good practice) was published on 5 August 2022 by the Norwegian Data Protection Authority. The purpose of the Guideline for good practice is to guide the banks responsible for processing their personal data in accordance with the legislation and to set good examples within these frameworks. Cases including data processing agreements to be entered into between the data controller and the data processor, support services, affiliated companies and subsidiaries, open banking and situations where the banks act as agents have been evaluated in the context of the data processor relationship.

The guideline for the use of cookies was published by the Norwegian Privacy Board in June 2022. This guideline includes topics such as the definition of cookies and the type of cookies in general, the relationship between the Electronic Communications Act No. 5809 (ECL) and the PDPL, rules to be considered when using cookies, and cookies that require or do not require the granting of explicit consent.

In addition, according to the Regulation on Banks’ Information Systems and Electronic Banking Services, banks may use cloud computing systems as an external service, provided that these systems are maintained in Turkey in accordance with the provisions of the Regulation. According to the Communiqué on the Management and Supervision of Information Systems for Payment Institutions and Electronic Money Institutions, payment institutions and electronic money institutions must have their primary and secondary systems located in Turkey, and cloud computing must be within the scope of these systems. Guidelines for external service providers offering cloud services to payment and e-money institutions were published by the CBRT in July 2022 and set additional qualification requirements for external service providers wishing to offer services.

According to the regulation on the independent audit of information systems and business processes, published in the Official Gazette dated 31 January 2022, the audit of the information systems and business processes of institutions under the supervision and control of the BRSA shall be carried out by independent audit companies.