Clarification Text on Personal Data Processing

Published on Dec 1, 2023Updated on May 7, 202414 min read

Last updated: 18.02.2024

Our company, OKX Teknoloji Anonim Şirketi ("Company" or "OKX TR"), in the capacity of the "Data Controller", pursuant to the Personal Data Protection Law No. 6698 ("PDPL") published in the Official Gazette numbered 29677 on 07.04.2016, may process your personal data within the limits and for the instances determined under the PDPL. We, as the Company, would like to inform and enlighten you about our personal data processing activities in line with Article 10 of the PDPL.

In accordance with the PDPL as OKX TR acting in the capacity of a data controller, we may process, record, store, classify, update your personal data in a lawful and fair manner, ensuring they are accurate and up-to-date, related to, limited and measured for the purposes explained below. Furthermore, in cases permitted by the law and/or limited to the purposes they are processed, we may disclose/transfer your personal data to third parties.

The term "processing" refers to any operation performed on data, including but not limited to those regulated in the PDPL, such as obtaining, recording, storing, preserving, changing, reorganizing, disclosing, transferring, taking over, making available, classifying or preventing the use of personal data, wholly or partially automatic or, provided that it is a part of any data recording system, in non-automatic ways. Your personal data may be processed by personnel authorized within the Company.

1. Processed Personal Data

The data we process consists of the following main categories:

  • Identity Data: Includes name, surname, date and place of birth, nationality, type and serial number of the identity card, identity number, signature sample, for Turkish citizens additionally mother's and father's name and T.C. identification number, and other identification information.

  • Contact Data: Includes mobile phone number, email address, and postal address.

  • Location Data: Includes location information.

  • Legal Transaction Data: Includes information in the case file and correspondence with judicial authorities.

  • Customer Transaction Data: Includes the date, type, amount, method, and type of transactions, the method in which the transaction was made, and records of conversations with customer services.

  • Transaction Security Data: Includes the type of your device, its identity, tracking information related to its usage, IP address, information obtained from WLAN, transaction history, access date and time, browser type and version.

  • Financial Data: Includes cryptocurrency balance, wallet number, address, account information, bank account information, movements, balance information, income status, and bank account details.

  • Professional Information Data: Includes professional information like employment status and occupation.

  • Marketing Data: Includes your marketing information.

  • Visual Data: Includes identification card, identity card, driver's license, passport, residence permit, photographs, video data within the scope of video calls and any type of visual data included on the identity card considered proper by the Ministry for non-Turkish citizens.

  • Biometric Data: Includes selfie images and biometric photos included in official identification cards processed by the facial recognition system.

  • Other: Transaction volume/amount information, profile photo if uploaded on the platform incase of creation of a profile

2. Purpose of Processing

Processed Personal Data The Purpose of Processing Legal Reason
Identity Data
Contact Data
Location Data
Legal transaction Data
Customer Transaction Data
Transaction Security Data
Finance Data
Professional Information Data
Visual Data
  • Execution of customer account opening processes,
  • verification of customer identity,
  • monitoring and confirmation of transactions performed by the customer,
  • conducting activities in compliance with regulations, all legal and administrative measures,
  • fulfilling retention and reporting obligations,
  • Detection, monitoring, and prevention of suspicious transactions,
  • Identification and profiling of customers engaging in suspicious transactions, reporting of suspicious transactions to the Financial Crimes Investigation Board (“MASAK”),
  • Provision of information requested by prosecutors, law enforcement officers, courts regarding customers, preparation of the supporting documents regarding the work and transactions to be performed,
  • Performing request procedures.
PDPL Art. 5/2 a:
“Being expressly stipulated in the law”
Identity Data
Contact Data
Customer Transaction Data
Visual Data
  • Execution and evaluation of customer account opening procedures,
  • Informing customers via SMS and email about transactions within the scope of our services,
  • Monitoring and confirmation of transactions performed by the customer,
  • Upgrading the account level of the customer,
  • Monitoring of assets in customers' cryptocurrency virtual wallet addresses,
  • Ensuring the security of customer accounts, preventing unauthorized access to customer accounts,
  • Provision of services by our Company,
  • Execution of the operation processes, invoicing process,
  • Execution of contract processes,
  • Provision of customer support services, receipt, following up and resolution of complaints and requests,
  • Preparation of supporting documents for intended tasks and transactions.
PDPL Art. 5/2 c:
“Provided that it is directly related to the establishment or performance of a contract, it is necessary to process the personal data of the parties to the contract”
Transaction Security Data
  • Execution of operation process, execution of customer support services,
  • Storage and archiving activities, ensuring the security of customer accounts,
  • Preparation of supporting documents for intended tasks and transactions.
Finance Data
  • Execution of financial and accounting tasks,
  • Monitoring of assets in customers' cryptocurrency virtual wallet addresses,
  • Preparation of supporting documents for intended tasks and transactions,
  • Execution of contract processes,
  • Arrangement and modification of the customer's account
  • Information, upgrading of customer's account level.
Identity Data
Contact Data
Location Data
Legal Transaction Data
Customer Transaction Data
Transaction Security Data
Finance Data
Professional Information
Visual Data
  • Ensuring customer account security and system security,
  • Following-up and execution of litigation matters and other legal proceedings,
  • Execution of storage and archiving activities,
  • Execution of financial and accounting tasks
  • Notifying the competent authorities to detect and prevent violations of the membership agreement and the law, ensuring that requests or decisions from the competent authorities are fulfilled, conducting audit activities
  • Performing request procedures.
PDPL Art. 5/2 f:
“Processing of data is necessary for the legitimate interests pursued by the data controller, provided that this processing shall not violate the fundamental rights and freedoms of the data subject”
Identity Data
Contact Data
Location Data
Customer Transaction Data
Transaction Security Data
Financial Data
Professional Information Data
  • Ensuring customer account security and system security,
  • Ensuring the security of our products and services,
  • Monitoring of assets in customers' cryptocurrency virtual wallet addresses,
  • Ensuring accessibility of our products and services across all operating systems,
  • Verification of customer identity, monitoring and confirmation of transactions performed by the customer,
  • Measuring system performance for service improvement, conducting modelling, reporting, scoring, risk monitoring, and intelligence activities,
  • Conducting efforts for identifying potential customers,
  • Conducting audit activities.
PDPL Art. 5/2 f:
“Processing of data is necessary for the legitimate interests pursued by the data controller, provided that this processing shall not violate the fundamental rights and freedoms of the data subject”
Marketing Data
  • Improvement of the services of our Company,
  • Conducting efforts for identifying potential customers,
  • Customizing the products and services offered by the company according to the preferences, usage habits, and needs of relevant individuals,
  • Providing recommendations to these individuals, send commercial electronic communication, if necessary.
PDPL Art. 5/1:
Explicit consent
Identity Data
Contact data
  • Execution of marketing processes related to the services provided by the Company and management of advertising/campaign/promotion processes, to send commercial electronic communication if necessary.
Biometric Data
  • Upgrading the account level of the customer,
  • Confirming the customer performing the transaction,
  • Performing the account opening/approval procedures,
  • Provision of services by our Company,
  • Execution of our Company’s operation processes,
  • Performing request procedures
PDPL Art. 5/1:
Explicit consent
Other: Transaction volume/amountinformation, and profilephoto if uploaded on the platform in case of creation of a profile
  • Performing influencer/affiliate collaboration processes
  • Performing marketing processes
  • Performing processes related to the Affiliate program
PDPL Art. 5/1:
Explicit consent

3. Transfer of Your Personal Data

Your personal data processed for the purposes described above may be transferred to, shared with and/or given access to business partners, consultants, authorized courts and/or institutions and public institutions and organizations within the scope of audit, risk management and consultancy services in Türkiye in accordance with the basic principles stipulated in the PDPL and within the personal data processing conditions and purposes specified in Articles 8 and 9 of the PDPL. In addition, your data may be transferred directly or indirectly by OKX TR to any third party, authorized institutions and organizations from which consultancy, support or other services are received within the framework of certain personal data processing conditions and purposes.

  • Identity, contact, location, legal transaction, customer transaction, transaction security, financial, professional information, and visual data may be shared with public legal entities and authorities, such as MASAK, prosecution offices, courts, and any other public legal entities and authorities that have the authority to obtain personal data within the scope of regulations, for the purposes of conducting activities in compliance with regulations, all legal and administrative measures, fulfilling reporting obligations within this scope, making suspicious transaction notifications, conducting risk management processes, based on the legal basis of Article 5/2(a) of the PDPL, “being expressly stipulated in the law”

  • Personal data including identity, contact, customer transactions, transaction security, finance, and visual data may be shared with any third parties and external service providers from whom legal, tax, or other consultancy, support, or other services are obtained, in the field of law, taxation or any other field, for the purposes of ensuring customer account security and system security, following-up and execution of litigation matters and other legal proceedings, conducting storage and archival activities, execution of financial and accounting tasks, and conducting customer relationship processes, based on the legal basis of Article 5/2(f) of the PDPL: “Processing of data is necessary for the legitimate interests pursued by the data controller, provided that this processing shall not violate the fundamental rights and freedoms of the data subject.

  • Identity, contact, finance, transaction security, and visual data may be shared with business partners, cooperating institutions, banks, and funds, as well as other real and legal persons who are parties to contracts with the Company, for the purposes of ensuring customer account security and system security, execution of financial and accounting tasks, management of service and operational processes, and conducting audit activities, based on the legal basis of Article 5/2(ç) of the PDPL: “it is mandatory for the data controller to fulfil its legal obligations.”

  • In relation to the commercial electronic messages that will be sent to you based on your explicit consent, the Company is obliged to register your contact information with the national Commercial Electronic Message Management System (IYS) established by the Ministry of Commerce of the Republic of Türkiyein accordance with relevant legislation. In order to fulfil our legal obligation arising from the law, without the requirement of explicit consent, based on the legal basis of Article 5/2(ç) of the PDPL, “it is mandatory for the data controller to fulfil its legal obligations,” your contact data will be registered with the Commercial Electronic Message Management System (IYS) and may be shared with the Ministry of Commerce of the Republic of Türkiye and the Union of Chambers and Commodity Exchanges of Türkiye.

  • Identity, contact, location, customer transaction, transaction security, finance, professional information, customer account security, and system security data may be shared with business partners, cooperating institutions, banks, and funds, as well as other real and legal persons who are parties to contracts with the Company, for the purposes of monitoring of assets in customers' cryptocurrency virtual wallet addresses. ensuring the security of our products and services, accessibility of our products and services across all operating systems, monitoring and confirmation of transactions performed by the customer, measurement of system performance for service improvement, conducting modelling, reporting, scoring, risk monitoring, and intelligence activities, conducting efforts for identifying potential customers, and conducting audit activities, based on the legal basis of Article 5/2(f) of the PDPL: “Data processing is mandatory for the legitimate interests of the data controller.”

  • Other: data relating to transaction volume/amount information, profile photo if uploaded on the platform in case of creation of a profile may be shared with affiliates that we cooperate with and who are referring you, for the purposes of performing influencer/affiliate cooperation processes, marketing processes, and processes related to the affiliate program based on your explicit consent.

4. Transfer of Your Personal Data Abroad

  • Identity, contact, location, legal transaction, customer transaction, transaction security, financial information, professional information, marketing, visual, and biometric data and other data (transaction volume/amount information, profile photo if uploaded on the platform in case of creation of a profile) are transferred abroad to the affiliates of OKX TR located abroad or its group companies for the purpose of providing services, performing operational processes, influencer/affiliate cooperation processes, marketing processes and processes related to affiliate program based on your explicit consent.

  • Identity, contact, location, legal transaction, customer transaction, transaction security, financial information, professional information, marketing, visual, biometric and other data (transaction volume/amount information, profile photo if uploaded on the platform in case of creation of a profile) are transferred abroad to the contracted third parties and other external service providers from which services are received, due to the fact that the infrastructure and databases of cloud systems, e-mail softwares and other information technology systems are located abroad, for the purpose of, performing request procedures and storing your data securely based on your explicit consent.

  • Identity and biometric data are transferred to affiliates of OKX TR located abroad or its group companies in order to receive support services for the execution of Know Your Customer (KYC), Know Your Business (KYB), Customer Due Diligence (CDD)-Enhanced Due Diligence (EDD) and Transaction Monitoring (TM) processes and research on suspicious transactions as well as any research and/or evaluation to be made as per the Regulation on Measures For Prevention of Laundering Proceeds of Crime And Financing of Terrorism, relevant guidelines of MASAK and/or the applicable legislation.

  • Given that crypto custody services are provided by service providers located abroad, data regarding your crypto asset wallet address will be transferred to such service providers located abroad based on your explicit consent.

We collect and process your data through our website and mobile applications, conversations conducted with our call centre or through third-party service providers we use, electronic means such as SMS or e-mail, in verbal, written, or electronic format, using fully or partially automated methods, relying on the legal reasons specified for processing and transfer in Sections 2 and 3.

6. Your Rights Under Article 11 of the PDPL

You may submit your written requests as personal data owners to exercise the rights related to your personal data, along with documents identifying your identity, and your written petition containing your explanations related to the right you wish to exercise, directly or via registered mail to our company's address at Esentepe Mah. Büyükdere Cad. Ferko Signature Blok No: 175 İç Kapı No: 12 Şişli/İstanbul or to destek@turkiye.okx.com

Upon receipt, your request will be evaluated by OKX TR and concluded within a maximum of 30 (thirty) days in accordance with the provisions of the PDPL.

We inform you, as the "Data Controller" within the scope of PDPL, that subject to the exceptions stipulated in Article 28 of PDPL titled "Exceptions", you have the right to apply to our Company and;

  • Learn whether your personal data is processed,

  • Request information regarding your personal data if it has been processed,

  • Learn the purpose of processing your personal data and whether it is used appropriately for its purpose;

  • Know who the third parties are, both domestically and abroad, to whom your data is transferred; request to be informed about the operations performed by these third parties;

  • Request the correction of your personal data in case it has been processed incompletely or inaccurately,

  • Request deletion or destruction of your data when the reasons necessitating its processing no longer exist;

  • Request notification of the processes carried out to third parties to whom your personal data has been transferred,

  • Object to the emergence of a result against you by means of analysis of your personal data exclusively through automated systems,

  • Demand compensation for the damages in case you incur damages due to the processing of your personal data against the law.

Within the scope of your right to obtain information as stated above, you may access information and the OKX Teknoloji Anonim Şirketi Data Owner Application Form at tr.okx.com.

Trade Name: OKX Teknoloji Anonim Şirketi

Address: Esentepe Mah. Büyükdere Cad. Ferko Signature Blok No: 175 İç Kapı No: 12 Şişli/İstanbul

Mersis No: 0638-0685-9810-0001