The Principle Decision on the Posting of Debt Information of Apartment/Site Residents in Common Areas (“Principle Decision”), issued by the Turkish Personal Data Protection Authority (“Authority”), was published in the Official Gazette dated 31 March 2026 and includes significant assessments regarding the protection of personal data.
The Principle Decision emphasizes that the disclosure of information relating to dues, debts, and similar financial obligations by apartment and site managements in common areas such as notice boards, elevators, or other shared spaces may result in the unlawful processing of personal data of the relevant individuals.
The Authority stated that such practices must be evaluated within the scope of the Law No. 6698 on the Protection of Personal Data (“Law”) and highlighted the following key considerations:
- Dues and debt information constitute personal data, as they relate to identified or identifiable natural persons.
- The publication of such data in common areas is incompatible with the principles of data security and confidentiality.
- The processing of personal data requires the existence of at least one of the legal bases set out under Article 5 of the Law; otherwise, such processing will be deemed unlawful.
- The public disclosure of financial data such as debt information in a manner accessible to everyone may violate the principles of proportionality and purpose limitation.
The Principle Decision further notes that apartment and site managements should prefer less intrusive methods in debt collection processes. In this regard, the following alternatives are recommended:
- Providing individual notifications to the relevant persons,
- Informing individuals through digital management systems or secure platforms,
- Using communication methods accessible only to authorized persons.
Through this Principle Decision, the Authority clearly establishes that the common practice of publicly displaying debt lists is not compliant with the law and reminds data controllers of their significant obligations.
In this context, apartment and site managements, acting as data controllers, must comply in particular with the general principles set forth under Article 4 of the Law and the data security obligations under Article 12. Otherwise, administrative sanctions may be imposed pursuant to Article 18 of the Law.
You may access the full text of the relevant public announcement and the Principle Decision via the link below:
For detailed information and professional support during the compliance process, feel free to contact us.
This Legal Alert has been prepared for general information purposes only on current legal issues, and the evaluations contained in this Legal Alert do not constitute legal advice or a legal opinion. It is not possible to impose any liability on SRP-Legal Law Office due to the content of this Legal Alert. It is recommended to obtain the opinion of a legal advisor regarding your questions and enquires within the scope of this Legal Alert.
