KVKK Principle Decision on Posting Residents' Debt Information in Common Areas of Apartment and Residential Sites

With its Principle Decision dated February 18, 2026 and numbered 2026/348, the Turkish Personal Data Protection Board ("Board") has made significant assessments regarding a practice frequently encountered in apartment and residential site managements. The relevant Principle Decision was published in the Official Gazette dated March 31, 2026 and numbered 33210.

In the Decision, it is stated that the processing of personal data through posting lists containing personal data such as name-surname, apartment number, amount of debt, and delay information related to dues, advances, and similar receivables in common areas such as elevators, building entrances, and corridors does not constitute a disclosure limited to a specific and identifiable group of recipients, but may instead lead to disclosure to an indefinite number of third parties. In this context, it has been emphasized that such practice cannot rely on any of the legal grounds for processing set forth under Article 5 of The Law numbered 6698 on the Protection of Personal Data and that making personal data accessible to unauthorized persons constitutes a breach of the obligation to implement adequate technical and administrative measures for data security under Article 12 of the Law.

While the Board acknowledges that informing condominium owners is permissible, it underlines that such processing activities must be carried out in compliance with the general principles set forth under Article 4 of the Law, particularly the principles of purpose limitation, proportionality, and data minimization. Accordingly, it is clearly established that such notifications must be conducted through methods that ensure access is limited only to the relevant individuals.

The Decision demonstrates that commonly used open announcement practices are no longer sustainable and requires apartment and residential site managements to carry out personal data-related notifications through more controlled and secure communication channels. Continuation of such unlawful practices may result in administrative sanctions against data controllers pursuant to Article 18 of Law No. 6698.

In this respect, the Decision particularly highlights the following points in practice:

• Announcements made by posting debt-related personal data in common areas are not compliant with the law,
• Such disclosures are not limited to a specific audience and may result in unlawful disclosure to third parties,
• These practices do not rely on a valid legal basis under Article 5 of the Law,
• Making personal data accessible to unauthorized persons constitutes a violation of data security obligations under Article 12 of the Law,
• Informing condominium owners is permissible; however, such processing must be carried out in a limited and proportionate manner in line with the general principles of the Law,
• Controlled and restricted communication methods that limit access only to relevant individuals must be preferred

On the other hand, although not explicitly addressed in the Principle Decision, if such notification processes are carried out through platforms based abroad, cross-border data transfers may arise. In such cases, data controllers will be required to establish appropriate transfer mechanisms under Article 9 of Law No. 6698, including the execution of standard contractual clauses, ensuring compliance with transfer conditions, and implementing additional technical and administrative safeguards.

In conclusion, the Principle Decision confirms that while the obligation of transparency in apartment and residential site managements continues, the methods used to fulfill this obligation must be brought into compliance with the Turkish Data Protection Law.

You may access the full text of the Principle Decision here (In Turkish), and the public announcement published by the Turkish Data Protection Authority here (In Turkish).