Principle Decision of the Turkish DPA on the Disclosure of Residents’ Debt Information in Common Areas

The Turkish Data Protection Authority (“Board”) has issued a Principle Decision dated 18 February 2026 and numbered 2026/348 (“Decision”), addressing a commonly encountered practice in residential complexes. The Decision evaluates the lawfulness, under the Law No. 6698 on the Protection of Personal Data (“Law”), of displaying residents’ debt information such as maintenance fees and advance payments in common areas including entrances, elevators and notice boards.

Within the scope of its assessment, the Board determined that information such as name, surname, apartment number and debt details constitute personal data, and that displaying such information in common areas amounts to disclosure of personal data to third parties.

Following its evaluation, the Board emphasized the following key points:

• Personal data processing must comply with the general principles set out under Article 4 of the Law. In this context, announcing debt-related information in a manner accessible to all residents may violate the principle of being “relevant, limited and proportionate to the purpose”.
• Such processing activities generally do not rely on a valid legal basis under Article 5 of the Law. In the absence of explicit consent or a clear legal obligation, these practices may constitute unlawful data processing.
• Although the Condominium Law No. 634 imposes certain obligations on property owners regarding common expenses, this does not justify the disclosure of personal data to other residents or third parties.
• Making such lists publicly available in common areas, thereby enabling access by unauthorized individuals, may result in a breach of data security obligations under Article 12 of the Law.

In light of the above, the Board concluded that such practices must be immediately ceased, that all posted lists should be removed, and that any communication regarding debt information should be carried out through alternative methods accessible only to the relevant individuals.

Accordingly, it is important for apartment and site managements to review their current practices and ensure compliance with data minimisation and data security principles under the Law.