12 September 2025

Two-Minute Recap Data Protection Law Matters In Türkiye

Gen Temizer

Contributor

Gen Temizer is a leading independent Turkish law firm located in Istanbul's financial centre. The Firm has an excellent track record of handling cross-border matters for clients and covers the full bandwidth of most complex transactions and litigation with its cross-departmental, multi-disciplinary and diverse team of over 30 lawyers. The Firm is deeply rooted in the local market with over 80 years of combined experience of the name partners while providing the highest global standards of legal services.

Data Protection Authority Warns Against Disclosure of Debtors' Information to Relatives

The Turkish Data Protection Authority (“Authority”) has issued a public notice following complaints that creditor representatives were contacting the relatives of debtors and sharing details of outstanding debts. Reports indicated that personal data such as names and debt amounts were disclosed via phone calls or text messages to individuals who had no direct connection with the debt.

Under the Personal Data Protection Law No. 6698 (“PDPL”), personal data must be processed fairly, lawfully, and only for legitimate purposes.

Sharing debt information with third parties, such as relatives, without a valid legal basis or the debtor's explicit consent falls outside these principles. The PDPL also places strict obligations on data controllers to prevent unauthorized access and to ensure appropriate security measures are in place.

The Authority underlined that if personal data is processed without consent or without meeting one of the limited legal grounds provided under the PDPL, such actions could constitute a violation and trigger administrative fines of up to TRY 1,000,000. Importantly, the guidance reminds creditor representatives that their professional activities do not exempt them from compliance obligations.

The announcement concludes with a clear warning: during debt collection activities, both debtors' and unrelated third parties' personal data must be handled in line with the PDPL. Failure to do so may result in significant legal consequences.

The DPA announced the following data breach notifications in August:

| Data Controller (and sector) | Affected Data Subjects | Affected Personal Data Categories | Number of Data Subjects |
| --- | --- | --- | --- |
| Biletal İç ve Dış Ticaret A.Ş | Current customers | Identity, contact, customer transaction data | 7.800 |
| Turkish Medical Association | Employees, users, medical association members | Identity, contact, location, legal transaction, transaction security data | 107.000 |

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
