Posting Debt Lists In Residential Complexes Deemed Unlawful Under The Turkish Privacy Law

The article examines the legality of posting debt lists in apartment and residential complexes under Turkish data protection law (KVKK), in light of the Personal Data Protection Board’s 2026 principle decision. It explains that such practices go beyond administrative convenience and may constitute unlawful data processing and disclosure, particularly where personal financial information is made accessible to an indefinite group of individuals. The analysis highlights the limits imposed by principles such as proportionality and purpose limitation, addresses common misinterpretations relied upon by management bodies, and outlines the legal risks including administrative fines and compensation claims. It concludes by emphasizing the need for residential managements to adopt compliant alternatives and reassess their data processing practices within a structured legal framework.

The posting of debt lists in common areas within residential complexes is not merely a matter of “administrative convenience”; it constitutes a direct act of personal data processing and, in many cases, qualifies as a data breach. Such practices, often carried out reflexively under traditional property management habits, are in clear conflict with the principles of data security and proportionality set forth under Law No. 6698 on the Protection of Personal Data. Accordingly, the issue is not limited to expediting the collection of dues, but rather concerns whether personal data is being processed in compliance with applicable law.

As a matter of fact, the principle decision of the Personal Data Protection Board, published in the Official Gazette dated March 31, 2026, directly addresses this entrenched practice and redraws the legal boundaries concerning the posting of debt lists in common areas. This article examines the legal reasoning underlying the decision, the flawed assumptions observed in practice, and the manner in which apartment and site managements should proceed going forward, within an analytical framework.

The Invisible Conflict Between Property Management Practices and Data Protection Law

The posting of debt lists in apartment buildings and residential complexes has long been a method applied almost unquestioningly in practice. Displaying the names of individuals who have failed to pay their dues, along with their apartment numbers and outstanding amounts, at building entrances, elevators, or notice boards is often regarded by property managers as a tool for “transparency” and “collection pressure.” This approach is frequently perceived as a practical solution, particularly in large residential complexes, to ensure payment discipline.

However, from a legal standpoint, this practice is grounded in a fundamentally flawed assumption: the belief that debt-related information may be shared with the public at large.

Under personal data protection law, the critical issue is not whether the information is accurate, but rather with whom and by what means such information is shared. Information relating to an individual’s unpaid dues, delay status, or payment habits constitutes data that directly identifies the individual and reflects their financial condition. Therefore, such information clearly qualifies as “personal data” within the scope of Law No. 6698. In this context, what is carried out by the property management is not a mere announcement, but a data processing activity for a specific purpose, and in most cases, an act of unlawful disclosure.

The core problem in practice lies in the fact that this data processing activity is carried out without awareness. Property managements often fail to position themselves as “data controllers” and do not assess whether their actions fall within the scope of data protection legislation. As a result, critical questions such as which data may be shared, what limits must not be exceeded, and who may have access to such data are never properly addressed. Consequently, a legally sensitive area is managed entirely on the basis of habit and practicality.

At precisely this point, the Board’s 2026 principle decision has rendered this previously invisible conflict explicit. The decision demonstrates why traditional management practices are unsustainable in light of data protection law and clarifies a reality that has long been overlooked. Within this framework, the key issue becomes the limits imposed by the KVKK on such data processing activities and the reasons why these limits have been consistently misinterpreted in practice.

Limits of Data Processing Under the KVKK and Misinterpreted Legal Grounds

The Law on the Protection of Personal Data does not establish a system that entirely prohibits data processing; rather, it permits such processing under specific conditions. However, this permission does not grant unlimited discretion. The general principles set forth under Article 4 of the Law—particularly those of a “specific, explicit and legitimate purpose,” “being relevant, limited and proportionate to the purpose,” and “processing only as much data as necessary”—define the boundaries of lawful processing. These principles govern not only why data is processed, but also how it is processed. Accordingly, for the disclosure of information to be considered lawful, both the purpose and the method must be assessed together.

In this context, the most frequently invoked legal ground by apartment and site managements is the exception allowing data processing “for the establishment, exercise or protection of a right.” Indeed, the collection of maintenance fees constitutes a legally protectable interest, and certain data processing activities may be justified on this basis. However, the fundamental error in practice lies in the assumption that this justification confers an unlimited right to disclose such data. In reality, this exception only covers necessary and proportionate data processing activities; it does not extend to making such data publicly accessible without restriction.

The significance of this distinction lies in the substantial difference between processing data for the protection of a right and disclosing that data indiscriminately to third parties. Notifying the relevant individual of their outstanding dues, initiating enforcement proceedings, or sharing limited information within a confined group may be legally permissible. However, displaying the same information at the entrance of a building, thereby making it accessible to anyone present within or around the premises, exceeds the principle of proportionality. At that point, the data processing activity goes beyond its intended purpose and transforms into an independent risk of violation.

Another commonly misinterpreted argument in practice is the notion that “everyone already knows this information.” Under personal data protection law, however, the fact that certain information may be widely known does not render it freely shareable. The Law focuses on who processes the data, within what scope, and by which method. Therefore, apartment and site managements must reassess their existing practices not on the basis of habit, but within the framework of lawful data processing conditions and limitations. As clearly demonstrated by the Board’s decision, the issue is often not the act of processing itself, but the incorrect delineation of its boundaries.

The Board’s Approach and the Re-Definition of the Concept of “Disclosure”

The 2026 decision of the Personal Data Protection Board not only directly targets this entrenched practice within apartment and residential complex managements, but also effectively redefines the concept of “disclosure” at the level of practical application. The decision makes it clear that posting information regarding unpaid dues in common areas cannot be regarded merely as an informational activity. Such practices result in making personal data accessible to an indeterminate number of individuals, rather than limiting access to a defined group. Accordingly, the issue is not the accuracy of the content, but the lack of control over its accessibility.

A particularly notable aspect of the Board’s reasoning is the criterion of “access by an indefinite number of persons.” A debt list posted on a building notice board is not accessible solely to property owners; it is effectively open to visitors, delivery personnel, tenants, and even unrelated third parties. This transforms what might otherwise be a closed-circuit informational activity into an uncontrolled dissemination of data. For this reason, the Board evaluates such practices as a violation of data security obligations.

This approach further demonstrates that the concept of data security is not limited to technical safeguards alone. While many management bodies tend to associate data security exclusively with system-based measures, the Board’s decision clearly establishes that this obligation also encompasses organizational and procedural dimensions. The manner in which data is shared, where it is displayed, and to whom it is made accessible are just as critical as technical protections. In this respect, posting data in common areas is not merely a matter of method; it constitutes a direct breach of data security obligations.

In conclusion, the decision not only renders a long-standing practice of apartment managements legally untenable, but also clarifies the distinction between data processing and data disclosure. Failure to properly understand this distinction may result in even the most routine administrative actions giving rise to significant legal consequences. It therefore becomes essential, at the next stage, to assess the practical implications of this decision and the risks it introduces for management bodies.

Risks and Legal Compliance for Residential Complex Managements

The approach adopted by the Board is not merely a theoretical assessment for apartment and residential complex managements; it represents a clear turning point that directly alters established practices. The posting of debt lists in common areas can no longer be regarded as a “customary method,” but must instead be treated as an activity carrying a clear risk of data violation. This shift has made the responsibilities of property managers and management boards significantly more visible. In cases where data processing activities are conducted unlawfully, liability will rest directly with those individuals who have made or implemented such decisions.

At this stage, the primary risk is not limited to administrative fines. Property owners or tenants whose personal data has been disclosed may also bring claims for both pecuniary and non-pecuniary damages. In particular, the disclosure of debt-related information to third parties may adversely affect an individual’s financial reputation, thereby giving rise to broader legal consequences before the courts. In practice, many management bodies tend to underestimate this risk; however, once a complaint process is initiated, control over the situation may be rapidly lost.

Moreover, the availability of lawful alternative methods makes this risk even more critical. The monitoring and collection of maintenance fee receivables may be carried out through closed communication systems, individual notifications, secure digital platforms, or notification mechanisms directed solely at the relevant individual. Resorting to formal legal remedies for debt collection in Turkey also ensures compliance with data protection obligations while preserving the objective of recovery. Accordingly, the issue is not the sharing of information per se, but rather the method and scope of such sharing. Where an improper method is chosen, a routine administrative action may easily transform into an act giving rise to legal liability.

In conclusion, following the Board’s decision, the continuation of prior practices in their existing form is no longer legally defensible. Management bodies must restructure their data processing activities and systematically assess the question of who may access which data and to what extent. Otherwise, even seemingly minor practices may lead to significant legal sanctions. For this reason, it is of critical importance that residential complex managements structure their legal compliance from the outset, preferably with the guidance of a qualified real estate lawyer in Turkey, and manage the process with due diligence.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.