Principle Decision of the Personal Data Protection Board on the Disclosure of Debt Information Containing Personal Data in Common Areas of Multi-Unit Buildings Published

The “Principle Decision on the Posting of Debt Information of Apartment/Site Residents in Common Areas” (Principle Decision), dated 18 February 2026 and numbered 2026/348, issued by the Personal Data Protection Board (Board), was published in the Official Gazette dated 31 March 2026 and numbered 33210.

The Principle Decision evaluates, from the perspective of personal data protection law, the practice of announcing information regarding dues, advances and similar debts within apartment and site management processes in common areas, and sets forth the principles to be followed in this regard.

The key points are summarized below:

• It is considered that posting lists containing personal data such as name, surname, apartment number and debt amount of apartment/site residents in common areas such as elevators, building entrances and corridors constitutes unlawful data processing.
• The Decision emphasizes that such postings may be viewed by guests, delivery personnel, couriers and other third parties, thereby creating a risk of unauthorized access to personal data.
• The Board states that informing individuals about debt information is not entirely prohibited; however, such notifications must be carried out in compliance with the general principles set forth under the Law No. 6698 on the Protection of Personal Data, particularly the principle of proportionality and data security obligations.
• In this context, it is indicated that notifications should be made via closed email groups, restricted-access messaging groups or digital systems accessible only to the relevant individuals.
• The Board clearly sets out that existing practices must be terminated without delay, announcements and lists containing personal data in common areas must be removed, and alternative methods ensuring data security must be adopted going forward.
• The Decision also reminds that non-compliance with these obligations may be considered a breach of data security obligations and may result in administrative sanctions.