The Personal Data Protection Authority (KVKK) in Türkiye has ruled that announcements detailing residents’ debts such as maintenance fees, advances or inventory costs must not be posted in shared spaces like elevators, building entrances or corridors.
Published in the Official Gazette on March 31, the decision underscores the need for this rule due to the handling of personal data in apartment and site management processes.
Accordingly, it was stated that announcements regarding residents’ debts, including maintenance fees, advances, inventory expenses and similar obligations, and the disclosure of personal data such as residents’ names, surnames, apartment numbers, debt amounts, payment delay periods, number of overdue installments, and ownership or tenancy status, were being posted in elevators, building entrances and corridors to inform other residents.
The decision emphasized that these areas are frequently accessed by people who do not live in the building, such as delivery personnel, couriers or other unfamiliar individuals, meaning that the posted announcements, documents or lists containing personal data could be seen by unauthorized persons.
It was stated that posting lists containing personal data in common areas and exposing them to an unidentified group of people constitutes a violation of Article 12 of the Law on the Protection of Personal Data No. 6698, which requires “necessary technical and administrative measures to ensure data security.”
The decision further noted, “To ensure that such notifications are carried out in accordance with Article 12 of the Law, methods should be used in which third parties cannot access the information, such as closed email or messaging groups, or applications specifically designed for this purpose."
The decision included: "It has been concluded that the use of such applications should be immediately discontinued, that announcements, lists, or documents should be promptly removed from the common areas of collective housing, and that alternative procedures or methods that comply with Article 12 of the Law and are accessible only to the relevant individuals should be applied for notifications and information to be provided to property owners.”
The decision also stated that data controllers who fail to act in accordance with the principles outlined will be subject to administrative and criminal sanctions.
