KVKK Compliance for Residential Site and Apartment Management in Türkiye

Short answer: Residential site and apartment managements in Türkiye long struggled with a basic question — who is the “data controller”? Türkiye’s Personal Data Protection Board (KVKK) opened up its framework with its decision 2020/560 of 22 July 2020, and with principle decision 2026/348 — published in the Official Gazette on 31 March 2026 — it expressly ruled one of the most common field violations unlawful: posting dues/debt lists in common areas. Drawing on compliance work across sites of varying scale, this article sets out what managements need to watch.

A site management is, in fact, a dense data machine

An apartment — and especially a large gated community — looks simple from outside but is an intensive personal-data hub: security cameras (entries, parking, social areas), resident lists and contact details, dues and debt records, visitor and courier logs, access records for amenities (pool, gym), card- or plate-recognition gates, and visitor flows that mingle in blocks shared with businesses. Each is a separate friction and risk surface.

That multiplicity turns compliance from a “write a policy once and shelve it” task into an ongoing governance discipline: the more collection points, the larger the error and breach surface.

The structural problem: “management” is not, in practice, a legal entity

This was the biggest early-years friction. Under the Condominium Ownership Law (No. 634), an apartment or site management is not a legal person in its own right; it operates through the assembly of unit owners and the manager or board it elects. So who is the “data controller” the law looks for — the unit owners, the manager, or the professional facility-management company that steps in?

This ambiguity blurred every step, from VERBİS registration and the duty to inform, to retention periods and breach notification — and the sense that “responsibility sits with no one” weakened accountability.

2020/560: the Board opened up its framework

In its decision 2020/560 of 22 July 2020, the Personal Data Protection Board assessed the position of site managements within the framework of Law No. 6698 (KVKK) and Law No. 634 (Condominium Ownership) and shared that assessment publicly (KVKK 2020/560).

That step at least gave direction on “who is responsible, in what capacity, with what obligations,” marking the turning point where the topic moved from de facto ambiguity toward clarity — and where managements could no longer ignore their controller status and the duties that come with it.

2026/348: the debtor-list era is over

Principle decision 2026/348, dated 18 February 2026 and published in the Official Gazette on 31 March 2026 (Official Gazette, 31 March 2026), squarely targeted the violation I encountered most often in the field: posting dues or debt information in common areas — lifts, building entrances, corridors — or in WhatsApp groups, on noticeboards and digital screens.

Under the decision, a resident’s name, apartment number, debt amount and payment status are personal data; displaying them in shared spaces — “collection by disclosure” — is unlawful. Debt notices must be delivered through individual channels: personalised email or SMS, a direct message via a messaging app, or management-specific closed software. Lists already on the wall must be removed without delay, or administrative fines and compensation claims become a real risk.

From the field: what I have seen

I previously spoke on this at the 1st International Facility Management Summit organised by the Turkish Urban Facility Management Association (TRKTYD), and have run compliance programs at sites from mid-sized to very large. Each visit revealed a different picture: cameras positioned to overlook amenity or changing areas; every resident’s ID and phone number kept in an open spreadsheet at the security booth; data inherited from a previous manager retained for years without deletion; a visitor logbook sitting open on a desk for anyone to read.

Some were minor lapses, some serious breaches. Most stemmed not from bad intent but from “this is how it has always been done” — which is precisely why, with the right setup, they are preventable.

What to do in practice: a compliance map

The headline items for managements: (1) Pin down the data controller — define, in a written agreement, the position of the management/owners’ assembly and, where a professional facility company is involved, whether it is a processor or a separate/joint controller. (2) VERBİS — assess the registration duty if thresholds are met. (3) Notices — to residents, staff, visitors and couriers; plus a separate camera notice and placement that avoids private areas. (4) Dues/debt collection — no lists in common areas; individual notification channels; pursue genuine debt through counsel or enforcement. (5) Cameras — purpose limitation, reasonable retention, restricted access, a procedure for footage requests. (6) Visitor/courier/access logs — minimum data, never left in the open, time-limited deletion. (7) Retention and disposal policy plus a handover protocol from the prior management. (8) Processor agreements with the facility company, software vendor and security firm. (9) A breach-response plan.

The Vircon take

2026/348 is no surprise; it crystallises a direction signalled since 2020. The real point lies beyond the “don’t post lists” headline: it forces managements to accept their controller identity and an ongoing compliance discipline. The good news is that the fix is not a big budget but the right design — clear role definition, individual collection channels, and proportionality in cameras and access logs. Done well, it sharply reduces both administrative-penalty exposure and resident complaints.

Recent development: the KVKK Board’s 8 June 2026 announcement on apartment CCTV

On 8 June 2026 the Turkish Data Protection Board issued a public announcement — prompted by a wave of complaints about unlawfully installed cameras in apartment buildings — clarifying how residential site and apartment managements may use security cameras. The Board confirms that capturing footage is plainly personal-data processing: cameras may be installed in common areas for legitimate purposes (protecting common areas, ensuring safety, safeguarding owners’ interests), but the processing must comply both with Law No. 6698 (Article 4 general principles, Article 5 lawful bases, Article 12 security measures) and with Condominium Law No. 634 (common areas, decisions of the owners’ assembly, the manager’s agent-like responsibility).

The Board’s key points:

• Placement and privacy: respect residents’ reasonable expectation of privacy; do not place cameras in stairwells or facing apartment doors where the interior becomes visible when the door opens.
• Proportionality: only features connected to the purpose; avoid facial recognition and audio recording; prefer a narrow angle and mask unnecessary areas.
• Lifts: although a common area, a lift is a confined, unavoidable space that creates intense surveillance; if a camera is installed, the justification must be stated explicitly.
• Retention and deletion: keep footage for a reasonable period and destroy it once the purpose ends; in an incident, retain only the relevant footage for the duration of the legal process.
• Access and sharing: only authorised persons may access footage; no unauthorised sharing with third parties.
• Notice: under Article 10, inform people that the area is being recorded (signage).
• Technical and organisational measures: the management, as data controller, must meet its Article 12 obligations.

The Board reminded that, where non-compliance is found, it may act under Article 18 of Law No. 6698, including imposing an administrative fine. In short, the announcement operationalises, for apartment and site cameras, the very principles set out in this article: CCTV is legitimate but conditional — correct placement, proportionality, notice, limited retention and strict access control are essential.

This article is for general information only and does not constitute legal advice. We recommend obtaining professional support for your specific situation.