Autors: Berfu Yalçın, Beyza Büyükağaçcı

It is analyzed that “processing of personal data by means of sending lien notification to a related person, who is a relative of the debtor, by the attorney of the bank” is legal or not in the decision[1] of Personal Data Protection Authority (hereinafter referred to as "The Authority"), which is dated 21/10/2021 and numbered 2021/1069, published on 23.05.2022.

The topic of the aforementioned decision is whether the legality of sharing the debtor’s relatives’ personal data with 3rd parties without their express consent in lien notification in accordance with the Code of Bankruptcy and Enforcement art. 89/1. 

In the review of the Authority, the Bank’s Attorney is determined as a data controller because of submitting 3rd parties in lien notification to the enforcement office. This determination is based on responsibility for defining the purpose and means of processing personal data and establishing and managing the data recording system.


In compliance with the Code art. 5/2, it is listed exceptions for processing personal data without express content. “In case of that data processing is a must for the legitimate interest of the data controller conditionally necessity for the establishment, use or protection of a right, and not to impair related person’s fundamental rights and freedoms” is considered within this scope.

Lien notification is defined in The Code of Bankruptcy and Enforcement art. 89. Accordingly, The Authority mentioned that when the Bank’s attorney who is the data controller sends 89/1 lien notification to relatives of the Debtors on behalf of the bank, he/she acts for the Bank’s rights and benefits. Therefore, he/she is entitled to inform relevant departments in order to fulfill the obligations arising from the Attorney Law, the Bankruptcy and Enforcement Law or secondary legislations. Finally, it is stated that the data controller can process them without express consent and there is no action to be taken about the Attorney within the scope of the Law.          



It is decided by the Authority that it is not necessary to get one’s consent expressly when the Bank’s Attorney who is the data controller exercises rights and power arising from the Law in order to protect his client’s rights and benefits, and the aforementioned activity about data process is not illegal.