Personal Data Protection in Turkish Real Estate and Property Transactions

Introduction

Personal data protection in Turkish real estate and property transactions is an increasingly important legal issue for real estate agencies, property developers, construction companies, landlords, tenants, buyers, sellers, property management companies, valuation experts, banks, mortgage providers, lawyers, notaries, online listing platforms, and foreign investors. Real estate transactions involve some of the most sensitive and valuable personal data in commercial life: identity documents, title deed information, addresses, family details, financial capacity, bank account information, tax numbers, citizenship status, marital status, power of attorney documents, property ownership records, payment documents, valuation reports, and sometimes residence permit or citizenship-by-investment documents.

Turkey’s main data protection legislation is Law No. 6698 on the Protection of Personal Data, commonly known as KVKK. KVKK applies to personal data processed wholly or partly by automated means or by non-automated means forming part of a data filing system. It defines personal data broadly as any information relating to an identified or identifiable natural person and imposes obligations on data controllers and processors. The law requires personal data to be processed lawfully, fairly, for specified and legitimate purposes, in a limited and proportionate manner, and only for the period required by law or the processing purpose.

In real estate practice, KVKK compliance is not limited to adding a short privacy clause to a sale or lease contract. A compliant structure requires identifying who processes the data, why the data is collected, which legal basis applies, whether the data is transferred to third parties, whether electronic listing systems are used, how long documents are retained, whether copies of identity and title deed documents are necessary, whether foreign buyers’ data is transferred abroad, and how data subjects may exercise their rights.

Why Real Estate Transactions Involve High-Risk Personal Data

Real estate transactions reveal important details about a person’s private, financial, and family life. A title deed record may show ownership of valuable assets. A lease file may show where a person lives. A mortgage application may show income, debt, employment, and credit history. A power of attorney may reveal legal representation and transaction authority. A property valuation file may contain photographs, address details, market value, and investment information. A foreign investor file may include passport copies, tax numbers, bank transfers, residence permit documents, family records, and citizenship application documents.

This type of data can cause serious harm if misused. Unauthorized disclosure may lead to fraud, identity theft, stalking, financial manipulation, fake listings, unlawful property transfers, targeted scams, family disputes, or commercial exploitation. Real estate businesses therefore need a stronger privacy culture than ordinary marketing businesses because property data is directly connected to wealth, address, ownership, and legal rights.

Main Actors in Real Estate Data Processing

Many actors may process personal data in a Turkish property transaction. These include the property owner, buyer, tenant, landlord, real estate agent, property developer, construction company, title deed office, notary, lawyer, bank, mortgage provider, valuation company, municipality, tax office, online listing platform, property management company, insurance company, translator, sworn interpreter, and foreign consulate or public authority in cross-border files.

The role of each actor must be assessed separately. A real estate agency may act as a data controller for its own customer records, marketing activities, property showings, listing files, and brokerage agreements. A property developer may act as a controller for buyer files, sale contracts, payment records, construction delivery documents, and after-sale services. A lawyer may process data under professional obligations and legal representation. A bank acts as a controller for loan and payment processing. A listing platform may act as a controller for user accounts, identity verification, listing publication, cookies, and platform security.

This role analysis matters because the data controller is responsible for determining purposes and means of processing, providing privacy notices, ensuring legal bases, protecting data, responding to data subject requests, and managing transfers under KVKK.

Personal Data Commonly Processed in Real Estate Transactions

Real estate transactions may involve identity data such as name, surname, Turkish identity number, passport number, nationality, date of birth, marital status, signature, tax number, and copies of official documents. Contact data may include phone number, email address, residential address, workplace address, registered notification address, and emergency contact details.

Property-related data may include title deed information, independent section number, block and parcel details, property address, ownership share, encumbrances, mortgages, annotations, easements, zoning status, municipal value, appraisal reports, building permits, condominium records, and occupancy documents. Financial data may include sale price, deposit amount, rent amount, bank account details, payment receipts, loan documents, tax payments, income documents, and credit assessment records.

Transaction files may also include power of attorney documents, marital consent documents, inheritance certificates, company authorization documents, board resolutions, shareholder documents, residence permit or citizenship documents, sworn translations, photographs, video tours, CCTV footage from property showings, WhatsApp correspondence, email records, and call recordings.

Core KVKK Principles in Property Transactions

KVKK Article 4 principles apply directly to real estate transactions. Personal data must be processed lawfully and fairly, kept accurate where necessary, processed for specified and legitimate purposes, limited and proportionate to those purposes, and retained only for the required period.

For real estate professionals, this means that data collection must be purpose-based. A real estate agent may need a buyer’s contact details to arrange a property viewing, but may not need a passport copy at the first inquiry stage. A landlord may need tenant identity and contact details for a lease contract, but should not collect excessive family, health, or financial details unless legally justified. A property developer may need buyer identity and payment records for sale and tax obligations, but should not retain unnecessary copies forever after the transaction ends.

The principle of proportionality is particularly important. Real estate actors often collect entire document sets “just in case.” Under KVKK, this is risky. The correct question is not whether a document may be useful one day, but whether it is necessary for a specific, lawful, and current purpose.

Legal Bases for Processing Real Estate Data

Not every processing activity requires explicit consent. KVKK Article 5 allows personal data to be processed without explicit consent where processing is necessary for contract performance, compliance with a legal obligation, establishment or protection of a right, legitimate interests of the controller without harming fundamental rights and freedoms, or another statutory ground.

For example, processing buyer and seller identity data may be necessary for preparing a sale file. Processing tenant identity and contact information may be necessary for a lease agreement. Processing invoice and payment records may be necessary for legal and tax obligations. Processing title deed and transaction documents may be necessary for the establishment, exercise, or protection of rights. Processing correspondence with a buyer or tenant may be necessary for contract performance or legitimate interest.

However, explicit consent may be required for optional activities such as marketing newsletters, sharing customer information with unrelated third-party commercial partners, publishing customer testimonials or photos, using non-essential advertising cookies, or transferring data abroad in limited situations where no other transfer mechanism applies.

Privacy Notices for Real Estate Agencies and Property Developers

Under KVKK Article 10, data controllers must inform data subjects at the time personal data is obtained. The notice must include the identity of the controller, processing purposes, recipients and transfer purposes, method and legal basis of collection, and data subject rights under Article 11.

A real estate privacy notice should be specific to the transaction process. It should explain how personal data is processed for property inquiries, portfolio registration, property viewing, brokerage agreements, sale or lease negotiations, title deed preparation, payment follow-up, legal documentation, customer support, marketing, online listings, and dispute management.

A property developer’s privacy notice should additionally cover project sales, reservation forms, pre-sale agreements, installment records, delivery protocols, defect notifications, title transfer procedures, condominium management, after-sale services, and construction-related documentation.

The notice should not be hidden inside a long contract. It should be provided before or at the time data is collected, such as when a customer fills out an inquiry form, signs a brokerage agreement, visits a sales office, submits documents for a lease, or shares identity documents for title deed procedures.

Real Estate Agents, Authorization Certificates, and Data Governance

Real estate brokerage in Turkey is regulated under the Regulation on Real Estate Trade. The Ministry of Trade’s provincial guidance states that real estate trade is carried out by enterprises and contracted enterprises holding an authorization certificate, and that the certificate is issued, renewed, or cancelled through the information system by the provincial directorate.

This sectoral framework is relevant to privacy because authorized real estate businesses are expected to operate through formal brokerage documentation, information systems, and verified transaction processes. The Ministry of Trade’s TTBS system allows queries regarding enterprises holding real estate trade authorization certificates.

A licensed real estate business should therefore maintain professional data governance. Customer files should be organized, access should be limited to authorized staff, documents should be retained only as necessary, and personal data should not be shared informally through unsecured messaging groups, uncontrolled spreadsheets, or personal devices.

Online Listings and Electronic Listing Verification System

Online property listings create specific privacy risks. Fake listings, unauthorized listings, copied property photos, misuse of owners’ contact details, and publication of addresses can create serious problems. In Turkey, the Electronic Listing Verification System, known as EİDS, was introduced to increase the accuracy and reliability of property listings. The Ministry of Trade states that the Regulation on Real Estate Trade was amended on 31 August 2023 to impose identity and authorization verification obligations on listing platforms, and that EİDS was created for this purpose.

The EİDS platform explains that it is used to verify the identity information of persons marketing immovable property or second-hand motor vehicles through electronic platforms and whether they are authorized to market the relevant property or vehicle.

From a KVKK perspective, EİDS-related processes involve identity and authorization data. Online platforms and real estate agencies must process this data only for lawful verification and listing purposes. They should not use verification data for unrelated marketing or profiling. They must also inform users about identity verification, authorization checks, data transfers, retention, and platform security.

EİDS Authorization Does Not Replace Real Estate Contracts

A key practical point is that electronic listing authorization does not replace required real estate brokerage documents. The Ministry of Trade’s provincial guidance states that authorization granted through EİDS for publishing a property listing does not replace documents that real estate businesses must prepare under the Regulation, such as authorization agreements, property showing documents, and sale or lease brokerage agreements.

This matters for data protection because each document creates a separate data processing point. A property showing form may include names, phone numbers, property address, viewing date, and signatures. A brokerage agreement may include identity data, commission terms, property details, and transaction authority. A sale or lease brokerage agreement may include further financial and contractual data.

Real estate businesses should prepare privacy notices and retention policies that cover all these documents, not only online listing data.

Title Deed and Land Registry Data

Title deed and land registry data are highly sensitive because they reveal property ownership and legal rights. The General Directorate of Land Registry and Cadastre provides digital services such as parcel inquiry and other title-related systems. Its English website states that parcel inquiries for immovable properties such as lands and plots can be made through an online platform.

The confidentiality of title deed data is also emphasized in official documentation. A TKGM confidentiality undertaking states that, under KVKK and TKGM information security policies, licensed offices sign confidentiality undertakings to ensure the security of title deed information and prevent disclosure; it includes commitments not to print Web Tapu data unless required by the work and not to share such information with unauthorized persons.

This principle should guide all private-sector real estate actors. Title deed records, parcel details, ownership information, mortgage data, and official registry documents should be shared only with persons who have a lawful reason to access them. Real estate agents should avoid sending title deed screenshots or ownership documents broadly through informal channels.

Identity Documents and Document Minimization

Real estate transactions often require identity verification. However, copying, scanning, or storing identity documents should not be automatic at every stage. A buyer making a first inquiry does not usually need to provide a passport copy. A visitor viewing a property may need basic contact details, but a full identity document may be excessive unless there is a specific legal or security reason.

Document minimization is essential. If the transaction requires identity data for title deed preparation, notarized power of attorney, bank loan process, or official reporting, the controller should collect only the required information and retain it only for the necessary period. If a copy of an ID card or passport is legally required, access should be restricted and storage should be secure. If only verification is required, recording limited information may be more proportionate than storing a full copy.

Sale Transactions and Buyer-Seller Data

A property sale file may include both buyer and seller data. Real estate agents, developers, lawyers, notaries, banks, and title deed offices may process data during price negotiation, deposit payment, sale promise agreement, valuation, loan approval, title deed appointment, tax payment, and transfer of ownership.

Each party should process only the data necessary for its role. For example, a real estate agent may need contact, identification, property, and commission-related information. A bank may need financial and credit information. A lawyer may need broader legal documentation to conduct due diligence. A property developer may need buyer identity, payment, and delivery information.

The sale file should not be accessible to every employee in the company. Access should be limited to sales, legal, finance, and authorized management personnel who need the information.

Lease Transactions and Tenant Data

Rental transactions involve tenant, landlord, guarantor, property, payment, deposit, and sometimes family or employment data. Landlords and real estate agents often request income documents, employment information, identity details, references, and guarantor information. These requests must be proportionate.

A landlord may have a legitimate interest in evaluating payment capacity, but should not collect excessive or irrelevant documents. For example, requesting a tenant’s full bank transaction history may be excessive if a limited income document is sufficient. Guarantor data should be collected only where a guarantor is actually used. Family member data should not be collected unless required for the lease purpose.

Lease files should include clear privacy notices, especially where a real estate agency collects tenant data before presenting it to the landlord. Tenants should know who receives their data, why it is processed, how long it will be retained, and whether it will be used for future marketing.

Property Management and Site Administration

Property management companies and residential site administrations process data of owners, tenants, visitors, employees, contractors, and debtors. They may process dues records, payment status, vehicle plate numbers, visitor logs, CCTV footage, access cards, complaint records, repair requests, legal enforcement files, and communication lists.

These entities should not publish debtor lists or resident information in a way that exposes personal data unnecessarily. Notices regarding unpaid dues should be handled carefully. WhatsApp groups, notice boards, and shared spreadsheets can easily create KVKK risks if personal data is disclosed to all residents without a proper legal basis.

CCTV systems in residential buildings also require privacy notices, limited retention, restricted access, and proportionate camera placement.

Valuation Reports, Banks, and Mortgage Data

Real estate valuation and mortgage processes involve financial and property-related data. A valuation report may include photographs, address details, title deed data, zoning status, market analysis, ownership information, and sometimes occupant information. Banks may process income records, employment data, credit history, marital status, property value, loan amount, mortgage details, and payment history.

Valuation companies and banks must define their roles and legal bases. A valuation company may process data under the bank’s instruction for a loan file or as an independent professional service provider depending on the structure. Contracts should regulate confidentiality, security, retention, and data sharing.

Mortgage and valuation files should not be used for unrelated marketing without proper legal basis and transparency.

Foreign Buyers and Cross-Border Data Transfers

Turkish property transactions involving foreign buyers often require passports, tax numbers, translated documents, bank transfer records, residence permit documents, citizenship-by-investment files, family records, and foreign address details. These files may involve cross-border communication with foreign banks, lawyers, translators, consulates, agencies, or family members.

KVKK Article 9 was amended in 2024. Under the amended framework, personal data may be transferred abroad if one of the processing conditions under Articles 5 or 6 exists and there is an adequacy decision. If there is no adequacy decision, transfers may be possible through appropriate safeguards such as standard contracts, binding corporate rules, or written commitments approved by the Board. Standard contracts must be notified to the Authority within five business days after signature.

Real estate agencies and developers working with foreign buyers should map foreign transfers. Sending passport copies or title deed documents to foreign partners, overseas sales agents, cloud CRM systems, or international group companies may trigger Article 9 analysis.

Marketing, CRM, and Real Estate Leads

Real estate businesses rely heavily on leads from websites, online ads, social media, WhatsApp, property fairs, call centers, and listing platforms. Lead data may include names, phone numbers, email addresses, budget, preferred location, nationality, investment purpose, and family needs.

A person who submits a request about one property does not automatically consent to indefinite marketing for all future projects. Marketing communications should be separated from service communications. Promotional emails, SMS messages, and calls may require commercial electronic communication consent and compliance with the Message Management System, depending on the channel and recipient.

CRM systems should include consent status, opt-out records, data source, retention period, and access controls. Old leads should not be kept indefinitely merely because they may be useful in the future.

Data Security in Real Estate Files

KVKK Article 12 requires data controllers to take all necessary technical and organizational measures to prevent unlawful processing, prevent unlawful access, and ensure protection of personal data.

For real estate businesses, practical security measures include role-based access, secure digital archives, password-protected files, encrypted storage for identity documents, restricted access to title deed files, secure email practices, confidentiality undertakings for employees and consultants, clean desk rules, secure disposal of printed documents, and access logging in CRM systems.

Real estate professionals should avoid storing client documents on personal phones, unsecured cloud accounts, open WhatsApp groups, or shared computers. If documents must be shared by email or messaging for practical reasons, the sharing should be limited, secure, and necessary.

Data Retention and Deletion

Real estate files should not be retained forever. KVKK requires personal data to be stored only for the period required by law or by the processing purpose. Once the purpose ends and no legal ground remains, the data should be erased, destroyed, or anonymized.

Retention periods should be defined for inquiry forms, property showing documents, brokerage agreements, sale files, lease files, payment records, invoices, title deed documents, power of attorney copies, valuation reports, CRM leads, call recordings, email correspondence, and dispute files.

Some records may need to be retained for tax, accounting, contract, limitation, or legal defense purposes. However, unsuccessful inquiries, expired leads, old viewing forms, unnecessary identity copies, and outdated marketing records should be periodically reviewed and deleted where no valid basis remains.

Data Subject Rights in Real Estate Transactions

Data subjects have rights under KVKK Article 11, including the rights to learn whether their personal data is processed, request information, learn processing purposes, know domestic and foreign transfer recipients, request correction, request erasure or destruction under legal conditions, object to adverse automated results, and claim compensation for unlawful processing.

In real estate practice, a buyer may ask where their passport copy was shared. A seller may request deletion of an old listing file. A tenant may ask whether income documents were transferred to the landlord. A landlord may request correction of contact details. A foreign investor may ask whether data was transferred abroad. Real estate businesses should have a procedure to verify identity, review files, and respond within legal time limits.

Practical KVKK Compliance Checklist for Real Estate Businesses

A real estate agency, developer, property manager, or listing platform in Turkey should:

1. Prepare a personal data processing inventory.
2. Identify buyer, seller, tenant, landlord, investor, visitor, employee, and vendor data.
3. Determine the legal basis for each processing purpose.
4. Prepare clear privacy notices for real estate inquiries, brokerage services, property sales, rentals, and marketing.
5. Avoid collecting identity documents too early or unnecessarily.
6. Limit access to title deed and financial documents.
7. Use formal brokerage and property showing documents in line with sector rules.
8. Manage online listing data under EİDS and platform verification rules.
9. Keep EİDS verification data separate from unrelated marketing uses.
10. Sign confidentiality and data processing clauses with vendors.
11. Secure CRM and digital archive systems.
12. Avoid sharing title deed documents through unsecured channels.
13. Map transfers to banks, valuation experts, lawyers, notaries, public authorities, and listing platforms.
14. Assess cross-border transfers for foreign buyers and foreign sales partners.
15. Separate marketing consent from transaction processing.
16. Define retention periods for each document category.
17. Delete or destroy unnecessary old files.
18. Train sales teams, consultants, property managers, and administrative staff.
19. Establish data subject request procedures.
20. Audit compliance periodically.

Common Mistakes in Real Estate Data Protection

One common mistake is collecting passport or ID copies from every potential customer at the first contact stage. Another is sharing title deed records, property ownership documents, or payment receipts through unsecured messaging applications. A third mistake is keeping old customer leads indefinitely without legal basis.

Real estate agencies also frequently fail to separate listing authorization, brokerage contracts, and privacy notices. EİDS authorization supports listing verification, but it does not replace required brokerage documents or eliminate KVKK duties.

Another mistake is using customer data collected for one property inquiry to send broad marketing campaigns without proper permission. Developers may also share foreign buyer documents with overseas agents or cloud CRM providers without cross-border transfer analysis. Property managers may disclose resident debts or contact details to other residents without necessity.

Conclusion

Personal data protection in Turkish real estate and property transactions requires a practical and transaction-focused KVKK compliance approach. Real estate files contain identity, address, property, financial, family, investment, and ownership information. These data are sensitive in practice because they reveal where people live, what they own, how much they pay, who represents them, and what legal rights they hold.

Real estate agencies, developers, property managers, listing platforms, landlords, and transaction professionals must comply with KVKK principles of lawfulness, transparency, purpose limitation, data minimization, proportionality, security, and storage limitation. They must also consider sector-specific real estate rules, including authorization certificate requirements and electronic listing verification through EİDS. The Ministry of Trade’s EİDS framework shows that identity and authorization verification has become central to reliable online property listings, but this also increases the need for careful data governance.

A strong compliance model should include clear privacy notices, proper legal basis mapping, minimal document collection, secure title deed data handling, restricted CRM access, formal vendor arrangements, cross-border transfer analysis, defined retention periods, and procedures for data subject rights.

For real estate businesses in Turkey, KVKK compliance is not only a legal obligation. It is also a trust mechanism. Buyers, sellers, tenants, landlords, and foreign investors share highly valuable information with real estate professionals. Businesses that protect this information properly reduce legal risk, strengthen professional credibility, prevent fraud, and build long-term client confidence in the Turkish property market.