Assessment of the Personal Data Protection Board’s Decision Imposing an Administrative Fine on a Car Rental Company for Requesting a Findeks Credit Report as a Prerequisite for Service in Accordance with Turkish Law

02.05.2025

1. INTRODUCTION

The requirement to share personal data, especially financial privacy-related or sensitive data, as a condition for accessing a service is increasingly drawing the attention of the Personal Data Protection Board (“Board”) and becoming a recurring subject of legal review. According to one of the Board’s decisions, when a car rental company requested a Findeks report from its customer as a prerequisite for the rental and canceled the reservation if this request was not met, it was assessed that linking the service to the provision of personal data was unlawful and an administrative fine was imposed on the company.

The Decision makes it necessary to reconsider the fundamental principles of personal data protection, namely proportionality, necessity, and legitimate interest. Car rental is a service that involves high financial risk in today's economic conditions, which has increased the need for companies to assess the financial reliability of their customers.

In this study we will be evaluate; (i) the legal background and content of the Findeks report, (ii) the implications of the relevant Board Decision in terms of banking and personal data protection law, and (iii) how the decision can be considered in terms of proportionality and legitimate interest balance.

2. SUMMARY OF THE DECISION

A car rental company operating in Turkey rented a car to its customer ("Customer" or "Complainant") through an online platform that provides bus, airplane, rental car and accommodation search and sales services, and paid the same day by credit card.

When the customer went to the authorized agent of the car rental company to pick up the vehicle, he was asked to pay a deposit. The customer gave his credit card to the authorities to pay the deposit.

The Costumer was then sent a two-step verification SMS from Findeks and a password.

The Agency also informed the Costumer that the Findeks report would not be delivered to the Costumer if the verification requirements for access to the Findeks report were not fulfilled and explicit consent was not given for the processing of the data in the report.

Following the failure of the Complainant to provide the Findeks report and explicit consent, the Complainant was notified of the cancellation of the reservation on the same day on the grounds that he did not accept the company procedures.

Ultimately, the Costumer filed a complaint with the Board, requesting the destruction of his data and the termination of the unlawful practice.

As explained in detail below, the Board imposed a fine for the violation of Article 20 of the Constitution of the Republik of Türkiye (“Constitution”) (privacy of private life) and Article 12 of the Law on the Protection of Personal Data ("KVKK" or "Law") (violation of the obligations of the data controller).

In our opinion, it is useful to evaluate the Decision in the following legal frameworks and to analyze its prospective effects on Turkish law:

(i) The legal infrastructure of the Findeks report and the evaluation of the personal data it contains

(ii) Evaluation of the decision in the context of the Banking Law

(iii) Evaluation of the decision in the context of personal data protection law within the framework of Turkish legislation, especially in terms of proportionality and balance of interests.

3. WHAT IS FINDEKS REPORT?

3.1. LEGAL GROUND OF THE FINDEKS REPORT

Pursuant to Additional Article 1 of the Banking Law, a Risk Center was established at the Banks Association of Türkiye ("BAT") to collect risk information of credit institutions and customers of financial institutions deemed appropriate by the BDDK and to ensure that such information is shared with these institutions and third real persons within the framework of the legal order.

The Risk Center management is authorized to sign information exchange agreements with private law legal entities in line with the establishment purposes of the Risk Center upon the approval of the Board.

With its Decision No. 2685 dated July 3, 2008, the BDDK authorized KKB to operate as an information exchange institution. In Türkiye, only KKB and Risk Center operate as information exchange institutions. KKB serves as a proxy for the Risk Center ^[2] . Therefore, as of today, the state has a monopoly on banking information exchange.

Findeks is a brand of the state monopoly Kredi Kayıt Bürosu A.Ş. ("KKB") .^[3]

3.2. WHAT DATA DOES THE FINDEKS REPORT CONTAIN?

The Findeks report is a report prepared on the basis of Additional Article 1 ("Additional Article 1") of the Banking Law ("Banking Law"), which shows financial data such as debt and limit information, payments, etc. of credit, credit card and overdraft accounts of individuals at banks.

The content of the Findeks report is determined by the Risk Center management pursuant to subparagraph (g) of paragraph (1) of Article 3 of the Regulation on the Principles and Procedures Regarding the Provision of Information of the Customers of the Members of the Risk Center of the Banks Association of Türkiye ^[4] ("Risk Center Regulation").

The report processes financial data such as (i) credit rating, (ii) month-by-month information on whether commercial/individual loans are paid on time, (iii) the amount of non-performing commercial/individual loans, (iv) debts transferred to asset management companies, and (v) credit limits.

Some images from the sample report are presented:

As can be seen, the content of the Findeks report contains very detailed data. In our opinion, it is extremely difficult to consider the sharing of such detailed data as prudent in terms of car leasing.

When the Personal Data Protection Board, which was established to protect the rights of citizens arising from the Law within the framework of Article 20 of the Constitution (privacy of private life), detects a data processing in this detail and within the framework of the existing jurisprudence, we are of the opinion that the purpose of data acquisition is quite suitable for interpretation in favor of individuals.

Alternatively, based on the legal power of the Risk Center management to determine the content of the report according to the Risk Center Regulation, the Risk Center and/or its proxy KKB may prepare and share a simpler report with a decision. It is possible that the need for a legal regulation change at the level of the BDDK regulation for sharing is put forward.

For example, even just sharing the Findeks Credit Rating may be a serious indication for car rental applications and may subject to commercial evaluation on a company basis:

4. EVALUATION OF THE DECISION WITHIN THE FRAMEWORK OF TURKISH LEGISLATION

4.1. EVALUATION IN TERMS OF BANKING LAW

Article 73 of the Banking Law stipulates that the data of natural and legal persons, which are specific to banking activities and which are generated after the establishment of a customer relationship with banks, shall become customer secrets.

With Additional Article 1, the collection of risk information and the sharing of such information with real persons or private legal entities is conditional upon the consent of the persons concerned.

With the Regulation on Sharing Confidential Information ^[5] , it is regulated that banks and financial institutions are exempt from the obligation to keep confidential information and documents, provided that a confidentiality agreement is made and that it is limited to the specified purposes, by exchanging all kinds of information and documents, either directly among themselves or through the Risk Center or companies to be established by at least five banks or financial institutions.

Although we are of the opinion that obtaining approval from the customer via SMS by KKB for the provision of the Findeks report within the scope of the aforementioned legislation is in compliance with the ECL, the necessity of the customer data provided in the content of the Findeks report for the car rental activity should be discussed within the framework of the commercial decision to be taken by the companies.

4.2. EVALUATION IN TERMS OF KVKK

4.2.1. EVALUATION IN TERMS OF THE PRINCIPLE OF PROPORTIONALITY

Article 4 of the KVKK lists the principles that must be complied with in the processing of personal data.

One of these principles is that the personal data to be processed should be relevant, limited and proportionate to the purpose for which they are processed. According to the guidelines of the Personal Data Protection Authority, the principle of proportionality means establishing a reasonable balance between data processing and the purpose to be achieved.

Due to today's economic conditions, exchange rate increase and inflation, spare parts prices and new/second-hand vehicle prices have increased extraordinarily. Buying a vehicle is an investment that requires a very high financial burden.

Considering the material value of the vehicles subject to leasing and the possible losses that may be incurred in the event of a loss, we believe that it is proportionate for car rental companies to request the Findeks report showing the financial risk of the customer during the leasing service.

4.2.2. EVALUATION REGARDING THE LEGITIMATE INTEREST OF THE DATA CONTROLLER

Pursuant to the established decisions the Board ^[6] , it is necessary to conduct a balance test between the fundamental rights and freedoms of the data subject and the interests of the car rental companies in obtaining the information in question, to consider which of the competing interests outweighs and to decide on the processing of the relevant personal data as a result.

Car rental companies face financial risks such as (i) not being able to use the vehicle for many years due to the security measures taken by the judicial authorities, (ii) not being able to rent the vehicle, (iii) not being able to sell the vehicle as a result of the involvement of the leased vehicles in the criminal incident.

As an example, vehicles with a market value of TRY 900,000 ^[7] are rented at an average daily rental price of TRY 500 and the actual possession of the vehicle is handed over to another person. In other words, the possession of the vehicle changes hands daily for 1/1800 of the value of the vehicle.

When an assessment is made in this context; when the material value of the vehicles and the risk borne by the leasing companies are compared with the interest of the lessors of the vehicles, which is a personal data, to learn a much more limited credit rating from the current report, we are of the opinion that the balance of interests is established and even the interest of the leasing companies will outweigh. However, in order to achieve this, it would be beneficial to work on limiting the current report much more.

As a result, we believe that processing only the credit rating will be a sufficient parameter within the scope of the interest in question. Therefore, we believe that obtaining Findeks credit rating information can be processed without obtaining explicit consent within the scope of the personal data processing conditions listed in Article 5 of the KVKK. However, it is possible that a legal regulation change at the level of the BDDK regulation will be required for this.

4.2.3. EVALUATION IN TERMS OF LINKING EXPLICIT CONSENT TO THE CONDITION OF SERVICE

Pursuant to Article 3 of the KVKK, explicit consent is consent regarding a specific subject, based on information and expressed with free will.

Within the framework of the definition in the Law and the established decisions of the Board ^[8] , linking the explicit consent to the condition of service undermines the free will.

There is unanimity of jurisprudence on this issue.

Within the framework of the existing adverse jurisprudence in terms of the principle of proportionality, legitimate interest and adherence to the service precondition, our legal opinion is that in the case of a much more limited Findeks report, the explicit consent of the person will not be required.

5. CONCLUSION AND SOLUTION SUGGESTIONS

It is a well-known fact that in most modern civilizations, bank credit rating is taken as a basis for access to basic needs such as asset acquisitions, credit allocation, housing leasing, and account openings.

The main purpose of the existence of KKB, and therefore Findeks, is to share information on the credit risks of individuals within the framework of the legal order.

We are of the opinion that, in today's economic conditions, a limited credit rating data from KKB, which is a state monopoly, to be received by the car rental company, which has the constitutional right to property, which is in the category of sacred right due to the sweat of its brow, guaranteed by Article 1 of the Additional Protocol No. 1 of the ECHR and Article 35 of the Constitution, would be a practice that is compatible with the legitimate interest and proportionate in today's economic conditions.

The paradox of limiting unsecured retail consumer loans to a maximum of TL 500,000 in the framework of the communiqués issued by the BDDK to deposit banks, but handing over the de facto control of vehicles with asset values much higher than this amount to customers with only a deposit amount of credit card blockage collateral is obvious. In a TRY 500,000 loan allocation process where (a) payroll, (b) movable/immovable property information, (c) collaterals such as sureties in some cases, and (d) credit risk examination is required, the unlawful demand for a limited credit rating from customers during the leasing of much more valuable vehicles almost without collateral does not coincide with today's realities.

While we agree with the Board's Decision that only explicit consent should not be taken as a prerequisite and that the current report is very detailed, it is clear that the need served by the report is a situation where there is no need for explicit consent. Furthermore, the Decision does not address many critical issues, particularly proportionality.

As a result, we are of the opinion that a limited Findeks report and credit rating information may be processed by car rental companies within the scope of legitimate interest. Likewise, it is clear that the car rental sector, which is one of the cornerstones of the Turkish economy, should be partially assured. Accordingly, we believe that it would be useful to conduct a study on how the Findeks report can be provided in a more limited framework.

^[1] https://kvkk.gov.tr/Icerik/7772/2023-1234

^[2] KKB provides data collection and sharing services to 185 Risk Center member financial institutions in addition to conducting all operational and technical activities in-house as a proxy for the BAT Risk Center. (https://www.kkb.com.tr/hakkimizda)

^[3] Trademark Notice Bulletin Date 14.08.2023, Application Number 2023/091507, Application Date 14.07.2023

^[4] https://www.riskmerkezi.org/tr/duzenlemeler/yonetmelikler/19

^[5] https://www.resmigazete.gov.tr/eskiler/2021/06/20210604-6.htm

^[6] Board Decision dated 22/07/2020 and numbered 2020/559,

Board Decision dated 25/03/2019 and numbered 2019/78,

Board Decision dated 23/06/2020 and numbered 2020/481

^[7] https://renaultfiyat.com/renault-clio-fiyatlari

^[8] Board Decision No. 2020/173 of 27/02/2020,

Board Decision No. 2019/206 of 08/07/2019,

Board Decision No. 2021/389, T. 20/04/2021

This website is available “as is. Turkish Law Blog is not responsible for any actions (or lack thereof) taken as a result of relying on or in any way using information contained in this website, and in no event shall they be liable for any loss or damages.

The content and materials published on this website are provided for informational purposes only and should not be used as a legal opinion in any way. This website and the information contained are not intended to establish an attorney-client relationship.

Merkezi Kayıt Kuruluşunun Kuruluş, Faaliyet, Çalışma ve Denetim Esasları Hakkında Yönetmelik ile Kaydileştirilen Sermaye Piyasası Araçlarına İlişkin Kayıtların Tutulmasının Usul ve Esasları Hakkında Tebliğ’de Değişiklik Yapıldı

Amendments to the Regulation on the Establishment, Activities, Working Principles, and Supervision of the Central Securities Depository and to the Communiqué on the Principles and Procedures for the Book-Entry Recording of Dematerialized Capital Market Instruments

Bankaların Yeşil Varlık Oranı Hesaplaması Hakkında Tebliğ Yayımlandı

Significant Amendments to the Regulation on Shopping Malls

Threshold Values for Statutory Independent Audit Updated for 2025

Updated Thresholds for Independent Audit

Two-minute Recap of Competition Law Matters Around the Globe - April 2025

Competition on the Digital Market: Internet Sales Bans in Light of the Competition Board and EU Case Law

Two-minute Recap of Competition Law Matters in Türkiye - March 2025

Construction Law Wrap Up 2024

Construction Arbitration: Türkiye - Part 4

Construction Arbitration: Türkiye - Part 3

Two-Minute Recap of Data Protection Law Matters Around the Globe – April 2025

The New Legal Framework for Cyber Security in Turkey: Cyber Security Law Numbered 7545

Kişisel Verileri Koruma Kurulu’nun Hizmet Ön Koşulu Olarak Findeks Raporu Talep Eden Araç Kiralama Şirketine Vermiş Olduğu İdari Para Cezası Kararının Türk Hukukuna Göre Değerlendirilmesi

Tüzel Kişilik Perdesinin Kaldırılmasında İspat Sorunu ve İcra Takibine Yansıması

Tam Yargı Davalarında Miktar Artırımı Yapılan Tutara da Dava Tarihinden İtibaren Faiz İşleyeceği Hususunda İçtihatlar Birleştirildi

Precedents Unified Regarding the Accrual of Interest on the Increased Amount in Full Remedy Actions as of the Date of the Initial Lawsuit

Uzaktan İletişim Araçları Yoluyla Piyasaya Arz Edilen Ürünlerin Piyasa Gözetimi ve Denetimi Yönetmeliği Yürürlüğe Girdi

New Era for E-marketplaces and E-sellers-providers in Turkey (Updated 28 March 25)

E-Ticaret Mevzuatında Meydana Gelen Gelişmeler (18.03.2025)

Elektrik Piyasasında Toplayıcılık Yönetmeliği Ne Getiriyor?

Kamuda Enerji Performans Sözleşmesi Uygulaması

Ulusal Taşıt Tanıma Sistemi Uygulama Genel Tebliği Hakkında Bilgilendirme

İklim Kanunu Teklifi TBMM Çevre Komisyonu'nda Kabul Edildi

Türkiye Sürdürülebilirlik Raporlama Standartları Uygulama Kapsamında Değişiklikler Yapıldı

Amendments to Türkiye Sustainability Reporting Standards

Kripto Platformlarında Rezerv Denetimleri Başlıyor. Sermaye Piyasası Kurulu Kripto Varlık Hizmet Sağlayıcıların Rezerv Kanıt Denetimleri Hakkında İlke Kararı Yayımladı

CMB Clarifies Proof of Reserves Audit for Crypto Asset Service Providers

Guidelines on the Secondary Legislation on Crypto Asset Service Providers

Sigorta Şirketlerinin Sermaye Yükümlülükleri ve Mali Bünyelerinin Zayıflaması Halleri

Insurance Litigation 2025 in Turkey

Capital Obligations of Insurance Companies and Circumstances of Financial Weakening

Jurisdictional Implications of CJEU Case C-339/22 and Article 71(3) of Brussels Ibis for Non-EU States: The Case of the UK, Norway, Switzerland and Türkiye

Constitutional Court Decision No. 2024/176 E. and 2025/42 K. – Assessment Regarding Industrial Property Rights and the Option of Net Profit-Based Compensation

Kesinleşmemiş TÜRKPATENT Kararları Üzerinden Yapılan Yanıltıcılık ve Haksız Rekabet İlişkisi

The BR International Trade Report: May 2025

BIS Issues Four Key Updates on Advanced Computing and AI Export Controls

U.S. Section 301 Strikes Back: Additional U.S. Port Service Fees on Vessels With China Nexus; Potential Far-Reaching Implications for Leaseback Arrangements

İş Hukuku Güncel Gelişmeler I Ocak-Şubat-Mart 2025

Employment Law Newsletter I January-February-March 2025

Yabancılık Unsuru Taşıyan İş Sözleşmelerinde Hukuk Seçimi Anayasa’ya Aykırı Bulundu

Regulatory Compliance in Advertising of Cosmetic Products: An Evaluation in Light of the Decisions of the Advertising Board

Kozmetik Ürünlerin Reklamında Mevzuata Uyum: Reklam Kurulu Kararları Işığında Bir Değerlendirme

Sağlık Meslek Mensuplarının Serbest Meslek İcrası Hakkında Yönetmelik Yürürlükte: Denetim Süreçleri Belirlendi

Reklam Kurulu Kararları Işığında Örtülü Reklamın Tanımı, Unsurları ve Hukuki Çerçevesi

Definition, Elements and Legal Framework of Covert Advertising in Light of Advertising Board Decisions

İtibar mı, Ceza mı?: Sosyal Medyada Ticari Reklamın Hukuki Sınırları

M&A Essentials: A Practical Guide for Buyer, Seller, and Advisors

Legal Due Diligence in M&A Deals: Key Areas and Compliance Focus

The Power of Disclosure: How Disclosure Letters Shape Liability in M&A Transactions

Arsa Payı Karşılığı İnşaat Sözleşmeleri: Arsa Sahibinin Hak ve Yükümlülükleri

Construction Contract: Rights and Obligations of the Landowner

Kentsel Dönüşümde Mülkiyet Hakkı İhlalleri

İpoteğin Paraya Çevrilmesi Yolu İle İlamsız ve İlamlı İcra Takip Türleri ve İpotek Kat İhtarnamesi: Hukuki ve Uygulamalı Analiz

İcra ve İflas Kanunu Uyarınca Yapılacak Satışların İlanlarına İlişkin Parasal Limitlerin Güncellenmesi Hakkında Tebliğ Yayımlandı

Communiqué on the Update of Monetary Limits for Announcements of Sales to Be Made Under the Enforcement and Bankruptcy Law is Published

Startup Investments: A Handbook for Investors and Entrepreneurs

TEKMER (Teknoloji Geliştirme Merkezi) Nasıl Kurulur ve Girişimcilere Hangi Destekleri Sunar?

Ters Hak Ediş (Reverse Vesting) Nedir?

Pillar One – Amount B will not Apply to Transactions of Distributors, Sales Agents and Commissioners Operating in Türkiye

9487 Sayılı Cumhurbaşkanı Kararı ile Gelir Vergisi Kanunu Geçici 67. Maddesi Kapsamında Değişiklikler

Amendments Enacted Under Presidential Decree No. 9487 within the Scope of Provisional Article 67 of the Income Tax Law

Türkiye'de Siber Güvenliğin Yeni Yasal Çerçevesi: 7545 Sayılı Siber Güvenlik Kanunu

Two-Minute Recap of Recent Developments in IT Law – April 2025

ChatGPT, Gemini, Claude Gibi Genel Amaçlı Yapay Zekâ Modelleri İçin Yeni Dönem

Liability Regulations in Cargo Damage During Sea Transport: A Comparative Analysis of Turkish and English Maritime Law

Regulation on Pilotage and Towage Services Published

Limanlar Yönetmeliğinde Değişiklik Yapılmasına Dair Yönetmelik Yayımlandı

Caught in the Crossfire: Balancing Employee Rights in Internal Investigations

A New Enforcement Blueprint: How the Department of Justice Is Re-Shaping Its Approach to Digital Assets, Anti-Money Laundering, and Financial Crime

Paravan Şirketlerin Karanlıktaki Yüzü

Assessment of the Personal Data Protection Board’s Decision Imposing an Administrative Fine on a Car Rental Company for Requesting a Findeks Credit Report as a Prerequisite for Service in Accordance with Turkish Law

Popular Articles on Data Protection & Privacy

Latest Insights from Barlas & Karabucak

Subscribe to our newsletter