Credit score sharing in Turkey has become an increasingly common practice among businesses seeking to reduce financial risk. From car rental companies to fintech platforms, and even some employment screening processes, creditworthiness checks through systems like Findeks are now routine. However, many companies do not realize that the use and sharing of credit score data are directly governed by Turkish data protection law—specifically the Law No. 6698 on the Protection of Personal Data, widely referred to as KVKK. When companies process, store, or transmit a customer’s financial information—particularly sensitive credit scoring data—they are subject to the legal standards of data processing, informed consent, data minimization, and security set forth in KVKK.
At ER&GUN&ER Law Firm, we provide legal consultancy and audit defense services to companies across Turkey that collect or share credit information. Our English Speaking Turkish Lawyers specialize in KVKK compliance in Turkey, and offer clients not only regulatory interpretation, but also practical implementation strategies—policy drafting, consent form development, internal documentation, and litigation support. As a best lawyer firm in Turkey for personal data protection and financial compliance, we know how to help clients comply with the law while preserving their business interests. Our services are particularly important for companies facing a data protection investigation in Turkey, or those subject to complaints due to unlawful Findeks checks.
Understanding the Nature of Credit Score Data Under KVKK
Credit score data, such as the Findeks report provided in Turkey by the Credit Bureau (Kredi Kayıt Bürosu), is classified as personal data under Article 3 of KVKK because it relates to the financial behavior of an identifiable individual. This data typically includes debt history, credit card limits, loan repayments, bounced checks, and overall creditworthiness. In certain contexts—especially if used to evaluate a customer’s ability to access essential services or employment—it may even be considered sensitive personal data under Turkish law. Therefore, it cannot be collected, processed, or shared freely by businesses without first satisfying specific legal conditions.
Our Turkish Law Firm regularly advises corporate clients on whether the credit score data they are collecting is legally justifiable, whether the consent process is robust, and whether the use of this information complies with the data minimization principle required by KVKK compliance in Turkey. Many companies mistakenly believe that because the data comes from a third-party provider like Findeks, they are exempt from liability. In fact, all controllers and processors of the data are jointly responsible for lawful handling. Ignorance of this principle has led to significant penalties for even well-intentioned businesses.
Do You Need Explicit Consent to Use Credit Scores in Turkey?
The short answer is yes—explicit, written, and informed consent is typically required to lawfully process or share a customer’s credit score under KVKK. Article 5 of the law lists specific legal bases for processing personal data without consent, but these generally do not apply to private businesses using credit scores for commercial screening. “Contractual necessity” is not a safe basis unless the credit score is demonstrably essential to the delivery of the core service. The same logic applies to “legitimate interest,” which must be balanced against the customer’s right to privacy and informed data use. In practice, regulators have made it clear: if you’re using credit scores to make commercial decisions, get clear, documented consent.
At ER&GUN&ER Law Firm, we help businesses develop consent forms that meet Turkish and European data protection standards. Our English speaking Turkish lawyers also review digital checkboxes, onboarding scripts, and privacy statements to ensure that they are valid in the eyes of Turkish regulators. As part of our KVKK compliance strategy in Turkey, we train internal compliance teams and create documentation that can be presented during audits or in response to complaints.
Risks of Sharing Credit Data with Third Parties
Sharing credit score data with third parties—especially without the data subject’s prior and informed consent—creates a significant risk under Turkish data protection law. Under KVKK, any transfer of personal data to another data controller or processor must be justified under Article 8 (domestic transfers) or Article 9 (international transfers), and requires either a legal basis or explicit consent. In practice, very few private businesses can justify sharing Findeks reports with insurers, leasing partners, or affiliated brands without clear written permission from the individual.
Our Turkish Law Firm is frequently consulted by clients who have received formal complaints under the KVKK for exactly this issue. Common scenarios include an employee's credit score being shared with a parent company abroad, a customer’s Findeks report being copied to an internal Slack channel, or a supplier requiring client credit data for invoicing. These may seem harmless, but under the KVKK and its accompanying Board decisions, they constitute unlawful disclosure. We help clients implement internal access controls, enforce confidentiality within departments, and maintain detailed logs of all data disclosures to ensure full KVKK compliance in Turkey.
Handling Complaints and Data Subject Requests
Once a customer or employee suspects that their data—such as a Findeks report—has been misused, they may file a complaint directly with the company. If no response is received within 30 days, they may escalate the issue to the Turkish Data Protection Board (Kişisel Verileri Koruma Kurulu). Companies are legally obliged to respond to these data subject requests in writing and within the statutory period. Failure to respond or respond sufficiently often triggers a formal investigation. This is how many data protection investigations in Turkey are initiated, even in cases where the original action was unintentional.
As part of our personal data legal support in Turkey, we manage the full cycle of complaint resolution—internal fact-finding, legal position assessment, communication strategy, and defense filing. In appropriate cases, we prepare mitigation statements and correction protocols to show that the company is acting in good faith and willing to adopt compliance reforms. This has led to significant penalty reductions or avoidance for our clients.
Data Retention and Erasure Obligations
One of the most neglected areas in Turkish corporate practice is data retention. Under KVKK, credit data must not be kept longer than necessary for the specific processing purpose stated in the consent or privacy policy. In many cases, Findeks reports are saved on email servers, shared folders, or even printed and filed away without any policy on retention or erasure. This is a major legal vulnerability, as regulators increasingly ask companies to prove they are following a data lifecycle framework—collection, use, storage, deletion.
We help clients implement KVKK-compliant retention and destruction protocols, conduct data mapping, and document deletion events. As a best lawyer firm in Turkey in regulatory advisory, we also develop checklists, staff training guides, and template responses to data erasure requests from customers or former employees.
Internal Legal Resources for Financial Data Compliance
- Defending KVKK Audits in the Finance Sector
- Dual Language Privacy Notices
- Overview of KVKK Rules and Fines
- How to Handle a Credit Data Breach
- Credit Terms in Fintech and SaaS Contracts
Frequently Asked Questions (FAQs)
- Can a company ask for my Findeks credit score? Only with your prior, informed, and explicit consent. This request must be tied to a legitimate business need.
- Is credit score data subject to KVKK? Yes. It qualifies as financial personal data and must be processed lawfully under KVKK and consumer protection laws.
- Can I sue a company that shared my credit report without consent? Yes. You can file a complaint with the Data Protection Board and, in some cases, initiate civil claims for damages.
- Are consent forms in apps legally valid? Only if they are clearly visible, not pre-checked, and tied to a readable privacy notice. We assess this on a case-by-case basis.
- Can financial data be stored indefinitely? No. It must be deleted once the stated purpose is complete, or when the retention period expires.
- How can companies defend against KVKK claims? By showing they had lawful consent, secure storage, internal access control, and a valid processing policy.
- What penalties apply for credit data misuse? Depending on the nature of the violation, companies may face fines, public sanctions, and in rare cases, criminal charges.
- Is GDPR enough for companies operating in Turkey? No. While similar in principle, GDPR does not satisfy KVKK-specific registration and documentation rules.
- What industries are most at risk? Car rental, leasing, insurance, fintech, HR, and any sector that uses pre-screening or risk scoring models based on financial data.
- How can a Turkish Law Firm help? We assess your data use practices, revise policies, build documentation, defend against Board inquiries, and train staff on lawful processing.
Stay Compliant and Build Trust with Responsible Credit Data Use
Financial data is among the most sensitive forms of personal information—and credit scores are at the heart of it. In Turkey, as in many other jurisdictions, this information cannot be collected, stored, or shared without clear legal authority. The risks of misuse are no longer theoretical; companies have been fined, investigated, and even publicly listed as violators by the Turkish Data Protection Board. As more customers become aware of their rights, compliance is no longer optional—it’s a competitive advantage that distinguishes trusted businesses from risky operators.
At ER&GUN&ER Law Firm, we help you use data responsibly without sacrificing commercial performance. Our English Speaking Turkish Lawyers work closely with your team to ensure your credit score policies, Findeks usage, customer consent flows, and document retention schedules meet the standards set by Turkish law. As a best lawyer firm in Turkey for KVKK compliance, we not only advise—we defend, structure, and future-proof your data strategy. If your business uses financial data, let us show you how to use it safely, legally, and effectively.