a) What Is an Asset Management Company?
Asset management companies are firms established by obtaining permission as per the applicable legislation for the purchase, collection and resale of the receivables and other assets of companies assigning them for such purposes. They take over the receivables that constitute the non-performing loan portfolios of financial organizations, particularly banks, and specialize in the collection process of those receivables. Being critical for the functioning of the financial system, asset management companies provide advantages to those that cannot collect their loan receivables as well as those that have difficulty in paying their loan debts.
b) Collection Process
An asset management company’s collection process starts with a payment offer to a debtor. If the debtor’s payment plan is agreed upon, a written notification is sent to the debtor, which must include the information that the debt has been paid or that the debt will be cleared if paid. These notifications must be made in writing or through permanent data storage devices, being recorded and stored to be legally valid.
For the purpose of ensuring legal security, the collection process should be transparent and respect the rights of both parties. Asset management companies are required to complete the collection process properly and effectively without violating the rights of debtors. If the debtor fails to clear the debt, legal action will be necessary, but any action must comply with the Personal Data Protection Law no. 6698 (the “KVKK”) along with other pertinent regulations.
c) Analysis with Respect to the KVKK
An asset management company may process the debtor’s phone number data, which is the debtor’s personal data, without the explicit consent of the debtor as per subparagraph (e) of paragraph (2) of article 5 of Law no. 6698 if there is a new creditor of the loans borrowed by the debtor from the relevant banks to prevent the debtor from paying debts to the previous creditors and to inform the debtor of the facilities to be provided to the debtor by the relevant parties and of the legal risks that the debtor may face in case of non-payment of the debt in accordance with article 186 of Law no. 6098. [Personal Data Protection Board, Decision No: 2020/429, Decision Date: 28.05.2020.] However, in this respect, asset management companies must identify the debtor’s identity and contact details accurately.
Except for those who wish to pay the debt, assume the debt, or participate in the debt or contract, either by contacting the company directly using the communication details provided to the debtor by asset management companies or by giving consent with the debtor at the time of communication with the debtor, no information regarding the debt may be disclosed in any manner to unauthorized third parties, and such persons may not be contacted. Another important issue is the information provided to the debtor’s relatives. If the person reached is the debtor’s spouse or the debt’s guarantor, there is a legitimate basis for informing them about the debt’s details, since these persons may be held liable for the debt. The persons who live in the same dwelling as the debtor and will be directly affected from any attachment proceedings (such as descendants and ascendants) may also be informed in this respect. Otherwise, informing other parties about the debt would violate the debtor’s privacy. The debtor’s relatives and the persons thought to have a legitimate reason to know about the debt may be informed to the extent of their legitimate reason.
Another issue is the manner of accessing the contact information of the debtor’s relatives for their notification. The Board has detected that certain software, programs, and applications are used to query citizens’ personal data, such as identity and contact details, through data obtained via various means. The use of such programs violates the provisions of article 12 of the KVKK regarding data controllers’ data security obligations.
In this context, the Board’s Decision no. 2020/429 of 28.05.2020 states that, “obtaining the phone numbers of the debtor’s brother and colleagues in a matter that can only be assumed and cannot be fully proven, and then disclosing the debt details of the complainant, i.e. their personal data, to these persons constitute a violation of the provisions of the Law. Thus, the data controller is deemed to have failed the obligation to take all necessary technical and administrative measures to prevent unlawful processing of and unlawful access to personal data and to ensure an appropriate level of security for the protection of personal data.”
As such, the Board finds it unlawful to obtain the personal data of the debtor’s relatives and to disclose the debtor’s debt details to such relatives, without a reasonable explanation and in violation of the processing reasons set out in article 5 of the Law.
The Board has also clarified the complaints regarding multiple SMSs sent by asset management companies for the collection of receivables. Accordingly, sending an SMS “for the purpose of preventing the debtor from paying debts to the previous creditors and informing the debtor of the facilities to be provided to the debtor by the relevant parties and of the legal risks that the debtor may face in case of non-payment of the debt” will be a lawful data processing based on subparagraph (e) of paragraph 2 of article 5 of the Law, which refers to the necessity for “data processing for the establishment, exercise or protection of a right.” However, the Company’s sending multiple SMSs to a phone number lawfully obtained at different times for the same debt, i.e. sending multiple messages of the same content to the data subject’s phone number on different dates, constitutes an abuse of the right of the data controller. This situation also violates the principle of compliance of personal data processing with the law and good faith, as stated in subparagraph (a) of paragraph 2 of article 4 of the Law.
d) Analysis with Respect to Financial Consumers
The debt collection process is subject to special regulations in terms of financial consumers. The Law on Consumer Protection and the KVKK protect the communication rights of debtors. Asset management companies may only contact debtors between 09:00-20:00 if they have not redeemed their debts despite being notified of them. Contact is prohibited on weekends and holidays. There is also a limit on how many times the debtor can be contacted. Thus, only three phone calls and one SMS are allowed per day. These limitations protect the debtor’s personal rights and prevent excessive contact.
Asset management companies may not process the debtor’s personal data without authorization and disclose them to third parties while communicating with the debtor. Article 4 of the KVKK states that the processing of personal data must comply with the law and good faith. Therefore, unauthorized disclosure of the debtor’s phone number to third parties violates this provision.
Moreover, contacting the debtor multiple times without the debtor’s consent is contrary to article 5 of the KVKK and the Law on Consumer Protection. During communication, the debtor’s consent must be explicitly obtained and recorded. Otherwise, the debtor’s personal data will be processed unlawfully.
Another important issue is the frequency of SMSs and phone calls to the debtor. In case of non-payment, companies should not make more than three calls per day from different phone numbers. Likewise, sending multiple SMSs should be kept within legal limits. If the debtor is reached, the next call or contact should be postponed for at least five business days without the debtor’s explicit consent, which is necessary to protect the debtor’s personal data and personal rights as per article 6 of the KVKK.
e) Conclusion
Asset management companies’ collection processes are crucial to protect the functioning of the financial system and the personal rights of debtors. The KVKK and the Law on Consumer Protection set forth measures to protect debtors’ personal data and communication rights. Asset management companies must comply with these regulations while communicating with the debtor, protect the debtor’s personal data and act within legal limits, which is not only a legal obligation but also critical for the establishment of trust in the sector. Thus, the rights of debtors and creditors are protected with a fair and transparent collection process.
