Turkey’s Court of Cassation has found Turkish Economy Bank (TEB) responsible for the unauthorized disclosure of confidential client financial records and reversed a lower’s court earlier ruling that had let the bank walk free.
A Data Leak Sends TEB to Court
Anyone familiar with Tatlıcı litigation would end up at the same place in searching for a background story. It’s the inheritance dispute that began after the death of Mehmet Salih Tatlici in 2009.
The publicly available court record paints a picture of how this started although neither Bank nor Ugur and Nurten Tatlici’s commented further of the origin. It appear that in, soon after the passing of late Tatlici, September 2009, the Sarıyer Court requests ten years of banking records for Uğur and Nurten Tatlıcı, going back to 1999 from TEB, and possibly from other banks. Here, TEB complied without issue, and nothing in the record suggests any irregularity at that stage. Years passed. The case changed hands and landed eventually with the Istanbul Civil Court. Then, in March 2017, another request of same records was made by this new court
As the Turkish Court of Cassation decision goes to explain, this new 2017 request simply asked for the previous 2009 response to be re-sent. That is to say, this was a request of Just a resubmission of what was already (or supposed to be) on file. Instead of resending the old records, TEB sent a new, unsolicited batch of account details and transaction history for the period covering 2007 to 2017. Just days later, on April 17, it sent a second letter with similar information, this time covering 11 April 2007 to 11 April 2017. So long story short, the court’s request asking 10-year bank record history led to TEB producing the very last 10 year.
At the end of the day, the TEB, one of Turkey’s leading banks made the same mistake twice. First it suuplied unnecessary new records, and then issuied yet another set of the same unsolicited information only days later.
Some time after the TEB submitted the incorrect and overly broad financial data to the court, the sensitive information was leaked online. The documents, containing details of over 1,000 high-value transactions, were said to published on a website, tatlicileaks.com. This site was claimed to be registered under Mehmet Tatlici’s name and hosted on servers outside of Turkey to evade the jurisdiction of Turkish courts.
Realizing its error, TEB later petitioned the court to have the records removed from the electronic court system, but it had been already accessible to third parties.
TEB’s decision to send records nobody asked for formed the basis of a lawsuit against the TEB.
Court of Cassation Rules That TEB’s Error Does Not Absolve Bank of Liability
The Turkey’s Court of Cassation’s February 2025 decision now confirms that financial institutions must limit any disclosure to what was ordered only. In s’mple terms, the moment TEB step beyond what was explicitly requested, it stopped being compliant and started being liable. Turkey’s Court of Cassation’s legal term for that overreach is “unlawful disclosure of banking secrets.”
In remanding the lower court dismissals, the Court of Cassation’s grounded its reasoning in TEB’s dual legal status as a “data controller” under Turkish data protection law and a “trust institution” under the Banking Law. In other words, the higher court simply said the cat is out of the bag, so the attempt to retrieve it arrived a little too late to matter.
The Court of Cassation found that the question was never whether TEB tried to fix things afterward. It was whether the breach had already caused harm. And on that question, the Court of Cassation answered in the affirmative.
Why BBVA may be next?
Meanwhile, across the Atlantic, Mehmet Tatlici and his Florida firm asked to Florida courts with a RICO (Racketeer Influenced and Corrupt Organizations Act) lawsuit in Florida.
As reported in an earlier coverage, Mehmet Tatlici is seeking to collect his 740 million dollars default judgment against Ugur Tatlici. The collection effort has evolved into a new billion-dollar lawsuit with RICO claims all the while targeting Turkiye Garanti Bankasi A.S. (Garanti Turkey) and its Dutch subsidiary, Garanti Bank International N.V. (GBI), both part of the Spanish banking giant BBVA.
GBI’s lawyers counter that the lawsuit is a “transparent cash grab” and a jurisdictional overreach. GBI argues that the Dutch bank has no business in Florida and is bound by strict EU and Dutch banking laws that protect client privacy.
Garanti Turkey’s position is unique. What makes Garanti Turkey’s position particularly precarious is the overlap between these two fronts.
In Turkey, the Court of Cassation’s decision establishes that when a bank provides more data than requested, even by mistake, it violates privacy and banking laws and can owe moral damages. The decision establishes that a bank is a “trust institution” and cannot escape liability by later removing data or blaming anonymous leakers.
In the U.S., Mehmet Tatlici and his law firm are already asserting that Garanti Bank Turkey and its affiliates form a single global enterprise subject to RICO discovery and potential damages in the billions.
The Court of Cassation’s decision against TEB does not mention Garanti Banks Turkey by name. But, What the TEB ruling may mean for Garanti Turkey is a question worth asking.
The Court of Cassation’s ruling applies financial institutions operating under Turkish banking law, and that includes Garanti Bank Turkey.
Unlike BBVA’s purely European subsidiaries, Garanti Turkey sits at the intersection of EU-linked BBVA governance and Turkish banking regulation, which could, hypothetically, expose Garanti Bank Turkey to scrutiny on more than one legal front.
Could a RICO finding in the United States can violate Turkish privacy or banking law and create a double compliance risk for the Bank operating in more than one jurisdiction? That question is for lawyers to answer.
It reveals however that banks handle sensitive client data, even when responding to legitimate judicial orders, carries consequences that no institution in the banking sector can afford to treat as someone else’s problem.