Principle Decision of the Personal Data Protection Board Regarding Loyalty Card Programs
Pursuant to the Decision of the Personal Data Protection Board concerning Loyalty Card Programs, published in the Official Gazette dated 28 February 2026 and numbered 33182, the practice (widely adopted in the retail and service sectors) whereby individuals may benefit from discounts, reward points, or promotional advantages during shopping merely by declaring a mobile phone number or loyalty card number, without requiring the physical presence of the data subject and without incorporating any identity verification mechanism, has been deemed unlawful.
In its assessment, the Board determined that third parties’ ability to conduct transactions through another person’s membership solely by declaring a number does not rely on any of the legal grounds for data processing set forth under Article 5 of Law No. 6698 on the Protection of Personal Data. The Board further concluded that such practice results both in the unlawful processing of personal data and in the creation of records within the data controller’s systems without the data subject’s consent.
Moreover, it was expressly emphasized that recording sensitive customer transaction details (such as purchased products, transaction date, and store location) arising from purchases made by third parties under the account of the actual cardholder, and issuing invoices in the name of that cardholder, directly violates the principle that personal data must be “accurate and, where necessary, kept up to date” as regulated under Article 4 of the Law.
The Board also stated that attempts by data controller companies to shift responsibility onto customers by including provisions in loyalty card membership agreements stipulating that “the responsibility for the use and safekeeping of the card belongs to the member” do not eliminate their obligation under Article 12 of the Law to implement appropriate technical and administrative measures to ensure data security.
Accordingly, in order to safeguard data security, the establishment of layered authentication mechanisms has been mandated. Such mechanisms include, inter alia: sending a one-time verification code (OTP) via SMS; scanning a dynamic QR code or barcode through a mobile application; presentation of a physical card; entry of a password on the point-of-sale device; and offering customers “opt-in” preferences regarding which transactions (e.g., only earning points or only receiving discounts) may be carried out without verification.
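As an added illustration (not part of the Decision or of any retailer's system), the following Python sketch shows how a loyalty back end could enforce two of the mandated controls together: a short-lived, single-use OTP check before a transaction is booked against a member's account, and a per-member opt-in list of transaction types that may run on number declaration alone. The class and member names, the transaction types, and the 120-second OTP validity window are assumptions chosen for the example; the OTP delivery channel (SMS) is out of scope and is simulated by returning the code to the caller.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field

# Assumed validity window for an OTP; the Decision does not prescribe one.
OTP_TTL_SECONDS = 120


@dataclass
class Member:
    """Loyalty member keyed by the declared phone number (constructed data)."""
    phone: str
    points: int = 0
    # Opt-in preferences: transaction types the member has explicitly allowed
    # to be executed on number declaration alone, without verification.
    no_verify_allowed: set = field(default_factory=set)


class LoyaltyService:
    """Hypothetical loyalty back end: OTP-gated unless the member opted in."""

    def __init__(self, members, clock=time.time):
        self.members = {m.phone: m for m in members}
        self.clock = clock  # injectable for deterministic tests
        self._pending = {}  # phone -> (sha256(otp), expiry timestamp)

    def request_otp(self, phone):
        """Issue a fresh 6-digit OTP. Only a hash is retained server-side;
        in production the code goes to the member's phone via SMS and is
        never shown to the point-of-sale operator."""
        if phone not in self.members:
            return None
        otp = f"{secrets.randbelow(10**6):06d}"
        digest = hashlib.sha256(otp.encode()).hexdigest()
        self._pending[phone] = (digest, self.clock() + OTP_TTL_SECONDS)
        return otp

    def _verify_otp(self, phone, otp):
        """Single-use, time-limited, constant-time comparison."""
        entry = self._pending.pop(phone, None)  # pop: an OTP is consumed once
        if entry is None or otp is None:
            return False
        digest, expiry = entry
        if self.clock() > expiry:
            return False
        candidate = hashlib.sha256(otp.encode()).hexdigest()
        return hmac.compare_digest(digest, candidate)

    def transact(self, phone, tx_type, points, otp=None):
        """Book a loyalty transaction. Returns (accepted, reason).

        A transaction runs without verification only if the member opted
        that transaction type in; otherwise a valid OTP is required before
        any record is written to the member's account."""
        member = self.members.get(phone)
        if member is None:
            return False, "unknown member"
        if tx_type not in member.no_verify_allowed:
            if not self._verify_otp(phone, otp):
                return False, "verification required"
        if tx_type == "earn_points":
            member.points += points
        elif tx_type == "redeem_points":
            if member.points < points:
                return False, "insufficient points"
            member.points -= points
        elif tx_type == "discount":
            pass  # discount applied at checkout; no balance change here
        else:
            return False, "unknown transaction type"
        return True, "ok"


if __name__ == "__main__":
    # Constructed member who allows point earning, but not redemption,
    # on number declaration alone.
    svc = LoyaltyService([Member("+900000000000", points=50,
                                 no_verify_allowed={"earn_points"})])
    print(svc.transact("+900000000000", "earn_points", 10))           # (True, 'ok')
    print(svc.transact("+900000000000", "redeem_points", 20))         # (False, 'verification required')
    code = svc.request_otp("+900000000000")
    print(svc.transact("+900000000000", "redeem_points", 20, otp=code))  # (True, 'ok')
```

The two design points worth noting: the server stores only a hash of the OTP and consumes it on first use, so a replayed or leaked code cannot be reused; and the opt-in check is evaluated before any state change, so a number-only request for a non-opted-in transaction type never creates a record in the member's account.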
In line with this Principle Decision, all data controllers have been granted a six-month compliance period as of the date of publication of the Decision. It has been publicly announced that, pursuant to Article 18 of the Law, substantial administrative fines will be imposed on businesses that fail to establish the necessary technical infrastructure by 28 August 2026 and continue to process transactions based on uncontrolled number declarations.
The full text of the Decision is available at the following link:
https://www.resmigazete.gov.tr/eskiler/2026/02/20260228-5.pdf