Announcements

Pursuant to the Decision of the Personal Data Protection Board concerning Loyalty Card Programs, published in the Official Gazette dated 28 February 2026 and numbered 33182, the practice -widely adopted in the retail and service sectors- whereby individuals may benefit from discounts, reward points, or promotional advantages during shopping merely by declaring a mobile phone number or loyalty card number, without requiring the physical presence of the data subject and without incorporating any identity verification mechanism, has been deemed unlawful.

In its assessment, the Board determined that third parties’ ability to conduct transactions through another person’s membership solely by declaring a number does not rely on any of the legal grounds for data processing set forth under Article 5 of Law No. 6698 on the Protection of Personal Data. The Board further concluded that such practice results both in the unlawful processing of personal data and in the creation of records within the data controller’s systems without the data subject’s consent.

Moreover, it was expressly emphasized that recording sensitive customer transaction details -such as purchased products, transaction date, and store location- arising from purchases made by third parties under the account of the actual cardholder, and issuing invoices in the name of that cardholder, directly violates the principle that personal data must be “accurate and, where necessary, kept up to date” as regulated under Article 4 of the Law.

The Board also stated that attempts by data controller companies to shift responsibility onto customers by including provisions in loyalty card membership agreements stipulating that “the responsibility for the use and safekeeping of the card belongs to the member” do not eliminate their obligation under Article 12 of the Law to implement appropriate technical and administrative measures to ensure data security.

Accordingly, in order to safeguard data security, the establishment of layered authentication mechanisms has been mandated. Such mechanisms include, inter alia: sending a one-time verification code (OTP) via SMS; scanning a dynamic QR code or barcode through a mobile application; presentation of a physical card, entry of a password on the point-of-sale device, and offering customers “opt-in” preferences regarding which transactions (e.g., only earning points or only receiving discounts) may be carried out without verification.

In line with this Principle Decision, all data controllers have been granted a six month compliance period as of the date of publication of the Decision. It has been publicly announced that, pursuant to Article 18 of the Law, substantial administrative fines will be imposed on businesses that fail to establish the necessary technical infrastructure by 28 August 2026 and continue to process transactions based on uncontrolled number declarations.

The full text of the Decision is available at the following link:
https://www.resmigazete.gov.tr/eskiler/2026/02/20260228-5.pdf 

The Personal Data Protection Authority (“Authority”) has issued a public announcement regarding push notifications sent through mobile applications.

Pursuant to Law No. 6698 on the Protection of Personal Data, mobile application providers are mandated to ensure that their data processing activities comply with the general principles set forth in Article 4 and the data processing conditions stipulated in Article 5 of the Law. While push notifications provide rapid information to users, they rely on the processing of personal data within the scope of permissions obtained from the data subject.

Based on investigations conducted following complaints submitted to the Authority, it has been determined that certain mobile application providers obtain “bundled consent” for multiple purposes through a single confirmation. These providers have been found to mandate notifications-  which are inherent to the service- alongside marketing content, thereby forcing users to accept promotional and advertising notifications as a condition for service.

The Authority has emphasized that conditioning the provision of a service upon consent for data processing purposes (such as marketing) that are not directly related to said service invalidates “free will” which is a fundamental element of explicit consent.

Stating that conditioning service delivery on consent for unrelated processing purposes is unlawful, the Authority emphasized that, in accordance with the principle of “granular explicit consent”, an independent and separate choice must be provided for each distinct data processing purpose. Furthermore, the Authority underlined that the technical infrastructure of mobile applications must be designed to support these requirements, granting users the ability to distinguish and manage the types of notifications they wish to receive.

The Authority announced to the public that failure to comply will result in the implementation of necessary technical and administrative measures within the framework of Article 12 of the Law.

You may access the full text of the announcement via the following link: https://www.kvkk.gov.tr/Icerik/8578/mobil-uygulamalar-uzerinden-gonderilen-anlik-bildirimlere-iliskin-kamuoyu-duyurusu 

In its decision dated 10 June 2025 and numbered 2025/1072, published in the Official Gazette, the Personal Data Protection Authority (“the Authority”) examined certain practices whereby data controllers, during the provision of services (such as making payments, creating accounts, registering for memberships, etc.), send verification codes to users via SMS and simultaneously obtain consent for the delivery of commercial electronic messages.

Upon evaluation, the Authority stated that the sending of verification codes via SMS must be strictly limited to the purpose of verification and that using this process as a means to obtain consent for commercial communications raises concerns in terms of the conditions required for obtaining explicit consent.

The decision emphasized that explicit consent, as defined under the Law, must relate to a specific subject matter, be based on informed choice, and be given freely. It was noted that, if consent is obtained during the verification process, it must be clearly and distinctly separated from the verification function, and the user must be adequately informed.

The Authority reiterated that in such practices, the processes concerning the processing of personal data and the sending of commercial electronic communications must be clearly separated, and that explicit consent must be obtained separately and in accordance with the legal requirements. Otherwise, the matter may be subject to further assessment within the scope of Law No. 6698 on the Protection of Personal Data.

The full text of the decision is available via the following link: https://www.resmigazete.gov.tr/eskiler/2025/06/20250626-7.pdf