PDPB Principal Decision On Verification Mechanisms ın Loyalty Card Programs Has Been Published

3/9/2026

All News
  • Home Page
  • |
  • News
  • |
  • PDPB Principal Decision On Verification Mechanisms ın Loyalty Card Programs Has Been Published
The Personal Data Protection Board's ("Board") Principal Decision dated 11 February 2026 and numbered 2026/266, titled "Principal Decision on the Use of the Mobile Phone Number or Loyalty Card Number of a Loyalty Card Member by a Third-Party During Shopping" ("Principal Decision"), has been published in the Official Gazette dated 28 February 2026 and numbered 33182.
The Principal Decision evaluated practices in loyalty card programs widely used across various sectors primarily food, cosmetics, technology, clothing and DIY/building materials retail whereby the mobile phone number or loyalty card number belonging to a loyalty card holder is provided to the cashier by a third-party during shopping, and a transaction is completed without any verification.

In the examinations carried out by the Board, it was determined that within the scope of such practices:
  • Third parties can carry out purchase transactions without the knowledge and consent of the loyalty card holder,
  • Invoices or similar documents issued because of these transactions can in many cases be issued in the name of the loyalty card holder,
  • Customer transaction information relating to the purchase (such as the product or service purchased and the date of purchase) can be recorded to the loyalty card holder's membership account.

The Board assessed that this practice may give rise to unlawful data processing activities and personal data breaches under Law No. 6698 on the Protection of Personal Data ("Law"). In this context, it was noted that recording customer transaction information relating to a purchase not carried out by the data subject themselves to that person's account may constitute a violation of the principle of "accuracy and being up to date when necessary" as regulated under Article 4 of the Law, and that such data processing activity does not rely on any of the data processing conditions set out under Article 5 of the Law.

Furthermore, the Board stated that the inclusion of provisions in loyalty card membership agreements prohibiting the use of the card by third parties does not eliminate the data controller's obligation to ensure personal data security under Article 12 of the Law.

In this context, the Principal Decision sets out that data controllers are required to:
  • Discontinue practices that allow the mobile phone number or loyalty card number of the loyalty card holder to be used by third parties without any verification,
  • Establish appropriate technical and administrative mechanisms to verify that purchase transactions carried out through the loyalty card are conducted with the knowledge and consent of the data subject.

The Board also stated that data controllers may make use of various verification methods when establishing such mechanisms, including:

  • Sending a one-time verification code (OTP) via SMS,
  • Scanning a barcode or QR code via a mobile application or website,
  • Physical card presentation,
  • Using a loyalty card password (PIN).
It was further noted that different verification mechanisms may be preferred depending on the type of transaction and the level of risk.

Under the Principal Decision, data controllers have been granted a 6-month compliance period from the date of publication of the Principal Decision in the Official Gazette to bring their loyalty card practices into compliance with the Law by taking the necessary technical and administrative measures. Data controllers who continue such practice without taking the necessary measures within this period may be subject to administrative sanctions under Article 18 of the Law.

You can access the Principal Decision published in the Official Gazette here
Other News
2/12/2026
Turnover Thresholds Required For Competition Authority Approval In Merger And Acquisition Transactions Updated
The Communiqué Amending the Communiqué Concerning the Mergers and Acquisitions Calling for the Authorization of the Competition Board (“Merger and Acquisition Communiqué”) (Communiqué No: 2026/2) (“Amending Communiqué”) was published in the Official Gazette dated 11 February 2026 and entered into force on the date of publication.
News| Legal Updates
1/19/2026
Proposal on the Amendment of the Personal Data Protection Law
News| Legal Updates
12/11/2025
The Personal Data Protection Board Published a Principal Decision on the Recording of Photocopies of Turkish Identity Cards of Individuals Receiving Accommodation Services in the Tourism and Hospitality Sector
The Personal Data Protection Board (“Board”) published its Principal Decision dated 6 November 2025 and numbered 2025/2120 on the Recording of Photocopies of Turkish Identity Cards of Individuals Receiving Accommodation Services in the Tourism and Hospitality Sector (“Principal Decision”) in the Official Gazette dated 9 December 2025 and numbered 33102, as well as on the website of the Personal Data Protection Authority (“Authority”)
News| Legal Updates
10/21/2025
Obligations of Companies under the Cybersecurity Law
Türkiye’s first binding regulation on cybersecurity — Law No. 7545 on Cybersecurity — came into effect on March 19, 2025. The law introduces both technical and administrative obligations for companies operating in the private sector.
News| Legal Updates
10/1/2025
An Exemption Criterion Has Been Published by the Personal Data Protection Board for Data Controllers Whose Main Activity Is the Processing of Special Categories of Personal Data Regarding the Obligation to VERBİS Registration
The Personal Data Protection Board (“Board”) has updated the exemption criterion specified in its decision dated 06.07.2023 and numbered 2023/1154, which regulates exemptions from the obligation of data controllers to register with the Data Controllers’ Registry Information System (VERBİS), through its decision dated 04.09.2025 and numbered 2025/1572, published today in the Official Gazette (“Update Decision”).
News| Legal Updates
8/1/2025
How Will the Transition to the Electronic Commercial Ledger System (“ETDS”) Take Place?
With the “Communiqué on the Keeping of Commercial Ledgers Not Related to the Accounting of the Enterprise in Electronic Format” (“Communiqué”), published in the Official Gazette dated 14 February 2025 and numbered 32813, the obligation to keep certain commercial ledgers in electronic format has been introduced for specific companies. The aim is to ensure the secure storage of ledgers in a digital environment, facilitate access and auditing, and reduce the need for notary procedures.
News| Legal Updates
6/30/2025
Principle decision on sending verification code via sms has been published by Personal Data Protection Board
In its principle decision dated 10 June 2025 and numbered 2025/1072 (“Principle Decision”), the Personal Data Protection Board (“Board”) set out the principles regarding the processing of personal data in the context of sending verification codes via SMS to data subjects during the provision of products and services. The Principle Decision is published in the Official Gazette dated 26 June 2025 and numbered 32938 and on the official website of the Personal Data Protection Authority.
News| Legal Updates
5/29/2025
Regulation Amending the Regulation on Distance Contracts Published
The “Regulation Amending the Regulation on Distance Contracts” (“Amendment Regulation”), issued by the Ministry of Trade and published in the Official Gazette dated May 24, 2025, and numbered 32909, introduces new provisions regarding consumers’ right of withdrawal in distance sales contracts. These amendments to the Regulation on Distance Contracts (“”), which was originally enacted based on Articles 48 and 84 of the Law No. 6502 on the Protection of Consumers (“Law”), will come into effect on January 1, 2026.
News| Legal Updates
3/19/2025
COMMUNIQUÉS ON CRYPTO ASSET SERVICE PROVIDERS HAVE BEEN PUBLISHED
The Communiqué on the Establishment and Operational Principles of Crypto Asset Service Providers (III-35/B.1) and the Communiqué on the Working Procedures, Principles, and Capital Adequacy of Crypto Asset Service Providers (III-35/B.2), which have been prepared by the Capital Markets Board (“Board”), have been published in the Official Gazette dated March 13, 2025. These communiqués have set out the procedures and principles regarding the establishment, commencement of operations, activities, and suspension of activities of crypto asset service providers.
News| Legal Updates
1/20/2025
New Regulations Introduced in the Classification of Goods and Services for Trademark Applications Under Communiqué No. 2024/2
The Turkish Patent and Trademark Office (“TÜRKPATENT”) has revised the List of Goods and Services for trademark applications. The changes were published in the Communiqué on the Classification of Goods and Services for Trademark Applications No. 2024/2 (“Communiqué”) in the Official Gazette dated 20 December 2024 and numbered 32758, entering into force as of its publication date. This regulation repealed the previous Communiqué No. 2016/2, published in the Official Gazette dated 30 December 2016 and numbered 29934.
News| Legal Updates
11/8/2024
E-Government Lease Agreement Period Begins
The Ministry of Treasury and Finance (“Ministry”) announced that a new service (“Service”) will be introduced for the execution of lease agreements via e-Government and the Service is planned in two phases.

The first phase was introduced via e-Government as of 04.11.2024 and the second phase is expected to be introduced at the end of the year.
News| Legal Updates
10/23/2024
New Regulations Have Been Introduced Regarding Lease Payments in Residential and Workplaces
With the Income Tax General Communiqué published in the Official Gazette No. 32695 on October 17, 2024, and came into effect on the same date, an obligation for certification (providing with documentation) has been introduced in lease payments related to residential and workplaces, along with penalties for violations of this obligation.
News| Legal Updates
Expertise
Sectors
Insights & News
Insights
Covid-19 Legal Guide
Corporate
Contact Us
Subscribe to our Newsletters
All Rights Reserved. © 2020