Principle Decision on Sending Verification Code via SMS was published by the Personal Data Protection Board

6/30/2025

All News
  • Home Page
  • |
  • News
  • |
  • Principle Decision on Sending Verification Code via SMS was published by the Personal Data Protection Board
In its principle decision dated 10 June 2025 and numbered 2025/1072 (“Principle Decision”), the Personal Data Protection Board (“Board”) set out the principles regarding the processing of personal data in the context of sending verification codes via SMS to data subjects during the provision of products and services. The Principle Decision is published in the Official Gazette dated 26 June 2025 and numbered 32938 and on the official website of the Personal Data Protection Authority.

What Are the Principles Have Been Introduced Under the Scope of the Principle Decision?

In response to numerous complaints and notices submitted to the Board, allegations were evaluated regarding the practice in which SMS verification codes are sent to individuals during checkout in physical stores, creating the impression that such codes are mandatory for completing the purchase. However, in practice, these codes were allegedly entered into the system by the data controller to obtain consent for commercial electronic messages.

Following its assessment, the Board identified that, in relation to the SMS messages containing verification codes sent to data subjects:
  • either the data controller or its authorized representatives failed to provide proper information as required, and/or
  • although the code was obtained for the purpose of securing explicit consent for the delivery of commercial electronic messages, it was presented as a prerequisite for completing the purchase, thereby misleading the data subjects.
Within this context, the Board set out the principles to be followed in the processing of personal data during the process of obtaining consent for commercial electronic communications through SMS verification codes, in line with its previous decisions and the Authority’s prior public statements. Accordingly, in summary:

(i) data subjects must be clearly informed about the purpose and consequences of the SMS verification code, and appropriate information channels must be provided within the SMS content;
(ii) the processes of providing information and obtaining explicit consent must be clearly separated, and explicit consent must be obtained individually for each data processing activity that requires such consent, in compliance with the conditions set forth in the Law;
(iii) in order to avoid giving the impression that consent is a prerequisite, explicit consent should be obtained after the completion of the purchase transaction, or if collected during the SMS process, data subjects must be informed that providing consent is not mandatory and that they retain the right to change or withdraw it at any time.

Conclusion

The principles required to be followed during the SMS verification code process, as set forth under the Principle Decision, had already been clearly articulated in the Board’s previous decisions and in the public announcement made by the Authority in 2023. Nevertheless, the continued application of these practices in the field appears to have been a determining factor in the Board’s decision to issue a Principle Decision on the matter.

Moreover, in addition to its earlier statements, the Principle Decision includes a new and significant provision from a practical standpoint: where the approval code is sent via SMS before the completion of the purchase, the SMS content must explicitly state that the data subject is not obligated to give consent and that their preferences can be changed at any time.

In conclusion, failure to comply with the requirements set forth in the Principle Decision may result in administrative sanctions due to the data controller’s failure to take the necessary technical and administrative measures, as stipulated under Article 12 of the Law.

The Principle Decision published by the Board can be accessed here.

Işılay Işık, Associate
Cemile Tekdemir, Trainee Lawyer


Other News
5/29/2025
Regulation Amending the Regulation on Distance Contracts Published
The “Regulation Amending the Regulation on Distance Contracts” (“Amendment Regulation”), issued by the Ministry of Trade and published in the Official Gazette dated May 24, 2025, and numbered 32909, introduces new provisions regarding consumers’ right of withdrawal in distance sales contracts. These amendments to the Regulation on Distance Contracts (“”), which was originally enacted based on Articles 48 and 84 of the Law No. 6502 on the Protection of Consumers (“Law”), will come into effect on January 1, 2026.
News| Legal Updates
3/19/2025
COMMUNIQUÉS ON CRYPTO ASSET SERVICE PROVIDERS HAVE BEEN PUBLISHED
The Communiqué on the Establishment and Operational Principles of Crypto Asset Service Providers (III-35/B.1) and the Communiqué on the Working Procedures, Principles, and Capital Adequacy of Crypto Asset Service Providers (III-35/B.2), which have been prepared by the Capital Markets Board (“Board”), have been published in the Official Gazette dated March 13, 2025. These communiqués have set out the procedures and principles regarding the establishment, commencement of operations, activities, and suspension of activities of crypto asset service providers.
News| Legal Updates
1/20/2025
New Regulations Introduced in the Classification of Goods and Services for Trademark Applications Under Communiqué No. 2024/2
The Turkish Patent and Trademark Office (“TÜRKPATENT”) has revised the List of Goods and Services for trademark applications. The changes were published in the Communiqué on the Classification of Goods and Services for Trademark Applications No. 2024/2 (“Communiqué”) in the Official Gazette dated 20 December 2024 and numbered 32758, entering into force as of its publication date. This regulation repealed the previous Communiqué No. 2016/2, published in the Official Gazette dated 30 December 2016 and numbered 29934.
News| Legal Updates
11/8/2024
E-Government Lease Agreement Period Begins
The Ministry of Treasury and Finance (“Ministry”) announced that a new service (“Service”) will be introduced for the execution of lease agreements via e-Government and the Service is planned in two phases.

The first phase was introduced via e-Government as of 04.11.2024 and the second phase is expected to be introduced at the end of the year.
News| Legal Updates
10/23/2024
New Regulations Have Been Introduced Regarding Lease Payments in Residential and Workplaces
With the Income Tax General Communiqué published in the Official Gazette No. 32695 on October 17, 2024, and came into effect on the same date, an obligation for certification (providing with documentation) has been introduced in lease payments related to residential and workplaces, along with penalties for violations of this obligation.
News| Legal Updates
10/16/2024
Significant Amendments Made Regarding Work Permit Evaluation Criteria
In accordance with the annex to the Regulation on the Implementation of the International Workforce Law (“Regulation”) published in the Official Gazette dated 02.02.2022 and numbered 31738, the “Work Permit Evaluation Criteria” used by the Ministry of Labor and Social Security (“Ministry”) during the evaluation process of work permit applications have been updated pursuant to Article 22 of the Regulation.
News| Legal Updates
10/15/2024
Amendments Have Been Made to the Regulation on Business Opening and Operating Licenses
The Regulation Amending the Regulation on Business Opening and Operating Licenses (“Amendment Regulation”), which was published in the Official Gazette No. 32688 dated October 10, 2024, and came into effect on the same date, has introduced several changes to the relevant provisions of the Regulation on Business Opening and Operating Licenses (“Regulation”).
News| Legal Updates
10/9/2024
Amendment to the Communiqué on the Protection of the Value of the Turkish Currency No. 32
Communiqué (Communiqué No: 2024-32/70) Amending the Communiqué on the Decree No: 32686 on the Protection of the Value of Turkish Currency (Communiqué No: 32686) published in the Official Gazette dated 08.10.2024 and numbered 2024-32/70), which entered into force on the date of its publication.
News| Legal Updates
8/8/2024
Important Amendments to the Animal Protection Law and Our Opinions
The Law on Amendments to the Animal Protection Law (“Law Amendment”), which involves changes to the Animal Protection Law No. 5199 (“Law”), was published in the Official Gazette on August 2, 2024, and came into effect on the same date.

This article has been prepared to summarize and comment on the significant changes.
News| Legal Updates
8/7/2024
Amendments to Customs Law No. 4458
The Decision Concerning the Amendment to the Decision on the Implementation of Certain Articles of the Customs Law No. 4458 ("Decision Amendment") was published in the Official Gazette, and the changes brought by the Decision Amendment will come into force as of August 21, 2024.
News| Legal Updates
7/31/2024
Enforced Collection of Social Security Institution’s Receivables
News| Legal Updates
7/22/2024
Recent Important Decisions by the Board of Advertisement
Advertisements must comply with the principles determined by the Board of Advertisement (“Board”) operating under the General Directorate of Consumer Protection and Market Surveillance of the Ministry of Trade, and must be appropriate to general morality, public order, personal rights, and must be truthful and honest.
News| Legal Updates
Expertise
Sectors
Insights & News
Insights
Covid-19 Legal Guide
Corporate
Contact Us
Subscribe to our Newsletters
All Rights Reserved. © 2020