PRINCIPLE DECISION ON THE PROCESSING OF PERSONAL DATA THROUGH SMS VERIFICATION CODES SENT TO DATA SUBJECTS DURING THE PROVISION OF PRODUCTS AND SERVICES HAS BEEN PUBLISHED BY THE PERSONAL DATA PROTECTION AUTHORITY

26.06.2025

As is known, the Personal Data Protection Authority (“Authority”) has previously informed and instructed data controllers on ensuring the lawfulness of personal data processing activities conducted by sending verification codes via SMS to data subjects during in-store shopping, through its public announcements dated 17 December 2021 and 13 November 2023 and the Personal Data Protection Board’s (“Board”) decision numbered 2023/1653, all of which were published on its official website. However, following numerous notices and complaints submitted to the Board indicating that such practices are still not being carried out lawfully, the Board has published, in its Principle Decision dated 10 June 2025 and numbered 2025/1072 (“Principle Decision”), announced in the Official Gazette dated 26 June 2025 and numbered 32938, the binding principles to be complied with by all data controllers involved in the following practices during in-store shopping transactions: (i) requesting the contact information of data subjects, (ii) subsequently sending a verification code via SMS to such data subjects, (iii) requesting the data subject to provide the code to the personnel or enter it into the system on the grounds that it is necessary for completing the payment, issuing an invoice, sending the invoice to the contact address, or updating contact information, and (iv) sending commercial electronic messages related to the activities of the data controller only after the completion of these steps.

As stated in the Principle Decision, it was found that within the context of SMS messages containing verification codes sent to data subjects during the processes of product and service provision in stores, data controllers had failed to fulfill their obligation to inform the data subjects and/or had given the impression that the codes were requested solely for the purposes of completing payments or updating information, while in reality, explicit consent was obtained from the data subjects in the form of commercial electronic communication approvals.

Accordingly, the Principle Decision concludes that presenting the provision of the verification code as a mandatory element of the shopping process would mislead the data subjects and impair the element of free will. In this regard, the following principles have been determined to ensure that the aforementioned activities are carried out lawfully:

  • In order to properly carry out the layered approach to informing data subjects regarding the provision of products and services, the purpose of requesting the SMS verification code and the consequences of sharing it with the data controller must be explicitly and reasonably communicated to the data subjects by the data controller’s personnel at the initial stage, and the required informative channels should also be included in the content of the SMS messages.
  • The practice of combining different data processing activities such as approval of a membership agreement, obtaining consent for personal data processing, and obtaining commercial electronic communication approval into a single action should be terminated. In this regard, separate explicit consent options must be provided for each processing activity that requires explicit consent, and the actions for obtaining such consent must be distinguished from the fulfillment of the obligation to inform.
  • In the event that a verification code is sent through SMS messages to obtain explicit consent for conducting commercial electronic communications, the explicit consent obtained through such means should meet all the requirements set forth under the Law numbered 6698 on the Protection of Personal Data (“Law”).
  • Within this regard, it must be explicitly stated that the consent given by sharing the verification code with the personnel is not required for the provision of the product or service, that the service shall continue even if the code is not provided, and that the permissions given via the code may be withdrawn / preferences may be changed at any time. Accordingly, it should be ensured that the explicit consent for commercial electronic communication is not perceived as a compulsory element for the provision of such products and services.
  • In order to ensure the lawfulness of the said activities, data controllers must conduct necessary training and awareness-raising activities periodically for the personnel involved in the relevant processes.

In addition to the principles set out above, the Principle Decision also indicates that:

  • within the scope of the previous announcements and decision, cash register transactions related to shopping have been concretized by giving examples of making payments, opening registrations, creating memberships, and generating offers, and
  • the condition that explicit consent for the processing of personal data for the purpose of sending commercial electronic messages should be obtained following the completion of the provision of the product or service has been expanded by stating that such consent may also be lawfully obtained before the completion of the service, provided that the SMS messages to be sent to the data subjects and/or the information provided in physical or digital mediums.

In the Principle Decision, the Board emphasized that if the principles outlined therein are not fulfilled, it shall initiate administrative proceedings under Article 18 of the Law, due to the data controller’s failure to comply with its obligation under Article 12(1) to take the necessary administrative and technical measures to ensure the lawfulness of the processing of personal data.

You may access the Principle Decision from here.