Legal Alert

A Major Shift in Loyalty Card Practices: Mandatory Verification Requirement Introduced by the Turkish Personal Data Protection Authority

2 March 2026

On 28 February 2026, the Turkish Personal Data Protection Board (“Board”) published its Principle Decision dated 11.02.2026 and numbered 2026/266 (“Decision”), introducing a significant regulation concerning loyalty card programs. The Decision addresses the use of a loyalty card holder’s mobile phone number or loyalty card number by third parties during shopping transactions without any verification mechanism.

  1. Background of the Decision

In complaints and notifications submitted to the Turkish Personal Data Protection Authority (“Authority”), it was identified that in numerous sectors — particularly retail, food, cosmetics, technology, and apparel — third parties were able to provide the loyalty card holder’s mobile phone number or card number to the cashier and thereby:

  • Benefit from discounts and promotions,
  • Earn loyalty points,
  • Have invoices issued in the name of the card holder,
  • Have transaction data recorded in the relevant person’s membership account.

It was determined that these transactions were mostly carried out without any secondary verification mechanism, such as an SMS verification code, mobile application approval, or QR/barcode scanning.

  2. Legal Assessment of the Board

The Board evaluated the practice as follows:

  • Lawfulness in Terms of Processing Conditions

The Board concluded that the practice does not rely on any of the personal data processing conditions set forth under Article 5 of the Turkish Law No. 6698 on the Protection of Personal Data (“Law”) and therefore constitutes unlawful data processing.

  • Violation of General Principles

With respect to transactions conducted without the data subject’s knowledge and consent, particularly:

  • Issuing invoices in the name of the data subject,
  • Recording customer transaction data in the data subject’s account,

the Board determined that such practices violate the principle of being “accurate and, where necessary, kept up to date” regulated under Article 4 of the Law.

  • Data Security Obligation

Although loyalty card membership agreements may include provisions prohibiting the sharing of cards with third parties, the Board emphasized that such contractual clauses do not eliminate the data controller’s obligation to ensure personal data security pursuant to Article 12 of the Law.

  3. Obligations Introduced by the Principle Decision

The Board resolved that practices allowing the use of a loyalty card holder’s mobile phone number or card number by third parties without verification must be terminated.

Obligations of Data Controllers

Within the scope of loyalty card applications, data controllers must implement appropriate technical and administrative measures to verify that the following transactions are carried out with the knowledge and consent of the relevant data subject:

  • Membership verification
  • Earning points
  • Spending points
  • Use of discounts and promotions

In this context, possible mechanisms may include:

  • One-time verification codes sent via SMS
  • In-app approval through mobile applications
  • QR/barcode scanning
  • Tiered verification systems based on transaction risk

Additionally, alternative verification methods may be offered by taking into account the characteristics of different categories of data subjects (such as age, technological literacy, and economic conditions).

  4. Compliance Period and Sanctions

The Board granted a 6-month compliance period starting from the publication of the Principle Decision in the Official Gazette.

Data controllers who fail to implement the required technical and administrative measures within this period and continue non-compliant practices may be subject to administrative sanctions under Article 18 of the Law.

  5. Recommended Actions for Companies

Companies operating loyalty card programs are advised to:

  1. Analyze their current loyalty card usage processes,
  2. Assess the adequacy of existing verification mechanisms,
  3. Establish a risk-based transaction verification policy.
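As an added illustration, not part of this Legal Alert and not a prescribed implementation, the following Python sketch shows how the verification mechanisms listed under the data controllers’ obligations (SMS one-time codes, in-app or QR/barcode presence proofs, tiered verification by transaction risk) and the risk-based transaction verification policy recommended above could fit together at the point of sale. The thresholds, the server key, the member secret and the member identifiers are constructed assumptions; a bare declaration of a phone or card number is never accepted on its own, and the tier only decides which proof is acceptable.

```python
"""Risk-tiered verification for loyalty card transactions (constructed example)."""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from enum import Enum

# Constructed values for the example; real key material and thresholds belong in configuration.
SERVER_KEY = b"constructed-server-key-not-for-production"
OTP_TTL_SECONDS = 120          # assumed validity window of an SMS one-time code
OTP_MAX_ATTEMPTS = 3           # assumed lock-out after this many wrong guesses
LOW_RISK_LIMIT = 500.0         # assumed basket value above which earning points / discounts need an OTP


class Action(str, Enum):
    MEMBERSHIP_LOOKUP = "membership_lookup"
    EARN_POINTS = "earn_points"
    SPEND_POINTS = "spend_points"
    DISCOUNT = "discount"
    INVOICE_IN_NAME = "invoice_in_name"


class Tier(Enum):
    LOW = "low"     # presence proof (QR/barcode or in-app approval) or OTP is acceptable
    HIGH = "high"   # only an OTP sent to the registered mobile number is acceptable


ACCEPTED_PROOFS = {Tier.LOW: ("presence", "otp"), Tier.HIGH: ("otp",)}


def required_tier(action: Action, amount: float) -> Tier:
    """Risk-based policy: every action needs some verification; the step escalates with impact."""
    if action in (Action.SPEND_POINTS, Action.INVOICE_IN_NAME):
        return Tier.HIGH          # value leaves the account or a document is issued in the member's name
    if action in (Action.EARN_POINTS, Action.DISCOUNT) and amount > LOW_RISK_LIMIT:
        return Tier.HIGH
    return Tier.LOW


@dataclass
class OtpRecord:
    digest: str
    expires_at: float
    attempts: int = 0


class OtpService:
    """Issues and checks SMS-style one-time codes; only an HMAC of each code is stored."""

    def __init__(self, now=time.time):
        self._now = now
        self._pending = {}        # member_id -> OtpRecord

    @staticmethod
    def _digest(member_id: str, code: str) -> str:
        return hmac.new(SERVER_KEY, f"{member_id}:{code}".encode(), hashlib.sha256).hexdigest()

    def issue(self, member_id: str) -> str:
        code = f"{secrets.randbelow(10**6):06d}"
        self._pending[member_id] = OtpRecord(self._digest(member_id, code), self._now() + OTP_TTL_SECONDS)
        return code               # handed to the SMS gateway, never shown to the cashier

    def verify(self, member_id: str, code: str) -> bool:
        rec = self._pending.get(member_id)
        if rec is None:
            return False
        if self._now() > rec.expires_at or rec.attempts >= OTP_MAX_ATTEMPTS:
            del self._pending[member_id]      # expired or locked out: a fresh code must be issued
            return False
        rec.attempts += 1
        if hmac.compare_digest(rec.digest, self._digest(member_id, code)):
            del self._pending[member_id]      # single use
            return True
        return False


def presence_token(member_secret: bytes, now: float, step: int = 60) -> str:
    """Short-lived token the member's own app renders as a QR/barcode; the server recomputes it."""
    bucket = int(now // step)
    return hmac.new(member_secret, bucket.to_bytes(8, "big"), hashlib.sha256).hexdigest()[:16]


def verify_presence(member_secret: bytes, token: str, now: float, step: int = 60) -> bool:
    for t in (now, now - step):               # accept the previous interval to tolerate clock skew
        if hmac.compare_digest(presence_token(member_secret, t, step), token):
            return True
    return False


def authorize(action, amount, member_id, otp_service, member_secret, now, *, otp_code=None, qr_token=None) -> bool:
    """Decide whether a loyalty transaction may proceed; the phone/card number alone never suffices."""
    tier = required_tier(action, amount)
    if otp_code is not None and "otp" in ACCEPTED_PROOFS[tier]:
        return otp_service.verify(member_id, otp_code)
    if qr_token is not None and "presence" in ACCEPTED_PROOFS[tier]:
        return verify_presence(member_secret, qr_token, now)
    return False
```

The policy treats spending points and issuing an invoice in the member’s name as high risk regardless of amount, because those are the transactions the Board singled out as affecting the accuracy of the data subject’s records; earning points and discounts on small baskets accept a presence proof from the member’s own device, which is one way to offer a lighter alternative to data subjects for whom SMS codes are impractical.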

Conclusion

The Principle Decision dated 28.02.2026 qualifies the widely used practice of processing transactions solely based on the declaration of a phone number as unlawful and introduces an explicit verification obligation for data controllers.

The Decision requires significant operational and technical adjustments, particularly for data controllers operating in the retail sector. Given the limited compliance period, companies are advised to take prompt action.

You may access the full text of the Principle Decision published by the Personal Data Protection Authority via the link below.

Principle Decision on the Use, During Shopping, of the Mobile Phone Number or Loyalty Card Number of a Person Holding a Loyalty Card Membership by a Third Party | Personal Data Protection Authority (original title: Sadakat Kart Üyeliği Bulunan Bir Kişinin Cep Telefonu Numarasının veya Sadakat Kart Numarasının Üçüncü Bir Kişi Tarafından Alışveriş Esnasında Kullanılması Hakkında İlke Kararı | Kişisel Verileri Koruma Kurumu)

For detailed information and professional support during the compliance process, feel free to contact us.

This Legal Alert has been prepared for general information purposes only on current legal issues, and the evaluations contained in this Legal Alert do not constitute legal advice or a legal opinion. No liability may be imposed on SRP-Legal Law Office due to the content of this Legal Alert. It is recommended to obtain the opinion of a legal advisor regarding your questions and enquiries within the scope of this Legal Alert.