PRINCIPLE DECISION BY THE PERSONAL DATA PROTECTION BOARD ON THE USE OF LOYALTY CARD BY CUSTOMERS
A practice that has long been the subject of debate has now been clarified through a principle decision issued by the Personal Data Protection Board (“the Board”).
With the “Principle Decision on the Use of a Loyalty Card Holder’s Mobile Phone Number or Loyalty Card Number by a Third-Party During Purchases” (in Turkish “Sadakat Kart Üyeliği Bulunan Bir Kişinin Cep Telefonu Numarasının veya Sadakat Kart Numarasının Üçüncü Bir Kişi Tarafından Alışveriş Esnasında Kullanılması Hakkında İlke Kararı”) dated 11 February 2026 and numbered 2026/266, which was announced through publication in the Official Gazette dated 28 February 2026 and numbered 33182 (“the Decision”), it is stated that the Personal Data Protection Authority has received numerous notifications and complaints regarding the below issues:
- Within the scope of loyalty card programs carried out by data controllers in various sectors, primarily food, cosmetics, technology, building materials, and clothing; purchase transactions are carried out by a third party by providing the mobile phone number or loyalty card number of the data subject to the cashier during purchase, without the knowledge and consent of the data subject and without entering any transaction confirmation code into the system.
- Furthermore, as a result of purchases made through loyalty cards, invoices or similar documents are frequently issued in the name of the loyalty card holder, and customer transaction information related to the purchase (such as the product/service purchased and the purchase date) is entered into the records and/or membership account related to the data subject.
Accordingly, the Board decided to adopt a principle decision on this matter. The Board's assessment of the practice is as follows:
- The completion of a purchase in the name of the data subject by a third party, by informing the cashier of the data subject’s mobile phone number or loyalty card number without the card holder’s knowledge or consent, cannot be based on any of the data processing conditions set out in Article 5 of the Personal Data Protection Law No. 6698 (the “Law”), and therefore such act constitutes unlawful processing of personal data.
- Additionally, issuing an invoice or similar document in the name of the data subject and/or recording incorrect customer transaction information in the records or membership account of the data subject regarding a purchase that was not personally made by the data subject, and of which the data subject had no knowledge or to which the data subject gave no consent, would violate the principle of “being accurate and, where necessary, being up to date” (in Turkish “gerektiğinde doğru ve güncel olma”), which is among the general principles set forth in Article 4 of the Law.
- Although data controllers may impose an obligation on loyalty card holders through the Loyalty Card Membership Agreement not to allow third parties to use the loyalty card provided for their personal use, this shall not eliminate the obligation of data controllers to ensure the security of personal data as stipulated in Article 12 of the Law.
As a result, the Decision stipulates that:
- The practice allowing purchases to be made via loyalty cards without any verification, merely by a third party informing the cashier of the loyalty card holder’s mobile phone number or loyalty card number, shall be ceased.
- In order to ensure that personal data processing processes related to loyalty card transactions comply with the Law, data controllers must implement the necessary technical and administrative measures set out in Article 12 of the Law.
- Verification mechanisms must be established to confirm that purchases conducted by providing the loyalty card holder’s mobile phone number or loyalty card number to the cashier are carried out with the knowledge and consent of the data subject.
Examples of such verification mechanisms include:
- Sending a one-time verification code via SMS to the data subject’s mobile phone number, which must then be provided to the cashier before the loyalty card can be used for any purpose (such as membership creation, earning points, redeeming points, or benefiting from discounts/promotions);
- Scanning the barcode or QR code generated through a mobile application or website at the cashier;
- Presenting or scanning the physical loyalty card at the cashier;
- Entering the loyalty card password into the transaction device at the cashier;
- Providing data subjects with an “opt-in” preference option within the membership account created under loyalty card programs, allowing them to determine which transactions (such as earning points during shopping, benefiting from discounts or promotions, or redeeming points) may be performed during purchases solely by providing their mobile phone number.
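As an added illustration, not part of the Decision or of this note, the following Python sketch models a cashier-side check that combines two of the mechanisms listed above: a per-transaction-type opt-in preference, and a single-use, time-limited SMS code that the data subject must read out at the till. The member store, phone numbers and the SMS gateway are assumptions constructed for the example.

```python
import hmac
import secrets

# Transaction types the Decision names as candidates for an opt-in preference.
EARN_POINTS, DISCOUNT, REDEEM_POINTS = "earn_points", "discount", "redeem_points"


class LoyaltyVerifier:
    """Cashier-side gate: a spoken phone or card number alone is accepted only
    for transaction types the member opted in to; all else needs an SMS code."""

    def __init__(self, otp_ttl_seconds=120):
        self.otp_ttl = otp_ttl_seconds
        self.members = {}   # phone -> {"card": str, "phone_only": set()}  (constructed store)
        self._pending = {}  # phone -> (code, expiry timestamp)

    def enrol(self, phone, card, phone_only=()):
        self.members[phone] = {"card": card, "phone_only": set(phone_only)}

    def _lookup(self, identifier):
        for phone, m in self.members.items():
            if identifier in (phone, m["card"]):
                return phone, m
        return None, None

    def issue_otp(self, identifier, now):
        """Code an SMS gateway (not modelled) sends to the member's own number."""
        phone, _ = self._lookup(identifier)
        if phone is None:
            return None
        code = f"{secrets.randbelow(10**6):06d}"
        self._pending[phone] = (code, now + self.otp_ttl)
        return code

    def authorize(self, identifier, txn_type, now, otp=None):
        """Return (allowed, reason). A code is consumed by its first check."""
        phone, m = self._lookup(identifier)
        if m is None:
            return False, "unknown identifier"
        if otp is None:
            if txn_type in m["phone_only"]:
                return True, "member opted in for phone-only " + txn_type
            return False, "verification required"
        entry = self._pending.pop(phone, None)
        if entry is None:
            return False, "no pending code"
        code, expiry = entry
        if now > expiry:
            return False, "code expired"
        if not hmac.compare_digest(code, otp):
            return False, "wrong code"
        return True, "sms code verified"
```

Because the code is popped before it is compared, a wrong guess also invalidates it, so a third party cannot keep retrying against one issued code.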
Data controllers have been granted a six-month compliance period from the date of publication of the Decision in the Official Gazette, i.e. until 28 August 2026, to establish the aforementioned verification mechanisms.
Our Law Firm remains at your disposal for any further clarifications you may need.
Copyright © 2026 Cailliau&Colakel Attorney Partnership, All rights reserved.