In order to evaluate the personal data processed within the loyalty programs, the "Draft Guideline on Processing of Personal Data in Loyalty Programs" ("Guideline") was drafted by the Turkish Personal Data Protection Authority and was published under the Turkish Personal Data Protection Board's ("Board") decision dated 18.05.2022 and numbered 2022/514 for public consultation.


After the development history and the currently applied types of loyalty programs, the loyalty programs are defined under the Guideline as:

"Programs that are offered by businesses providing goods/services or within the framework of a partnership program, are customer oriented, are implemented in order to get to know the customer by providing additional benefits to the customer in return for the goods/services purchased, are aimed at personalizing the goods/services offered to the customer, used for personalized advertising, used in product/business development processes and have features that benefit both the customer and the business as a result of their implementation."

After the examination of the actors of the loyalty programs and the basic concepts under the Personal Data Protection Law numbered 6698 ("PDPL"), the loyalty program operators are classified as data controllers and the real persons who are members of the loyalty programs as data subjects.

In accordance with the Guideline, personal data processed within the scope of loyalty programs are categorized under three headings: (i) data actively and voluntarily provided by customers such as name and contact information; (ii) data passively provided by customers such as IP and location information; and (iii) other data obtained through analysis from these two categories.


It is stated under the Guideline that an explicit consent is not required as a rule for the personal data processed in connection with the establishment and performance of a contract that is carried out within a loyalty program. However, in case a data such as name and contact information, which may be claimed to have been processed within the scope of the establishment of the contract, is subject to another data processing process such as 'customer profiling', it is not possible to rely on the legal basis of the establishment and performance of the contract. In addition, it is pointed out within the scope of the Guideline that the data required for the establishment and performance of the contract is subject to close interpretation.

Under the Guideline, it is stated by the Board that the personal data processing may be carried out on the legal basis of performance of the contract with the purposes of providing information to real persons such as calculating points within the scope of the loyalty program, giving information regarding the points earned and reminding the points that will expire. It is emphasized that for personal data to be processed within this scope, electronic commercial message approvals will not be sought as well as explicit consents in accordance with the Guidelines.

In order for the personal data within the loyalty programs to be processed on the legal basis of “legitimate interest”, “The conditions of the legitimate interest to be already certain, the fundamental rights and freedoms of the data subject to be not violated, the data controller to not have any other means that interfere less with the fundamental rights and freedoms of the data subject to achieve that legitimate interest are required to be met”. Regarding the legal basis of legitimate interest, reference is made under the Guideline to the review of the Lithuanian Data Protection Authority dated 2018 stating 'legitimate interest in terms of personal data within the scope of direct marketing strategies and profiling cannot be a legal basis, and therefore, data controllers are required to receive explicit consent'.

Under the Guideline, the obligation to receive explicit consent of the data subjects in order to benefit from the loyalty programs is also discussed under the title of 'conditioning the services on explicit consent'. Considering the regulations within the European Union, it is concluded that in cases where the loyalty programs are conditioned on explicit consent, the condition of explicit consent being based on free will does not disappear, since 'the case is not the product or service being offered, but the product or service being offered without any additional benefit'. However, this conclusion is not a general expression and it is annotated that 'the absence of explicit consent should not put the customers at a significant disadvantage' in order for a valid explicit consent.

It is stated under the Guideline that the personal data of persons who participate in loyalty programs through their memberships in social media applications are required to be processed in accordance with the general principles, especially data minimization and commitment to the purpose, even though their explicit consents have already been received.


The Board, together with the Guideline, underlined that the link between the purpose of data processing and the legal basis is required to be correctly forged, especially regarding the data processed by data controllers within the scope of the loyalty programs. In addition, data controllers must pay attention to the clarification and explicit consent texts to be separate from one another and that the explicit consents are received in a correct manner. Data controllers, for whatever reason, must carry out loyalty program activities in accordance with the general principles and data security measures stated under the PDPL. The Guideline published by the Board is open for public consultation until 16.07.2022.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.