The Personal Data Protection Authority Resolution No. 2025/1072, dated 10/06/2025, on the Processing of Personal Data by Sending a Verification Code to the Data Subjects via SMS During the Provision of Products and Services ("Decision"), has entered into force.
The uncertainty created by the phrase "You must enter the code received via SMS", which is frequently encountered at checkout or onboarding, appears to be coming to an end. In its Decision, the Board emphasized that the purpose of the SMS sent to data subjects' phones during processes related to the provision of products and services (such as making payments, opening accounts, creating memberships, making offers, and similar transactions) must be specified.
Furthermore, before a data subject provides the code sent via SMS, the data controller's officials must clearly and comprehensively inform the data subject of the consequences of providing the code.
As a continuation of this layered approach, data controllers must state in the SMS in question how to access detailed information, in order to fully satisfy the notification obligation.
The number of SMS messages that must be sent is increasing.
Practices that allow different processing activities, such as confirming a membership agreement, obtaining permission to process personal data, or obtaining consent for commercial electronic communications, to be carried out through a single action by sending a verification code via SMS to data subjects must come to an end.
Instead of requesting a single consent covering multiple processing activities that each require explicit consent, separate explicit consent must be obtained from data subjects by offering them options.
Accordingly, we are entering a period where separate SMS messages will be sent for commercial communication and for the processing of personal data.
Since the processes for obtaining explicit consent and fulfilling the obligation to provide information must be carried out separately, some data controllers may be required to send at least three separate SMS messages in one instance.
When explicit consent to send commercial electronic communications is obtained with an SMS verification code, the explicit consent must be related to a specific subject, based on information, and freely given.
The personnel involved in this process bear significant responsibilities to ensure that the procedures are managed in compliance with the law. Therefore, periodic training and awareness-raising activities must be conducted for personnel involved in these processes.