- within Transport topic(s)
I. Transactions Without Verification Deemed a Violation of the PDPL
The Personal Data Protection Board ("Board"), through its resolution dated 11 February 2026, has explicitly deemed a long-standing practice in loyalty card programmes to be unlawful. The Resolution gives rise to serious legal risks for all data controllers using loyalty systems, particularly in the food, cosmetics, technology, home improvement, and apparel sectors.
II. The Practice Subject to the Resolution
In numerous complaints submitted to the Board, it has been determined that mobile phone numbers or loyalty card numbers belonging to customers were used by third parties at the point of sale without the knowledge and consent of the data subject, and that the transactions were completed without any verification mechanisms being in place.
As a result of this practice:
- Transaction records relating to the purchase were logged to the cardholder's account,
- Invoices were issued in the cardholder's name,
- Inaccurate customer transaction data was generated.
Consequently, personal data was being processed and recorded without the knowledge or intention of the data subject.
III. The Board's Legal Assessment
The Board clearly established that the practice in question:
- was not based on a valid legal ground for data processing under Article 5 of the PDPL,
- violated the principle of "being accurate and kept up to date where necessary" as set out in Article 4 of the PDPL,
- was incompatible with the obligation to ensure personal data security imposed on data controllers under Article 12 of the PDPL.
Furthermore, the Board specifically emphasized that provisions in membership agreements stating that loyalty cards may not be used by third parties do not relieve the data controller of its obligation to implement technical and administrative measures.
IV. Obligations Imposed on Data Controllers
The Board has established as an obligation the implementation of a secure mechanism to verify that the loyalty card is used only by the cardholder or with the cardholder's explicit consent at the time of purchase.
Methods that may be applied in this regard include:
- A one-time verification code sent via SMS,
- QR/barcode scanning through a mobile application,
- Presentation of a physical card,
- Use of a password/PIN,
The Board has not mandated a single solution, noting that different verification methods may be preferred depending on the customer profile, transaction type, and level of risk.
V. Compliance Period and Risk of Sanctions
The Resolution was published in the Official Gazette on 28 February 2026. A six-month compliance period has commenced from that date, and data controllers are required to implement the necessary technical and administrative measures by no later than 28 August 2026.
Data controllers that fail to fulfill their obligations within the specified period may be subject to administrative fines under Article 18 of the PDPL, ranging from TRY 427,263 to TRY 17,092,242 as of 2026.
VI. Assessment
It is important for companies operating loyalty card programmes to conduct a comprehensive review of their current sales and verification processes, establish appropriate verification mechanisms, and update their technical and administrative measures relating to personal data security.
As the Resolution may give rise to a risk of administrative sanctions for all data controllers operating loyalty card programmes - particularly in the food, cosmetics, technology, home improvement, and apparel sectors - we recommend that compliance efforts be planned and completed within the prescribed period.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
[View Source]