The Turkish Personal Data Protection Board (the "Board") published its Principle Decision No. 2026/266, dated 11 February 2026 (the "Decision"), in the Official Gazette on 28 February 2026. The Decision addresses the use of loyalty card numbers or mobile phone numbers belonging to loyalty program members by third parties during shopping transactions without the data subject's knowledge or consent, as well as the data protection violations arising from such practices.

According to complaints and notifications submitted to the Board, in various sectors operating loyalty programs, including grocery retail, cosmetics, technology, apparel and home improvement, customers are able to obtain discounts or earn/redeem loyalty points at checkout merely by providing a mobile phone number or loyalty card number. In many cases, there is no mechanism in place to verify whether the transaction is actually carried out by the relevant data subject. As a result, invoices may be issued in the name of the loyalty card holder and transaction data may be recorded under that individual's membership account; in some cases, transactions may even take place without the data subject's knowledge or consent.

The Board considers that the practice in question cannot rely on any of the legal grounds for processing set out under Article 5 of the Personal Data Protection Law No. 6698 (the "Law"), constitutes a violation of the accuracy principle under Article 4, and is incompatible with the data security obligations set forth in Article 12. The Board further makes clear that allocating responsibility to the user under loyalty program agreements does not relieve the data controller of these statutory obligations.

In light of these findings, the Decision sets out three key obligations for data controllers:

discontinuing the use of loyalty card numbers or mobile phone numbers by third parties without the data subject's knowledge or consent;

implementing appropriate and effective verification mechanisms; and

putting such mechanisms into place within six months from the date of publication of the Decision.

The Decision emphasizes that the verification obligation must be designed in a concrete and practicable manner and refers to the following illustrative methods:

Sending an SMS verification code (OTP) at checkout;

Using a QR code or barcode via a mobile application or website;

Requiring presentation of the physical loyalty card;

Entering a loyalty card PIN; or

Offering transaction-based consent preferences (e.g., allowing number-based identification solely for point accrual while requiring additional verification for point redemption through opt-in mechanisms).

The Decision also notes that verification mechanisms may be structured in a tiered and differentiated manner, depending on the type of transaction and the associated level of risk.
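As an added illustration of the tiered approach described above (example code, not from the Decision or any retailer's system): a checkout authorization routine in which a phone number alone can accrue points only for members who opted in to that preference, while redemption always requires an SMS OTP or the physical card. The OTP lifetime, attempt limit and member identifiers are constructed assumptions.

```python
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Optional

ACCRUE, REDEEM = "accrue", "redeem"
OTP_TTL_SECONDS = 120   # constructed value; the Decision sets no OTP lifetime
OTP_MAX_ATTEMPTS = 3    # constructed value; limits guessing of a 6-digit code


@dataclass
class Member:
    phone: str                           # constructed identifier, not a real number
    number_only_accrual: bool = False    # opt-in: phone number alone may accrue points


@dataclass
class Verifier:
    _otps: dict = field(default_factory=dict)  # phone -> [code, expiry, attempts_left]

    def issue_otp(self, phone: str, now: Optional[float] = None) -> str:
        # A deployment sends the code by SMS; it is returned here only to run offline.
        now = time.time() if now is None else now
        code = f"{secrets.randbelow(10**6):06d}"
        self._otps[phone] = [code, now + OTP_TTL_SECONDS, OTP_MAX_ATTEMPTS]
        return code

    def verify_otp(self, phone: str, code: str, now: Optional[float] = None) -> bool:
        now = time.time() if now is None else now
        entry = self._otps.get(phone)
        if entry is None or now > entry[1] or entry[2] <= 0:
            self._otps.pop(phone, None)          # expired or exhausted: discard
            return False
        entry[2] -= 1                            # count every attempt, right or wrong
        if hmac.compare_digest(entry[0], code):  # constant-time comparison
            self._otps.pop(phone, None)          # single use
            return True
        return False

    def authorize(self, member: Member, txn: str, otp: Optional[str] = None,
                  card_presented: bool = False, now: Optional[float] = None) -> tuple:
        # Tiered rule: redemption needs a verified factor; accrual may run on the number alone only by opt-in.
        verified = card_presented or (otp is not None and self.verify_otp(member.phone, otp, now))
        if txn == REDEEM:
            return (True, "redeem: verified") if verified else (False, "redeem: verification required")
        if txn == ACCRUE:
            if verified or member.number_only_accrual:
                return True, "accrue: allowed"
            return False, "accrue: verification required"
        return False, "unknown transaction type"
```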

The Decision has direct operational implications for companies operating loyalty programs. Transaction flows based solely on the provision of a phone number will no longer be considered sufficient. Companies will need to reassess their checkout procedures, membership agreements, and technical infrastructure in an integrated manner, and redesign their verification mechanisms to ensure they are systematic and auditable.

The six-month period envisaged from the date of publication of the Decision effectively constitutes a compliance timeline for companies. Failure to implement the required technical and administrative measures within this period may expose data controllers to administrative sanctions under Article 18 of the Law.

