12 August 2025

Bulletin Regarding The Principle Decision On SMS Verification Codes

The Decision of the Personal Data Protection Board ("the Board") dated 10/06/2025 and numbered 2025/1072 ("the Decision") was published in the Official Gazette dated 26/06/2025.

The Decision addresses the processing of personal data through the sending of verification codes via SMS to data subjects during the provision of products and services. As the Decision constitutes a principle decision, it sets forth the procedures and principles to be followed when processing data using this method. Failure to comply with these procedures and principles may result in sanctions.

Details are as follows:

1. The Background of the Decision

The Board, in numerous complaints submitted to it, has found that during various stages of product and service delivery, SMS verification codes were sent to individuals receiving such products and services. It was claimed that these codes were necessary for purposes such as billing, payment completion, or invoice delivery. However, it was determined that following the entry of the verification code into the system, commercial electronic messages were subsequently sent to the data subjects.

Following its investigations, the Board determined that during processes such as billing, invoice delivery, account creation, or offer generation, verification codes were sent to data subjects without providing the necessary information notice (clarification) either within the content of the SMS or prior to the sending of the message by the data controller or its authorized parties. Furthermore, although the code was requested on the grounds that it was necessary for the aforementioned purposes, it was found that commercial electronic messages were sent using this method, thereby misleading the data subjects.

In this context, the Board has laid out the general principles governing the obtaining of approval by means of SMS.

2. Principles Set Forth by the Board Regarding SMS Transmission

a) In processes related to the provision of products and services, the purpose of the SMS to be sent to the data subject and the consequences of entering the code contained in the SMS must be clearly and understandably explained to the data subject by the data controller's representatives. Additionally, the necessary information channels must also be provided within the content of the SMS itself.

b) Approval-based actions such as the confirmation of a membership agreement, processing of personal data, or obtaining consent for commercial electronic messages must not be carried out using a single verification code. For processing activities that require explicit consent, data subjects must be presented with options and their explicit consent must be obtained separately for each purpose.

c) The obligation to inform and the obtaining of explicit consent must be fulfilled separately.

d) In cases where SMS messages are sent for the purpose of obtaining explicit consent for the sending of commercial electronic messages, the consent obtained via SMS must include all elements required under the applicable legislation.

e) In cases where explicit consent is given for the processing of personal data for the purpose of sending commercial electronic messages, such consent must not be obtained in a manner that undermines the elements of informed consent and free will, or that presents it as a mandatory condition for the completion of the product or service provision.

f) Explicit consent for the processing of personal data for the purpose of sending commercial electronic messages must either be obtained after the completion of the product and service provision, or it must be clearly stated in the information provided by the data controller (both via SMS and in physical/digital media) that: (i) the consent given by sharing the relevant code with the officer is not mandatory for the provision of the products and services, (ii) the products and services can still be provided even if the code is not shared, and (iii) the permissions or preferences granted through this code can be changed at any time.

g) Within the scope outlined above, data controllers must regularly provide training and awareness programs to their personnel regarding these processes.

3. Sanctions

The Board has stated that the above-mentioned matters are among the administrative and technical measures that must be taken by data controllers under the Personal Data Protection Law ("the Law"). In this context, it has been emphasized that non-compliance with these requirements may result in the imposition of administrative fines pursuant to Article 18 of the Law.

You may refer to our relevant bulletin regarding administrative fines.

Originally published 02 July, 2025

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
