With the Principal Decision No. 2026/266 of the Personal Data Protection Board (the "Board"), published in the Official Gazette dated 28/02/2026 and numbered 33182 (the "Principal Decision"), significant regulations have been introduced regarding the processing of personal data within the scope of loyalty card programs.
The Principal Decision primarily evaluates practices concerning the use of personal data—such as members' mobile phone numbers and loyalty card numbers—by third parties in loyalty programs operated by the retail sector, chain stores, supermarkets and similar businesses, and sets out the criteria for lawfulness.
Through the Principal Decision, the Board aims to strengthen data security and identity verification mechanisms in loyalty programs.
What Does the Principal Decision Introduce?
Restriction on Use by Third Parties
The use of a loyalty card member's mobile phone number or card number by third parties without the knowledge and explicit consent of the cardholder is deemed unlawful.
Obligation to Implement Identity Verification
Data controllers are required to adopt technical and administrative measures that verify whether the relevant individual is indeed the person conducting the transaction in loyalty card usage.
Acceptable Verification Methods Identified
The following methods are considered lawful verification mechanisms:
- Sending a one-time verification code via SMS,
- Approval mechanisms through a mobile application,
- QR code / barcode scanning systems,
- Conducting transactions using a password unique to the cardholder.
Methods other than these—particularly transactions conducted solely based on the verbal declaration of a phone number—are deemed to pose a data security breach risk.
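To make concrete what the first listed method (a one-time code sent by SMS) has to do in order to actually verify the cardholder, the following is an added example written for this article; it is not code from the Board's decision or from any retailer's system. It sketches the checkout-side half of such a flow: a code is generated for the card on file, only a keyed hash of it is stored, and a submitted code is accepted only if it is unexpired, within the attempt limit and compared in constant time, after which it is invalidated. The class name, the two-minute lifetime and the three-attempt cap are assumptions chosen for illustration; the SMS delivery itself is left to the caller.

```python
import hashlib
import hmac
import secrets
import time

# Assumed policy values for the example (not taken from the Principal Decision).
OTP_TTL_SECONDS = 120   # a code is valid for two minutes
MAX_ATTEMPTS = 3        # after three wrong guesses the code is discarded


class LoyaltyOtpVerifier:
    """Issue and verify one-time codes for loyalty card transactions.

    Hypothetical helper: the store never keeps the plain code, only a
    salted HMAC of it, so a leaked pending-code table is not usable.
    """

    def __init__(self, clock=time.time):
        self._clock = clock          # injectable for deterministic tests
        self._pending = {}           # card_number -> pending code record

    def issue(self, card_number: str) -> str:
        """Create a fresh 6-digit code for the card and return it.

        The caller sends the returned code by SMS to the phone number
        already registered for the card; it must never be shown at the POS.
        """
        code = f"{secrets.randbelow(10**6):06d}"
        salt = secrets.token_bytes(16)
        self._pending[card_number] = {
            "salt": salt,
            "digest": hmac.new(salt, code.encode(), hashlib.sha256).digest(),
            "expires_at": self._clock() + OTP_TTL_SECONDS,
            "attempts": 0,
        }
        return code

    def verify(self, card_number: str, submitted: str) -> bool:
        """Return True only for an unexpired, unused, correct code."""
        entry = self._pending.get(card_number)
        if entry is None:
            return False                       # nothing issued, or already used
        if self._clock() > entry["expires_at"]:
            del self._pending[card_number]     # expired: force a new issuance
            return False
        entry["attempts"] += 1
        if entry["attempts"] > MAX_ATTEMPTS:
            del self._pending[card_number]     # brute-force cap reached
            return False
        candidate = hmac.new(entry["salt"], submitted.encode(),
                             hashlib.sha256).digest()
        if hmac.compare_digest(candidate, entry["digest"]):
            del self._pending[card_number]     # single use: consume on success
            return True
        return False


def checkout_demo() -> bool:
    """Simulated checkout: code issued for the card, cardholder types it in."""
    verifier = LoyaltyOtpVerifier()
    card = "CARD-EXAMPLE-0001"                 # constructed sample identifier
    code = verifier.issue(card)                # would be delivered via SMS
    return verifier.verify(card, code)         # points may be credited if True


if __name__ == "__main__":
    print("transaction verified:", checkout_demo())
```

The point the decision makes is visible in the code path: a phone number or card number stated aloud at the till is an identifier, not proof of possession, whereas the code only reaches the phone registered to the account and is useless once used, expired or guessed at too often.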
Review of Information and Explicit Consent Processes
It is emphasized that privacy notices related to loyalty programs must clearly and explicitly set out the purposes of data processing, and that explicit consent must be obtained where required, particularly for activities such as campaigns, analysis and marketing.
Risk of Administrative Fines
It is stated that practices contrary to the Principal Decision may be subject to administrative fines under Articles 12 and 18 of Law No. 6698.
Expected Practical Impacts
With the entry into force of the Principal Decision, particularly in the retail sector, the following will be required:
- Restructuring of checkout processes,
- Integration of SMS-based verification into POS systems,
- Increased mobile application integrations,
- Updating staff training programs.
This regulation effectively puts an end to the practice of "earning points by verbally stating a phone number".
Compliance
A six-month compliance period has been granted to data controllers as of the publication date of the Principal Decision in the Official Gazette. Data controllers that continue their practices during this period without implementing the necessary measures will be subject to administrative sanctions pursuant to Article 18 of Law No. 6698. Taking into account the 2026 revaluation rates, the administrative fine for failure to comply with the decisions of the Board ranges between TRY 427.263,00 and TRY 17.092.242,00.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.