Turkey: Principle Decision By The Turkish Data Protection Authority

10 July 2025

The Turkish Data Protection Authority (“Authority”) published a principle decision (“Decision”) dated 10 June 2025 and numbered 2025/1072 on the processing of personal data by sending verification codes via SMS to data subjects during the provision of products and services. The Decision was published in Official Gazette dated 26 June 2025 and numbered 32938.

In its Decision, the Authority stated that requesting contact information from the data subjects (e.g. store customers) and sending verification codes via SMS in the course of delivering products and services has become a widespread practice. In its examination, the Authority determined that:

• verification codes were sent to data subjects during processes related to product and service offerings (such as making payments, registering, creating a membership, creating an offer, and similar transactions), but no information was provided in the SMS content containing these codes or before the SMS was sent.
• the data controller misled data subjects by obtaining explicit consent for the sending of commercial electronic messages, even though the code was requested on the grounds that it was necessary for completing payment transactions or updating their information.

Since presenting the subject codes as a compulsory element of the purchase may mislead the data subjects, the Authority emphasized the following points in its Decision:

• In the processes related to product and service offerings (during transactions such as making payments, opening accounts, creating memberships, making offers, and similar transactions), the purpose of the SMS to be sent to the relevant persons’ phones and the consequences of providing the code sent with this SMS shall be conveyed to the relevant persons in a clear and understandable manner by the data controller’s officials (e.g. store personnel, sales representatives) at the first stage, and the necessary information channels shall be provided in the content of the SMS in order to fulfill the obligation to inform,

• To end the practices of carrying out different processing activities, such as confirming the membership agreement, obtaining consent to process personal data, obtaining consent for sending commercial electronic messages, etc. with a single action through sending a verification code via SMS to data subjects,
• to obtain explicit consent from the data subjects separately by offering options for processing activities that must be carried out with express consent,
• The procedures for obtaining explicit consent and fulfilling the obligation to inform shall be carried out separately by the data controllers,
• In case of sending an SMS verification code to obtain explicit consent for sending commercial electronic messages, the explicit consent to be obtained for the transaction in question must have all the conditions specified in the Data Protection Law Numbered 6698 (“Law”),
• Giving explicit consent to the processing of personal data for the purpose of sending commercial electronic messages shall not be presented to the data subjects as a mandatory element for the completion of the product and service provision,
• In case of obtaining explicit consent for the processing of personal data for the purpose of sending commercial electronic messages, this should be requested after the completion of the product and service provision, or it should be clearly conveyed in the SMS content or in the notifications made by the data controller in the physical or digital environment that the consent given is not mandatory for the completion of the product and service provision, and that products and services can always be provided even if the code is not provided, thus preventing the perception of explicit consent for commercial electronic messages as a mandatory element of the product and service provision,
• To ensure that the transactions in question comply with the Law, the necessary training and awareness activities are carried out periodically by the data controllers for the personnel involved in these processes.

The Decision also states that sanctions may be imposed on data controllers under Article 12 of the Law who fail to comply with the aforementioned principles.

Consequently, the practice of obtaining membership consent, commercial message consent, and personal data processing consent through a single transaction shall be ceased and all the principles of the Authority shall be adapted to the practice.

Our Law Firm remains at your disposal for any further clarifications you may need.

Copyright © 2025 Cailliau&Colakel Attorney Partnership, all rights reserved.