The Principle Decision Regarding Loyalty Card Practices Has Been Published

The Personal Data Protection Board’s (“Board”) Principle Decision dated February 11, 2026 and numbered 2026/266 (“Decision”), published in the Official Gazette dated February 28, 2026, evaluated certain shopping practices carried out under loyalty card programs.

Pursuant to the Decision, the Board stated that practices in which third parties carry out a shopping transaction by informing the cashier of a customer’s mobile phone number or loyalty card number without the data subject’s knowledge and consent, invoices or similar documents are issued in the name of the data subject, and the purchase transaction is recorded in the data subject’s account:

  • cannot be based on any of the data processing conditions set forth under Article 5 of Law No. 6698 (“Law”) and would lead to unlawful personal data processing activities,
  • could constitute a violation of the principle of “being accurate and, where necessary, kept up to date” set forth under Article 4 of the Law,
  • may constitute a violation within the scope of the obligation to ensure personal data security as regulated under Article 12 of the Law.

Within this scope, the Board has stated that:

  • the practices enabling the aforementioned shopping transactions must be terminated,
  • the necessary technical and administrative measures must be taken by data controllers,
  • different verification mechanisms must be implemented in loyalty card practices depending on the type of transaction, such as membership verification, earning points/discounts/promotions, and redeeming points, and on the level of risk associated with such transactions.

A six-month compliance period from the date of publication of the Principle Decision has been granted to data controllers to establish the aforementioned verification mechanisms.

You can access the full text of the Decision here.

Best Regards,
Balay, Eryiğit & Erten