MA | Gazette

The Personal Data Protection Board’s “Principle Decision on the Use of the Mobile Phone Number or Loyalty Card Number of a Person with a Loyalty Card Membership by a Third Person During Shopping” Published

The Personal Data Protection Board’s (“Board”) Principle Decision No. 2026/266 titled “Principle Decision on the Use of the Mobile Phone Number or Loyalty Card Number of a Person with a Loyalty Card Membership by a Third Person During Shopping” (“Principle Decision”) was published in the Official Gazette dated 28 February 2026 and numbered 33182. Through the Principle Decision, the Board examined, within the scope of the Personal Data Protection Law No. 6698 (“DP Law”), the practice whereby the mobile phone number or loyalty card number of a data subject may be used by third persons during shopping within the framework of loyalty card programs.

In its examination carried out within the scope of the Principle Decision, the Board determined that, in loyalty card programs operated by data controllers active in various sectors, shopping transactions may be completed without any verification merely by providing the mobile phone number or loyalty card number of the data subject to the cashier personnel. In this context, it was determined that third persons may conduct shopping transactions through the loyalty card without the knowledge or consent of the data subject; invoices or similar documents relating to such transactions may be issued in the name of the loyalty card holder; and customer transaction information relating to such purchases may be recorded in the membership account of the data subject.

The Board evaluated that the relevant practice may lead to unlawful personal data processing activities under the provisions of the DP Law. In this respect, the Board concluded that:

  • A third person carrying out transactions in the name of the data subject during shopping by using the data subject's mobile phone number or loyalty card number, without the data subject's knowledge and consent, cannot be based on any of the personal data processing conditions set out in Article 5 of the DP Law.
  • Issuing invoices or similar documents regarding a purchase not personally made by the data subject and recording customer transaction information in the membership account of the data subject may constitute a violation of the principles regulated under Article 4 of the DP Law.
  • The inclusion of provisions in membership agreements stating that loyalty cards are intended solely for the personal use of the data subject does not eliminate the obligation of data controllers to take the technical and administrative measures required to ensure personal data security under Article 12 of the DP Law.

Accordingly, the Principle Decision introduces significant obligations for data controllers. The Board stated that practices allowing the mobile phone number or loyalty card number of the data subject to be used by third persons must be terminated. It was also emphasized that data controllers must establish appropriate technical and administrative measures to verify that transactions carried out through loyalty cards are performed with the knowledge and consent of the data subject.

With regard to the establishment of verification mechanisms, the Board indicated that the following methods may be used:

  • Sending a one-time verification code via SMS to the mobile phone number of the data subject,
  • Scanning a barcode or QR code generated through the mobile application or website at the cashier,
  • Presenting or scanning the physical loyalty card at the cashier,
  • Entering the loyalty card password into the transaction device,
  • Providing data subjects, through the online membership account created within the scope of the loyalty card program, with options regarding which transactions may be carried out by merely providing the mobile phone number.

The Board also stated that verification mechanisms may be differentiated depending on the type of transaction and the level of risk. In this respect, different verification methods may be used for various transaction types within loyalty card applications, such as membership verification, earning points or discounts, and spending points.
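The tiered verification the Board describes, carried into code as an added example (it is not part of the Principle Decision or of any retailer's system): a membership check is accepted on the bare number, earning points is accepted on the bare number only where the member has opted in through the online account, and spending points always steps up to an SMS one-time code, an app-generated QR token or the card password. The transaction types, method names, validity periods, attempt limit, the member record and the rule that redemption never accepts the bare number are assumptions of this example.

```python
# Risk-tiered verification for loyalty-card transactions at the till.
# Added example; transaction types, TTLs and policy rules are assumed.
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional


class Tx(Enum):
    MEMBERSHIP_CHECK = "membership_check"   # is this number enrolled?
    EARN = "earn"                           # accrue points / apply discount
    SPEND = "spend"                         # redeem points


class Method(Enum):
    PHONE_ONLY = "phone_only"   # bare phone or card number, proves nothing
    SMS_OTP = "sms_otp"         # one-time code sent to the member's phone
    APP_QR = "app_qr"           # short-lived token shown as a QR code in the app
    CARD_PIN = "card_pin"       # loyalty card password typed on the terminal


OTP_TTL = 180        # seconds an SMS code stays valid (assumed)
OTP_MAX_TRIES = 3    # wrong guesses before the code is voided (assumed)
QR_TTL = 60          # seconds a QR token stays valid (assumed)


@dataclass
class Member:
    card_no: str
    phone: str
    pin_salt: bytes
    pin_hash: bytes
    phone_only_ok: set = field(default_factory=set)  # Tx types the member opted in to
    otp_hash: Optional[bytes] = None                 # hash of the pending code, never the code
    otp_expires: float = 0.0
    otp_tries: int = 0


def hash_pin(pin: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 200_000)


def new_member(card_no: str, phone: str, pin: str, phone_only_ok=()) -> Member:
    salt = secrets.token_bytes(16)
    return Member(card_no, phone, salt, hash_pin(pin, salt), set(phone_only_ok))


def phone_only_permitted(m: Member, tx: Tx) -> bool:
    """Low-risk path configurable by the member; spending points always steps up."""
    if tx is Tx.MEMBERSHIP_CHECK:
        return True
    if tx is Tx.EARN:
        return tx in m.phone_only_ok
    return False


def issue_otp(m: Member, now: float) -> str:
    """Mint a 6-digit single-use code; only its hash is stored, the code goes by SMS."""
    code = f"{secrets.randbelow(10**6):06d}"
    m.otp_hash = hashlib.sha256(code.encode()).digest()
    m.otp_expires = now + OTP_TTL
    m.otp_tries = 0
    return code


def verify_otp(m: Member, code: str, now: float) -> bool:
    if m.otp_hash is None or now > m.otp_expires or m.otp_tries >= OTP_MAX_TRIES:
        m.otp_hash = None            # expired or exhausted: void it
        return False
    m.otp_tries += 1
    ok = hmac.compare_digest(hashlib.sha256(code.encode()).digest(), m.otp_hash)
    if ok:
        m.otp_hash = None            # single use: replaying the same code fails
    return ok


def issue_qr_token(m: Member, key: bytes, now: float) -> str:
    """Server-issued 'card_no.expiry.tag', rendered by the app as a QR code."""
    msg = f"{m.card_no}.{int(now) + QR_TTL}"
    tag = hmac.new(key, msg.encode(), hashlib.sha256).hexdigest()[:32]
    return f"{msg}.{tag}"


def verify_qr_token(token: str, key: bytes, now: float) -> Optional[str]:
    """Return the card number the token is bound to, or None if forged or expired."""
    parts = token.rsplit(".", 2)
    if len(parts) != 3 or not parts[1].isdigit():
        return None
    card_no, exp, tag = parts
    if now > int(exp):
        return None
    expect = hmac.new(key, f"{card_no}.{exp}".encode(), hashlib.sha256).hexdigest()[:32]
    return card_no if hmac.compare_digest(expect, tag) else None


def authorize(m: Member, tx: Tx, method: Method, evidence: str, key: bytes, now: float) -> tuple:
    """Decide whether the till may record this transaction on m's account."""
    if method is Method.PHONE_ONLY:
        if phone_only_permitted(m, tx):
            return True, "number only: permitted for this transaction type"
        return False, f"{tx.value} requires a verification step"
    if method is Method.SMS_OTP:
        ok = verify_otp(m, evidence, now)
    elif method is Method.APP_QR:
        ok = verify_qr_token(evidence, key, now) == m.card_no
    else:  # Method.CARD_PIN
        ok = hmac.compare_digest(hash_pin(evidence, m.pin_salt), m.pin_hash)
    return ok, f"{method.value}: {'verified' if ok else 'rejected'}"


if __name__ == "__main__":
    key, now = secrets.token_bytes(32), 1_700_000_000.0
    alice = new_member("C1001", "+905550000000", "4321", phone_only_ok={Tx.EARN})
    print(authorize(alice, Tx.SPEND, Method.PHONE_ONLY, "", key, now))   # stranger quoting her number: refused
    code = issue_otp(alice, now)                                          # delivered to Alice's phone
    print(authorize(alice, Tx.SPEND, Method.SMS_OTP, code, key, now))    # verified
    print(authorize(alice, Tx.SPEND, Method.SMS_OTP, code, key, now))    # replay: rejected
```

The points worth copying into a real implementation are the ones a cashier-side check cannot provide on its own: the one-time code is stored only as a hash, expires, is capped in guesses and dies after first use; the QR token is bound to the card number and an expiry under a server key, so a screenshot from yesterday or a token for another member is rejected; comparisons use `hmac.compare_digest`; and the bare number is honoured only for the transaction types the member has enabled, which is what lets the same engine apply different methods to membership verification, earning and spending.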

Through the Principle Decision, data controllers have been granted a six-month compliance period, starting from the publication date of the decision in the Official Gazette, in order to establish the relevant verification mechanisms. The Board also stated that if the necessary technical and administrative measures are not implemented within this period and the practice continues in violation of the provisions of the DP Law, administrative sanctions may be imposed on data controllers under Article 18 of the DP Law.

You may access the full text of the Principle Decision here (only available in Turkish).
