The Personal Data Protection Board (“Board”) made a public announcement regarding the processing of personal data by sending a verification code to the data subjects via SMS during in-store shopping (“Announcement”) and published a summary of decision dated 3 April 2021 and numbered 2021/361 regarding a bank sending promotional messages to the data subjects via mobile applications without their consent (“Decision”).


The Announcement stated that, as a result of the examinations made, it has been determined that a verification code is sent to the data subjects by the stores during the payment transactions; however, either no information is given provided to the data subjects in the SMS contents or before the SMS is sent, or the data subjects are misled with an impression that that the said code is required for completing the payment transactions or updating the information. However, their explicit consent for sending commercial electronic messages is obtained in this way.

In this regard, the Board emphasized the requirements that;

  • Data subjects must be informed about the purpose and results of the transmitted code before sending the SMS within the scope of layered approach, and the data subject must be provided with the necessary channels for being informed regarding data processing in the SMS content,
  • Practices of obtaining approvals for membership agreement, explicit consent, and commercial electronic message approval etc. with a single SMS verification code must be ceased and separate consent must be obtained by offering options for the processing activities in question,
  • If an application is made to send an SMS verification code in order to obtain explicit consent for sending commercial electronic messages, the explicit consent to be obtained in the said transaction must cover all elements.

In the Decision, the Board imposed an administrative fine on the data controller on the grounds that (i) sending push notifications to the subjects’ mobile phone via two mobile applications offered by the data controller bank is not compliant with the legislation as in the application used by customers with Android operating system, boxes for push notifications are prechecked in the mobile applications and notifications are send to the data subjects unless they opt-out, (ii) and assumption of consent as such to this notifications called “push notifications”, which are instantly sent to users via mobile applications by service providers contradicts the provisions that electronic messages specified in Law on Regulation of Electronic Commerce numbered 6563 are subject to the approval of the recipients, and it also violates the article 5 of Personal Data Protection Law numbered 6698 regarding requirement to rely on explicit consent in the processing of personal data.

Please see this link for the full text of the Announcement published in the official website of the Board on 17 December 2021 and this link for the Decision (only available in Turkish).