Turkish Data Protection Board Published Principle Decision on Loyalty Card Memberships Used in Various Sectors

“Principle Decision on the Use of a Loyalty Card Member’s Mobile Phone Number or Loyalty Card Number by a Third Party During a Purchase” (“Decision”), adopted by the Personal Data Protection Board (“Board”) on 11 February 2026 with decision number 2026/266, was published in the Official Gazette dated 28 February 2026 and numbered 33182. The full Turkish text of the Decision is available here.

The Decision addresses a practice frequently encountered in loyalty card programs that are widely used across various sectors, particularly in the retail sector. Within the scope of loyalty card programs operated by data controllers, it has been determined that purchases made by a third party sharing the mobile phone number of the relevant data subject, who is the loyalty card holder, with the cashier during the purchase, and that such purchases conducted through loyalty cards are completed without any transaction approval code, verification step, or identity authentication. It was further determined that transactions were carried out through the loyalty card even though the data subject was not physically present at the checkout and without the knowledge of or consent of the data subject, and that the transaction details were processed under the data subject’s account without any identity verification or transaction approval mechanism.

The Decision states that data controllers had not established any verification mechanism to determine whether such purchases were carried out directly by the data subject or with the data subject’s knowledge and consent. Accordingly, it was noted that purchases made through the use of the data subject’s mobile phone number or loyalty card number by third parties cannot be based on any of the data processing conditions set out in Article 5 of the Personal Data Protection Law No. 6698 (“Law”) and may therefore lead to unlawful data processing.

In addition, the Board emphasized in the Decision that issuing invoices or similar documents in the name of the data subject for purchases made using a loyalty card without the data subject’s knowledge or consent, and recording such transactions in the data subject’s records and membership account, would constitute a violation of the principle of “being accurate and, where necessary, kept up to date” set out among the personal data processing principles under Article 4 of the Law.

Furthermore, the Decision clearly states that imposing an obligation on the data subject under loyalty card membership agreements not to allow third parties to use the loyalty card issued in their name does not remove the data controller’s obligation to ensure personal data security as set out in Article 12 of the Law.

In light of these assessments, the Board decided that the relevant data controllers must establish identity verification mechanisms such as:

• sending a one-time SMS verification code,
• scanning a QR code generated through a mobile application,
• presenting the physical loyalty card, or
• entering the loyalty card password into the payment/transaction device.

The Board also granted data controllers a six-month compliance period as of the publication date of the Decision to establish these mechanisms and stated that administrative sanctions may be imposed pursuant to Article 18 of the Law if the necessary measures are not taken.

Following the Decision, it appears that data controllers operating loyalty card programs will need to review their existing practices and restructure systems that do not include identity verification and transaction approval mechanisms. The Decision also has the potential to establish an important standard in practice regarding personal data security and identity verification processes within loyalty card systems. In this context, implementing verification mechanisms to confirm that purchase transactions are carried out with the knowledge and consent of the data subject should be considered an integral part of the obligation to ensure data security.

 

Gamze Güngör Bulut, Senior Associate
Işıl Gizem Demirtaş, Associate