An End to Sending Verification Codes by SMS During the Provision of Goods and Services

31.07.2025 Sevgi Ünsal Özden

Introduction

In Türkiye, it has recently become increasingly common, especially in retail stores, to send verification codes to data subjects by SMS during the provision of goods and services and to process personal data in this way. In the complaints submitted to the Personal Data Protection Board (“Board”), it has been observed that, during transactions such as making a payment, opening a record, creating a membership, or preparing a quotation, individuals’ contact information is requested, then a verification code is sent by SMS, and the individual is asked to convey this code to the staff member or enter it into the system on the grounds that it is mandatory for completing the payment transaction, issuing the invoice, delivering the invoice to the contact address, or updating the information.

However, complaints have intensified that commercial electronic messages are subsequently sent to the data subjects following these transactions. As these practices, which give rise to different legal consequences through a single transaction, became widespread, the Board made substantial assessments on the matter in its Principle Decision dated 10.06.2025 and numbered 2025/1072, which was published in the Official Gazette dated 26.06.2025 and numbered 32938 (“Principle Decision”)[1].

In this article, the boundaries of the practice will be examined in light of the assessments contained in the said Principle Decision; in addition, how to design notice and explicit consent processes in compliance with Law No. 6698 on the Protection of Personal Data (“KVKK”) will be addressed.


Assessment of the Principle Decision

The Board first emphasized that presenting verification codes sent by SMS as if they were an indispensable element of a purchase may mislead data subjects. In this context, attention was drawn to the necessity of providing data subjects with clear and comprehensible information regarding the purpose and use of the code and what consequences this will have in terms of personal data.

The Decision also stated that combining different processing activities such as acceptance of a membership agreement, granting permission for the processing of personal data, or obtaining consent for the sending of commercial electronic messages under a single transaction is unlawful. It was stated that, for processing activities requiring explicit consent, (for example, the sending of commercial electronic messages), separate options must be presented to data subjects, and consent must be obtained independently for each transaction.

The Board pointed out that in personal data processing activities based on explicit consent, it is obligatory that the consent obtained meets the validity conditions stipulated in the KVKK, and in this context, making consent for the sending of commercial electronic messages a precondition for the provision of a product or service is not possible. Finally, the Board stated that in the event of acting in violation of these obligations, administrative sanctions would be imposed on data controllers under Article 18 of the KVKK.

With the Board’s evaluations, it has been clearly set forth that this SMS system, frequently resorted to recently by stores and similar service providers, is an unlawful practice in terms of the KVKK. In this respect, the Principle Decision not only resolved existing complaints but also confirmed the impropriety of this increasingly widespread practice in the sector and shed light on how new systems to be designed in the future should look.

Information Obligation and Explicit Consent Practices

Procedures and Principles of the Information Obligation

Within the scope of the KVKK, providing notice to data subjects during the processing of personal data (in other words, informing individuals) is one of the most fundamental conditions of a lawful personal data processing activity. The information obligation requires informing data subjects about (i) the identity of the data controller, (ii) the purposes for which personal data will be processed, (iii) to whom and for what purposes the obtained personal data may be transferred, (iv) the method and legal ground for collecting data, and (v) the rights of the data subject listed in Article 11[2] of the KVKK. In the information to be presented to individuals (in information notices), the purpose of data processing must be specific, explicit and legitimate, and general, ambiguous or misleading statements must not be included. At this point, providing incomplete, incorrect or misleading information will result in a violation of the information obligation, which is one of the erroneous practices emphasized in the Principle Decision.

The Communiqué on the Principles and Procedures to be Followed in Fulfilling the Obligation to Inform[3] (“Communiqué”) also explicitly lists certain conditions regarding how this obligation should be fulfilled. Accordingly, in every case where personal data are processed, whether based on the explicit consent of the data subject or on other processing conditions in the KVKK (without requiring explicit consent), individuals must be appropriately informed, and the fulfillment of the notice obligation must be provable by the data controller. Therefore, fulfilling the information obligation in a manner that can be evidenced in physical or digital form (such as delivering a copy of the information notice to the data subject, or directing them via a link to comprehensive information texts) will provide ease of proof for data controllers in a potential audit.

The Guide on Information[4] published by the Personal Data Protection Authority (“Authority”) regarding how to fulfill the notice obligation in compliance with the KVKK is also instructive for data controllers. In the Guide, the issues to be considered in fulfilling the information obligation are explained with concrete and practice-oriented examples, and both good practices and erroneous practices considered unlawful are included.

Validity Conditions of Explicit Consent and the Problem of Multiple Approvals with a Single Transaction

Within the scope of Article 5 (conditions for processing personal data) and Article 6 (conditions for processing special categories of personal data) of the KVKK, explicit consent is one of the exceptional grounds for the processing of personal data, and it is valid only if it is specific to a particular subject, based on information, and given of the data subject’s free will. Whether a data processing activity should be carried out on the basis of explicit consent or on other processing conditions listed in Articles 5 and 6 of the KVKK (for example, performance of a contract, necessity for compliance with a legal obligation) is determined in each concrete case according to the purpose, scope, and nature of the personal data processing activity. The sending of commercial electronic messages, which is the subject of the Principle Decision, is a consent-based activity and can only be lawful with the explicit consent freely given by the data subject. When all these points are evaluated together, explicit consent must include the “positive declaration of intent” of the person giving consent. Without prejudice to other regulations in the legislation, there is no requirement for explicit consent to be obtained in writing, but as with the information obligation, explicit consent must be obtained in a way that is provable by the data controller, whether electronically, physically, or through call centers and similar channels.

The issue of making explicit consent a precondition for the provision of a service has been particularly emphasized by the Board and the Authority since the entry into force of the KVKK. This error, which is frequently encountered in practice, prevents consent from being based on free will and eliminates its validity. This is because a data subject who is forced to give consent to benefit from a service does not actually have a genuine choice; this vitiates the consent given and renders it legally invalid. On the other hand, in its decisions on the subject[5], the Board has drawn attention to the fact that obtaining explicit consent where other personal data processing conditions exist means misleading and misdirecting the data subject and therefore constitutes an abuse of right by the data controller.

In addition, general consents that are not limited to a specific subject and not restricted to the relevant transaction are considered “blanket consents” and are deemed legally invalid. For example, declarations of consent such as “all kinds of commercial transactions, all kinds of banking transactions and all kinds of data processing activities” that do not point to a specific subject and data processing activity are considered blanket consents and deemed invalid. Therefore, obtaining explicit consent for multiple personal data processing activities through a single transaction or action will undermine the validity of the consent. Consents obtained with a single declaration have been specifically addressed in many Board decisions as not being compatible with the principles and rules of the KVKK[6].  

Nevertheless, the Principle Decision points out that combining different types of transactions, such as acceptance of a membership agreement, granting approval for the processing of personal data, and consenting to the sending of commercial electronic messages under a single transaction does not grant the data subject a genuine right of choice and eliminates the independence of the consent. Such practices not only undermine the validity conditions of explicit consent but also violate the fundamental principles stipulated by the KVKK, such as transparency and the requirement that data processing be limited to specific, explicit, and legitimate purposes.

Conclusion 

The validity conditions of information obligation and explicit consent practices have in fact been clearly regulated since the entry into force of the KVKK, both in the legislation itself and in secondary regulations such as the Communiqué and the Authority’s guides, and have been explained with concrete examples. Nevertheless, especially in stores, some practices developed to facilitate certain operational processes during the provision of goods and services, although providing practical benefits, do not comply with the principles and rules stipulated by the KVKK. The Principle Decision has once again clearly emphasized the unlawfulness of such facilitating practices and has sent an important message to data controllers to review their systems.

From now on, it has become an obligation for all data controllers, particularly retail stores, to design their information and explicit consent practices in full compliance with the KVKK. To eliminate the risk of invalidity of consents regarding the sending of commercial electronic messages, it is of great importance to move to systems in line with the KVKK and secondary legislation provisions. However, the sending of commercial electronic messages is not solely a compliance issue under the KVKK; at the same time, the provisions of the Regulation on Commercial Communication and Commercial Electronic Messages[7] must also be taken into account. Data controllers must also fulfill the requirements of this Regulation in all commercial communications carried out for the purpose of promoting and marketing goods and services or publicizing their businesses, must register with the message management system where necessary, and must carefully observe the validity conditions for the messages.

References
[1] Personal Data Protection Board Principle Decision dated 10.06.2025 and numbered 2025/1072, Official Gazette dated 26.06.2025 and numbered 32938, https://resmigazete.gov.tr/eskiler/2025/06/20250626-7.pdf (Access Date: 25.08.2025).
[2] Under Article 11 of the KVKK, data subjects have the right to learn whether their personal data are being processed, to request information if their data have been processed, to learn the purpose of processing and whether it is being used in accordance with this purpose, to know the recipients to whom data are transferred domestically or abroad, to request the correction of incomplete or inaccurate data or the deletion or destruction of such data within the scope of Article 7 of the Law. They also have the right to request that these be notified to third parties, to object to any result arising to their detriment from analysis of data processed solely through automated systems, and to request compensation for damages arising from unlawful processing.
[3] Communiqué on the Principles and Procedures to be Followed in Fulfilling the Obligation to Inform, Official Gazette dated 10.03.2018 and numbered 30356, https://resmigazete.gov.tr/eskiler/2018/03/20180310-5.htm (Access Date: 25.08.2025).
[4] Guide on the Fulfillment of the Obligation to Inform, Personal Data Protection Authority, March 2025, https://kvkk.gov.tr/Icerik/5395/Aydinlatma-Yukumlulugunun-Yerine-Getirilmesi-Rehberi-Kurum-Internet-Sayfasinda-Yayinlanmistir- (Access Date: 25.08.2025).
[5] Personal Data Protection Board Decision dated 15.06.2023 and numbered 2023/1041, https://kvkk.gov.tr/Icerik/7768/2023-1041, and Decision dated 02.05.2023 and numbered 2023/692, https://kvkk.gov.tr/Icerik/7691/2023-692 (Access Date: 27.08.2025).
[6] Personal Data Protection Board Decision dated 20.05.2020 and numbered 2020/404, https://www.kvkk.gov.tr/Icerik/6913/2020-404, and Decision dated 27.02.2020 and numbered 2020/173, https://www.kvkk.gov.tr/Icerik/6739/2020-173 (Access Date: 27.08.2025).
[7] Regulation on Commercial Communication and Commercial Electronic Messages, Official Gazette dated 15.07.2015 and numbered 29417, https://www.mevzuat.gov.tr/mevzuat?MevzuatNo=20914&MevzuatTur=7&MevzuatTertip=5 (Access Date: 27.08.2025).

All rights of this article are reserved. This article may not be used, reproduced, copied, published, distributed, or otherwise disseminated without quotation or Erdem & Erdem Law Firm's written consent. Any content created without citing the resource or Erdem & Erdem Law Firm’s written consent is regularly tracked, and legal action will be taken in case of violation.
