The Turkish Data Protection Board Issued A Principle Decision On The Use Of Loyalty Cards By Third Parties

Recent Development

The Turkish Data Protection Board ("Board"), through its principle decision dated 11 February 2026 and numbered 2026/266 ("Principle Decision"), made important assessments regarding transactions carried out by third parties during shopping by using the mobile phone number or loyalty card number of individuals who are members of loyalty card programs. The Principle Decision was published in the Official Gazette dated 28 February 2026 and numbered 33182.

What Does the Decision Say?

The Board states that, in practice, loyalty card benefits may be used at the checkout with a relatively low level of authentication, such as merely declaring the relevant mobile phone number. The Board also notes that alternative methods are available, including SMS verification codes, barcode or QR code authentication through mobile applications, or presentation of the loyalty card number.

Within this framework, the Board considers that purchases made by a third party through the use of a data subject's mobile phone number or loyalty card number, without the data subject's knowledge and consent, cannot, as a rule, be based on any of the legal grounds for processing set out under the Personal Data Protection Law No. 6698 ("Law"). Therefore, such processing would constitute unlawful personal data processing.

The Board further underlines that, where transaction information is associated with the relevant person even though the purchase was not actually made by that person, or where an invoice or similar document is issued in that person's name, or customer transaction records are created accordingly, the principle requiring personal data to be "accurate and, where necessary, kept up to date" may be compromised. According to the Board, this may create risks both in terms of the data security of the relevant person and the integrity of customer records.

In this respect, the Board also considers that placing an obligation on the relevant person under loyalty card membership agreements not to allow the use of the card by third parties does not, in itself, make the personal data processing activities carried out by data controllers lawful. The Board's approach shows that data controllers are expected to establish authentication mechanisms capable of verifying, in light of the concrete risks involved, that the relevant transaction has indeed been carried out by the relevant person.

Conclusion and Practical Implications

In the Principle Decision, the Board indicates that data controllers should structure their loyalty card programs in line with the following principles:

• Security mechanisms should be established to verify that membership and shopping transactions are actually carried out by the relevant person.
• Risk based authentication methods should be implemented for different types of transactions, such as earning points, spending points, or benefiting from promotions.
• Technical and administrative measures should be adopted to reduce the risk of inaccurate data processing arising from transactions carried out by third parties.
• Loyalty card use processes should be redesigned in line with the principle that personal data must be accurate and, where necessary, kept up to date.

The Board also granted data controllers a six month compliance period starting from the publication date of the Principle Decision (28 February 2026), to ensure compliance with these obligations.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.