The Turkish Data Protection Authority (DPA) has issued a principle decision dated 11 February 2026, addressing the widespread practice of allowing loyalty card benefits to be used at the checkout solely by declaring the membership holder’s mobile phone number or loyalty card number, without any form of verification.

The DPA determined that this practice gives rise to material compliance risks under Turkish Law No. 6698 on the Protection of Personal Data (DPL), particularly in relation to lawful processing conditions, the principles of accuracy and data being kept up to date, and data security obligations.

Decision background and scope

In its assessment, the DPA noted that loyalty card programmes are widely used across sectors such as grocery, cosmetics, technology, DIY and apparel, and confirmed that verification methods applied at the membership creation stage, including one‑time SMS codes or barcode/QR code scanning via mobile applications or websites, are generally considered lawful.

However, the DPA emphasised that allowing loyalty card benefits to be used during purchases without any confirmation or verification code being entered into the system, merely by declaring the membership holder’s mobile phone number or loyalty card number at checkout, creates significant data protection risks. In particular, this practice may result in personal data being processed without the knowledge or consent of the data subject and may increase the likelihood of personal data breaches. In such cases, invoices or transaction records may be issued in the name of the loyalty card holder and recorded in their membership account, despite the cardholder not having carried out or approved the transaction.

Against this background, the DPA determined that transactions carried out solely through number declaration do not allow data controllers to verify whether the data subject has personally made the purchase or has provided approval, and that recording such transactions in the loyalty card holder’s account may lead to inaccurate or misleading personal data being processed.

From a legal perspective, the DPA highlighted several key consequences of continuing this practice. In particular, purchases carried out by third parties using loyalty card details “on behalf of the data subject” may result in personal data being processed without a valid legal basis. In addition, recording such transactions in the loyalty card holder’s account or issuing invoices in their name may lead to inaccurate or misleading personal data.

The DPA further emphasised that contractual restrictions on third‑party use of loyalty cards do not eliminate data controllers’ responsibility to ensure appropriate data security measures.

Immediate compliance obligations

Within this framework, the DPA has stated that this practice must be discontinued and replaced with appropriate verification mechanisms to ensure that loyalty cards are used during purchases only with the knowledge and consent of the relevant data subject.

To this end, data controllers have been granted a strict six‑month compliance period starting from 28 February 2026, during which they are expected to review and update their existing loyalty card processes. Following the expiry of this transition period, administrative action may be taken against data controllers that have failed to implement the required measures or that continue to allow verification‑free use of loyalty cards.

Practical implications and recommended actions

The decision has immediate and direct operational implications, particularly for checkout and sales processes, and will require many organisations to re‑evaluate long‑standing loyalty card practices within a relatively short transition period.

In practice, the DPA expects data controllers to introduce a positive verification step at the point of sale, comparable to those already commonly used for point redemption. The DPA highlights several verification measures that may be adopted, including:

  • one‑time SMS verification codes;
  • barcode or QR code scanning via mobile applications or websites;
  • presentation or scanning of physical loyalty cards; and
  • the use of loyalty card passwords at checkout.

For online transactions, the DPA recommends offering clear opt‑in preferences for transactions carried out solely through phone number declaration, with transparency as to which specific transaction types are covered by such approval.

Verification methods may also vary depending on the risk level of the transaction (e.g. earning points, benefiting from discounts, redeeming loyalty points) and across different groups of data subjects.

In light of the decision, data controllers should assess whether their existing loyalty card processes allow any checkout‑stage use without active confirmation by the data subject, and, if so, prioritise remediation within the applicable compliance period.
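The positive‑verification requirement, the risk‑tiered verification and the online opt‑in described above, expressed as a checkout policy check together with an audit helper for the remediation review. This is an added illustration, not part of the briefing or of any DPA guidance; the tier mapping, enum names and function names are hypothetical.

```python
from dataclasses import dataclass
from enum import Enum

class TxType(Enum):
    EARN_POINTS = "earn_points"
    DISCOUNT = "discount"
    REDEEM_POINTS = "redeem_points"

class Proof(Enum):
    NUMBER_DECLARED = "number_declared"  # phone or card number stated at the till, nothing more
    PHYSICAL_CARD = "physical_card"
    CARD_PASSWORD = "card_password"
    QR_SCAN = "qr_scan"
    SMS_OTP = "sms_otp"

# Hypothetical risk tiering (illustrative): riskier transaction types accept fewer proofs.
ACCEPTED_PROOF = {
    TxType.EARN_POINTS: {Proof.PHYSICAL_CARD, Proof.CARD_PASSWORD, Proof.QR_SCAN, Proof.SMS_OTP},
    TxType.DISCOUNT: {Proof.CARD_PASSWORD, Proof.QR_SCAN, Proof.SMS_OTP},
    TxType.REDEEM_POINTS: {Proof.QR_SCAN, Proof.SMS_OTP},
}

@dataclass(frozen=True)
class Member:
    member_id: str
    # Transaction types the member explicitly approved for number-only ONLINE use.
    online_number_only_optin: frozenset = frozenset()

@dataclass(frozen=True)
class Checkout:
    member: Member
    tx_type: TxType
    proof: Proof
    online: bool

def may_attach_to_account(c: Checkout) -> tuple[bool, str]:
    """Decide whether a benefit may be applied and the sale recorded on the member's account."""
    if c.proof is Proof.NUMBER_DECLARED:
        # In store, number declaration alone is never enough; online only for opted-in types.
        if c.online and c.tx_type in c.member.online_number_only_optin:
            return True, "covered by member's explicit online opt-in"
        return False, "number declaration alone: positive verification required"
    if c.proof in ACCEPTED_PROOF[c.tx_type]:
        return True, f"{c.proof.value} is acceptable for {c.tx_type.value}"
    return False, f"{c.proof.value} is too weak for {c.tx_type.value}"

def audit(records: list[Checkout]) -> list[Checkout]:
    """Remediation check: return past records that the policy would now refuse."""
    return [r for r in records if not may_attach_to_account(r)[0]]
```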

Sanctions

Failure to comply with the decision may result in administrative measures under Article 18 of the DPL. For 2026, fines for non‑compliance with DPA decisions range from TRY 427,263 to TRY 17,092,242 (approx. EUR 8,360 to EUR 334,750).

The DPA may also impose additional measures, including the suspension of unlawful data processing activities and the publication of its decisions concerning the data controllers.
