ASSESSMENT OF THE PRINCIPLE DECISION PUBLISHED BY THE PERSONAL DATA PROTECTION AUTHORITY ON 26.06.2025
The Personal Data Protection Authority (“Authority”) published its Principle Decision (the “Principle Decision”) No. 2025/1072 in the Official Gazette dated 26.06.2025 and numbered 32938. According to the Principle Decision, it has been clarified that obtaining commercial electronic communication consent or explicit consent via SMS codes sent to mobile phones during processes such as payment, membership, or registration must be discontinued.
KEY FINDINGS REGARDING THE PRINCIPLE DECISION
In the assessment made by the Authority, it was determined that some companies send SMS messages containing verification codes to users during the provision of products or services; however, these messages either lack sufficient information or such information is not provided prior to the message being sent. This practice has been deemed misleading, as it may cause users to give explicit consent without fully understanding what they are consenting to.
With its Principle Decision, the Authority emphasizes the importance of complying with the following points:
· In processes related to the provision of products and services, the purpose of the SMS messages sent to individuals and the consequences of sharing the code contained in these SMS messages must be clearly and understandably explained to the relevant individuals by the data controller at the very beginning, in accordance with the layered disclosure approach. Additionally, the SMS content should include appropriate information channels to fully meet the disclosure obligation.
· Collecting membership approval, explicit consent, and commercial communication permission within the same SMS is not legally valid, and such practices should be discontinued.
· When personal data is processed based on the explicit consent of the data subject, the data controller must fulfill the disclosure obligation and the process of obtaining explicit consent separately.
· If the SMS verification method is used to obtain explicit consent for sending commercial electronic communications, the consent obtained in this process must fully comply with all the requirements set forth in the Personal Data Protection Law (“KVKK”).
· Explicit consent for the processing of personal data for the purpose of sending commercial electronic communications should not be presented to the data subjects as a mandatory condition for the provision of a product or service. Otherwise, this may undermine the key principles of consent — being based on informed disclosure and freely given. For this reason, it is essential that all processes are carried out in compliance with the KVKK.
· Explicit consent for commercial electronic communication permission should preferably be requested after the completion of the product or service delivery. If a code is sent via SMS during the process, it must be clearly stated that providing the code is not mandatory for receiving the service, that the service will still be provided if the code is not given, and that consent preferences can be changed at any time. This approach prevents the impression that consent is mandatory.
· In order to ensure legal compliance, data controllers must regularly train the relevant personnel and implement ongoing awareness-raising initiatives.
CONCLUSIONS OF THE DECISION
Within this scope, all of the above-mentioned points are considered part of the administrative and technical measures that data controllers are obliged to implement to process personal data lawfully under Article 12 of the KVKK. If it is determined that these principles have been violated, the relevant data controllers may be subject to the sanctions set forth under Article 18 of the KVKK.
You should review your relevant processes and ensure that your explicit consent practices comply with the KVKK; consents must be organized clearly, separately, and understandably.
Please feel free to reach out to us, should you have any queries.



