A PRINCIPLE DECISION REGARDING THE USE OF A LOYALTY CARD MEMBER’S MOBILE PHONE NUMBER OR LOYALTY CARD NUMBER BY A THIRD PARTY DURING SHOPPING HAS BEEN PUBLISHED IN THE OFFICIAL GAZETTE
Following complaints made to the Personal Data Protection Authority, the Personal Data Protection Board published Principle Decision No. 2026/266 dated 11/02/2026. The decision states that providing only a mobile phone number or loyalty card number during a purchase cannot be considered a sufficient method for ensuring data security; transactions carried out by third parties without the knowledge and consent of the data subject may lead to the unlawful processing of personal data.
Activities Considered Unlawful Under the Decision
In loyalty card programs implemented in many sectors such as food, cosmetics, technology, building materials, and clothing, it has been determined that the cardholder’s mobile phone number or card number can be used for purchases by third parties simply by telling it to the cashier without any verification.
It has been assessed that this practice may lead to the processing of personal data without the knowledge and explicit consent of the data subject, the issuance of incorrect invoices in the person’s name due to purchases not made by the individual, the creation of inaccurate customer transaction records, and consequently, the emergence of personal data breaches.
According to the Board, this practice:
- cannot rely on any of the data processing conditions stipulated in Article 5 of the Law No. 6698 on the Protection of Personal Data;
- may violate the principle of being “accurate and, where necessary, up to date” set out in Article 4 of the Law on the Protection of Personal Data;
- remains subject to the data controller’s obligation to ensure data security under Article 12 of the Law on the Protection of Personal Data, even where the contract includes a provision stipulating that the card shall not be used by third parties.
The Board has decided that the use of loyalty cards by third parties without verification must be stopped.
Measures Required to be Taken by Data Controllers Under the Decision
In this context, data controllers must:
- Establish mechanisms to verify that transactions are made with the cardholder’s knowledge and consent during the use of the loyalty card for shopping.
- Take technical and administrative measures.
- Develop different verification methods (SMS code, mobile application verification, etc.) depending on the risk level.
- Offer alternative verification methods suitable for different user groups.
Compliance Period and Implementation of Administrative Sanctions
A six-month compliance period has been granted starting from the publication date of the decision in the Official Gazette. At the end of this period, administrative sanctions will be imposed on data controllers who fail to take the necessary measures, in accordance with Article 18 of the Law.
Please feel free to reach out to us should you have any queries.