On 16 June 2022, the Turkish Personal Data Protection Authority (DPA) published the Draft Guideline on Processing of Personal Data in Loyalty Programs ("Guideline") for public consultation. Stakeholders can convey their opinions to the DPA until 16 July 2022. You can access the Guideline here (in Turkish).
What does the announcement say?
Overall, the Guideline includes detailed information along with various examples of processing activities carried out within loyalty programs. Below, you can find a summary of the key topics covered by the Guideline.
- The Guideline first defines loyalty programs and explains their history and types. According to the Guideline, loyalty programs are defined as follows:
Programs that aim to increase the sales and profitability of the company while providing benefits to the customer through the implementation of all or some of the strategies, such as providing the customer with points/gifts/advantages within the framework of various criteria in return for shopping by processing the customer’s personal data that will enable them to be specific or identifiable in terms of the business, monitoring the customer’s shopping habits, and providing personalized product/service offers by analyzing the processed personal data.
The loyalty program operators are the data controllers within the scope of the Guideline, and the Guideline limits the scope of data subjects to merely customers.
- As per the Guideline, three different categories of personal data are generally processed within the scope of loyalty programs: (i) data actively and voluntarily provided by customers; (ii) data passively provided by customers; and (iii) data obtained from other sources. The annex of the Guideline provides a detailed list of personal data categories processed within loyalty programs.
- The Guideline states that the legal basis for processing personal data shall be determined separately for each data-processing activity. If the loyalty program is based on a loyalty agreement, data-processing activities may be pursued by relying on the legal basis of performance of a contract. For example, processing personal data to inform the customer of the points earned within the scope of the loyalty agreement can be based on the performance of a contract legal basis. However, if the data-processing activities go beyond the purpose of the loyalty agreement, such as getting to know the customer and offering personalized opportunities, data controllers cannot rely on the performance of a contract legal basis, and an analysis of the applicable legal basis should be made considering the characteristics of each specific processing activity. In the Guideline, the DPA also touches on profiling activities, stating that data-processing activities conducted for profiling cannot be deemed necessary for the performance of a contract, and data controllers cannot rely on the performance of a contract legal basis for such processing.
- The Guideline takes the view that requesting the explicit consent of the data subject to become a member of a loyalty program does not amount to making explicit consent a pre-condition for the underlying services. The DPA states that requiring explicit consent in order to provide the benefits of a loyalty program should not be deemed as setting explicit consent as a pre-condition for such services; instead, it should be deemed as the product/service being offered without the additional benefits. However, in this case, the discount and the rate of advantage provided within the loyalty program should not cause a significant disadvantage to data subjects who do not join.
- The Guideline states that the approval of data subjects is necessary to send electronic commercial messages within the scope of the loyalty program. In addition, the DPA indicates that processing personal data to get to know the customer and processing it to send commercial electronic messages serve different purposes. Therefore, the DPA underlines that a detailed evaluation must be made as to whether the data controller may use the contact information of the data subject to send commercial communications.
- In accordance with the Guideline, data controllers must fulfill their notice requirement for processing activities pursued within loyalty programs. The DPA states that privacy notices should be specific to each processing activity and that data controllers should refrain from using general (umbrella) privacy notices. The DPA further underlines that additional benefits such as discounts and points, and the data transfers related to these benefits, should be specified in detail when fulfilling the notice requirement. In addition, if one of the partners in a joint marketing program processes personal data in order to send advertisements, the explicit consent of the data subjects should be obtained and the notice requirement should be fulfilled.
- The Guideline further includes principles on the use of radio frequency identification (RFID) technology for marketing purposes. RFID is used, for instance, to analyze customer behavior while shopping in stores. The DPA states in the Guideline that data controllers should use RFID carefully, especially from a data minimization perspective.
The DPA provides important guidance regarding data-processing activities within the scope of loyalty programs. The Guideline is open to public consultation until 16 July 2022. Those concerned will be able to convey their comments and suggestions to the DPA until this date.