For further information,
please contact:
Legal Alerts

The Turkish Data Protection Authority Published a Principle Decision

Legal Alerts
Intellectual Property and Technology
General

Recent Developments

The Turkish Data Protection Authority published a principle decision on the processing of personal data by sending verification codes via SMS to data subjects during the provision of products and services

The principle decision (“Decision“) of the Turkish Data Protection Board (“Board“) on the processing of personal data by sending verification codes via SMS to data subjects during the provision of products and services was published in Official Gazette No. 32938 dated 26 June 2025. The Board assessed that sending verification codes via SMS without providing information to the data subjects during the provision of services and combining multiple independent personal data processing activities into a single step violate the Personal Data Protection Law No. 6698 (“Law“).

The Decision is available here (in Turkish).
Details of the Decision

  • In response to complaints, the Board decided that the practice of sending an SMS verification code for completing payments, invoicing or delivering invoices, as if it were a mandatory component of providing products or services (including, but not limited to, payments, account registration, memberships and offers), followed by delivering commercial electronic messages to data subjects, is misleading data subjects.

In this regard, the misleading practices and the Board’s assessments are outlined below.

 

  • Additionally, the Board emphasized that data controllers must periodically conduct the necessary training and awareness activities for employees who are involved in these processing activities.
  • The Decision also states that data controllers who fail to comply with the aforementioned principles may be subject to administrative action under Article 12 of the Law, on the grounds that they have not implemented the necessary technical and administrative measures for the lawful processing of personal data.

Conclusion​

With this Decision, the Board identified violations of the Law arising from the use of SMS verification codes during the sale of goods or services. Accordingly, data controllers that use SMS verification codes in the course of providing goods or services are expected to take into account the evaluations set forth in the Decision. In addition, the Board’s assessments regarding the collection of a single explicit consent for multiple distinct data processing activities are important for all data controllers.