Principle Decision of the Personal Data Protection Board Regarding Third-Party Use in Loyalty Card Memberships Published

02.03.2026 Pelin Mutlu

The Principle Decision of the Personal Data Protection Board (Board) dated 11.02.2026 and numbered 2026/266, titled “Principle Decision on the Use of a Loyalty Card Holder’s Mobile Phone Number or Loyalty Card Number by a Third-Party During Shopping,” was published in the Official Gazette dated 28 February 2026 and numbered 33182. The Principle Decision introduces significant obligations for data controllers.

The key points are summarized below:

  • The Board decided that practices allowing a third party to make purchases without any verification, by notifying the cashier of the loyalty card holder’s mobile phone number or loyalty card number, must be terminated.
  • The Board assessed that such practices are not based on any of the data processing conditions set forth under Article 5 of the Personal Data Protection Law No. 6698 (KVKK) and may lead to unlawful personal data processing activities.
  • Issuing an invoice regarding a purchase not made by the data subject and recording the transaction information in the data subject’s membership account may constitute a breach of the principle of “being accurate and, where necessary, kept up to date” regulated under Article 4 of the KVKK.
  • The inclusion of a provision in membership agreements stipulating that loyalty cards may not be used by third parties does not eliminate the data controller’s obligation to ensure data security under Article 12 of the KVKK.
  • Data controllers are required to take appropriate technical and administrative measures to verify that transactions such as membership creation, earning and using points, and benefiting from discounts or promotions are carried out with the knowledge and consent of the data subject. In this context, the Decision states that different verification mechanisms may be designed according to the type of transaction and the level of risk.
  • To establish the verification mechanisms stipulated in the Principle Decision, a six-month compliance period has been granted to data controllers as of the date of publication of the Decision in the Official Gazette. At the end of this period, actions shall be taken pursuant to Article 18 of the KVKK against data controllers acting in violation of the obligations.

You may access the full text of the announcement here.

All rights of this article are reserved. This article may not be used, reproduced, copied, published, distributed, or otherwise disseminated without quotation or Erdem & Erdem Law Firm's written consent. Any content created without citing the resource or Erdem & Erdem Law Firm’s written consent is regularly tracked, and legal action will be taken in case of violation.
