The Principle Decision of the Personal Data Protection Board Regarding the Use of SMS Verification Codes in Product and Service Provision Has Been Published

The Principle Decision of the Personal Data Protection Board (the Board) dated June 10, 2025 and numbered 2025/1072 (the Decision) was published in the Official Gazette dated June 26, 2025 and numbered 32938. The Decision, which includes key findings and obligations regarding the processing of personal data through the transmission of verification codes, was issued following the Board’s evaluation of complaints based on allegations of misleading practices and violations of the obligation to inform data subjects during product and service delivery processes.

Key highlights of the Decision are summarized below:

• In processes such as making payments, account registration, or membership creation, data subjects must be clearly and transparently informed at the outset by authorized personnel about the purpose of sending verification codes and the potential consequences of providing them. In addition, appropriate communication channels must also be provided within the SMS content.
• Practices that seek to obtain membership approval, commercial communication consent, and personal data processing consent in a single step must be discontinued. Options must be offered for each processing activity requiring explicit consent, and separate explicit consent must be obtained from data subjects accordingly.
• The processes of informing data subjects (under the obligation to inform) and obtaining explicit consent must be carried out separately.
• Any explicit consent obtained for commercial electronic messages must include all legal elements required under applicable law.
• Such explicit consent must not be presented as a mandatory requirement for the provision of products or services.
• Explicit consent for the delivery of commercial electronic messages should either be obtained after the completion of the product or service provision or data subjects should be informed that the service or product can be obtained without providing such a code and that any permissions and preferences granted through the code can be modified at any time.
• Data controllers must ensure that the personnel involved in these processes are adequately trained and that periodic awareness-raising activities are conducted.
• Furthermore, the Decision states that failure to comply with the principles outlined above may result in sanctions against the data controllers.