
06 March 2026

Loyalty Cards Under KVKK: The Board's 2026/266 Principle Decision Sets a New "No Verification, No Transaction" Standard

Author: Ecem Kumsal Başyurt | Category: KVKK - GDPR


The Personal Data Protection Board's (Kişisel Verileri Koruma Kurulu) Principle Decision No. 2026/266 (In Turkish), published in the Official Gazette dated February 28, 2026 and numbered 33182, has significantly clarified both the legal nature of loyalty card programmes and the obligations incumbent on data controllers.


The core focus of the Decision is as follows:

"Allowing transactions to be carried out without any verification of the data subject, solely on the basis that a third party declares the loyalty card holder's mobile phone number or loyalty card number at the point of sale, gives rise to a risk of non-compliance with personal data security requirements and the general principles."

This assessment demonstrates that loyalty programmes should no longer be regarded merely as marketing tools, but rather as high-risk personal data processing systems.

1. The Board's Previous Approach in Light of the General Principles

1.1. An Additional Benefit Does Not Necessarily Amount to "Forced Consent"

In its Decision dated July 5, 2019 and numbered 2019/198 (In Turkish), the Board assessed that a loyalty-card-specific discount practice would not be regarded as making consent a condition of the service, provided that access to the core product/service is not removed.

A similar approach was reaffirmed in the Board's Decision dated May 25, 2023 and numbered 2023/890 (In Turkish). The Board held that participation in the special passenger programme was not mandatory for accessing the core air transport service; the programme merely offered additional benefits, and therefore the "freely given" element of consent was not undermined.

Within this framework, where:

  • access to the core service is maintained,
  • the additional benefit is tied to consent, and
  • the data subject can still benefit from the core service through alternative channels,

consent may not, in every case, be characterised as "forced".

1.2. Cookies, the Opt-In Mechanism, and Direct Marketing Law

The Board's Decision dated March 10, 2022 and numbered 2022/229 (In Turkish) set out clear boundaries regarding the use of cookies in the e-commerce sector.

The Board assessed that cookies other than strictly necessary cookies—namely:

  • advertising/marketing,
  • targeting, and
  • performance/analytics cookies

are subject to explicit consent, and cannot be activated on the basis of legitimate interests.

Furthermore, the Board explicitly considered an opt-in model—where cookies do not operate by default and are activated through the user's active choice—to be mandatory.

This approach is directly relevant to segmentation, profiling, and re-marketing activities conducted within the scope of loyalty programmes.

1.3. Operational Errors as a Separate Processing Activity

The Board also treats errors arising in operational processes as a distinct personal data processing activity.

In its Decision dated January 5, 2023 and numbered 2023/4 (In Turkish), the Board accepted that delivery of a product to the wrong individual due to cross-barcoding constitutes the disclosure of personal data to a third party.

Similarly, in its Decision dated May 18, 2023 and numbered 2023/845 (In Turkish), the Board emphasised that where a courier misuses the recipient's phone number, the data controller's obligations to implement organisational and technical measures remain in force.

In light of these decisions, defences such as "inadvertent mistake" or "isolated employee conduct" do not eliminate liability under Article 12.

1.4. Data Processor and Joint Responsibility

In its Decision dated October 7, 2021 and numbered 2021/1021 (In Turkish), the Board expressly stated that even if the breach is alleged to have occurred within the data processor's environment, the data controller's joint responsibility under Article 12/2 continues.

Penetration testing, technical oversight, monitoring of data destruction processes, and contractual security provisions were examined concretely by the Board.

This approach is of critical importance for relationships established in the e-commerce ecosystem with integrators, logistics providers, call centres, and software vendors.

2. Principle Decision No. 2026/266

2.1. Risk-Based Verification

The Board expressly stated that the use of loyalty cards for different transaction types—such as:

  • membership creation,
  • earning points,
  • spending points, and
  • using discounts/promotions

may be subject to different verification mechanisms depending on the level of risk.

This approach is aligned with the risk-based security understanding reflected in the e-commerce personal data breach decision dated August 8, 2024 and numbered 2024/1385 (In Turkish), in which:

  • failure to prevent bot traffic,
  • failure to detect anomalous access despite hundreds of logins from the same IP, and
  • activation of 2FA only after the incident

were assessed as a violation of the data controller's obligations under Article 12.

Accordingly, the Board's message is now clear:

Identity verification and prevention of misuse are no longer optional; they constitute a mandatory design element under Article 12.

2.2. Legal Basis for Processing and the Unlawfulness Issue

The Board stated that transactions carried out by a third party without the loyalty card holder's knowledge and consent cannot be based on any of the legal bases set out under Article 5 of the Law.

The critical points are:

  • the data subject did not make the purchase,
  • the transaction data is recorded under the data subject's account, and
  • invoices are often issued in the data subject's name.

This situation also undermines the "accurate and, where necessary, up-to-date" principle set out in Article 4.

A similar approach is also reflected in the Board's 2023/4 cross-barcoding decision (In Turkish): "even an inadvertent operational error may, as a matter of law, give rise to a new processing/disclosure activity."

2.3. Six-Month Compliance Period and Sectoral Impact

Through the Principle Decision, the Board granted data controllers a six-month compliance period.

The Board expressly stated that, upon expiry of this period, proceedings may be initiated under Article 18 against data controllers who:

  • fail to implement verification mechanisms,
  • fail to differentiate transaction flows based on risk, and
  • fail to prevent third-party use.

3. Link Between the Principle Decision and the GDPR / e-Privacy Perspective

There are significant parallels between Türkiye's KVKK approach and the EU data protection framework.

3.1. The GDPR Consent Standard

Under the EU General Data Protection Regulation (GDPR), consent must be:

  • freely given,
  • informed, and
  • specific and unambiguous for defined purposes.

KVKK adopts a comparable consent standard. Therefore, within loyalty programmes, consents for marketing and additional benefits should be collected separately, in an informative manner, and on a voluntary basis.

3.2. e-Privacy Directive (2002/58/EC) and Marketing Communications

The EU e-Privacy Directive requires prior consent (opt-in), particularly for direct marketing conducted through electronic communications. It also protects device privacy in practices such as cookies and device storage/access.

In the context of loyalty programmes, this approach points to principles such as:

  • obtaining explicit consent for SMS/e-mail campaigns,
  • separating marketing consent from membership, and
  • embedding mechanisms such as two-factor authentication and user confirmation at the design stage.

3.3. The EDPB Guidance and "Privacy by Design"

The EDPB's guidance on the interplay between the GDPR and the Digital Markets Act (DMA) emphasises that data protection obligations must be incorporated from the outset across all digital design processes ("privacy by design"). This implies that, for loyalty programmes involving multiple processing operations, risk-based verification and security measures should be embedded at the design stage.

4. Conclusion

Pursuant to the Personal Data Protection Board's Principle Decision No. 2026/266, published in the Official Gazette dated 28 February 2026 and numbered 33182, data controllers operating loyalty card schemes must implement the measures set out below within six months; otherwise, the Board may impose sanctions.

Practices That Must Be Ceased Immediately

Transaction flows that allow, at the point of sale/online, the following actions solely by stating the loyalty card number or mobile phone number—without obtaining the data subject's approval—must be discontinued:

  • earning points / spending points,
  • applying discounts/promotions,
  • processing transactions and/or issuing invoices in the data subject's name.

Verification:

Use of the loyalty card must not be completed without a verification step that confirms the transaction is carried out with the knowledge and consent of the data subject. Particularly for point spending and discount-triggering transactions, a "no verification, no transaction" approach should be adopted.

Verification Mechanisms Referenced by the Board:

  1. SMS OTP (one-time password / verification code)
    • When the loyalty card/phone number is entered at the point of sale, the system sends an OTP to the registered phone number.
    • The transaction (points/discount etc.) cannot be completed without entering the OTP.
    • For high-risk transactions such as spending points, OTP may be configured as "mandatory"; for earning points, it may be designed in a "risk-based" manner.
  2. In-app approval via mobile application (push / in-app approval)
    • A real-time approval request is triggered ("a loyalty account is requested to be used"), and a notification is sent to the app.
    • The data subject selects "Approve/Reject"; without approval, there is no transaction.
  3. Barcode / QR verification
    • The loyalty account may be used only by scanning a dynamic QR/barcode within the application.
    • However, a system should be established in line with the "Quishing Information Notice" published on the Authority's website.
  4. Alternative verification mechanisms, in alignment with the Board's approach of providing "alternatives for different groups of data subjects":
    • SMS OTP for individuals without an app / without smartphones,
    • IVR code delivery or customer-panel verification for those who cannot receive SMS (e.g., foreign SIM cards),
    • Accessible verification flows for users with disabilities.

Risk-Based Verification Matrix

In Principle Decision No. 2026/266, the Board stated that loyalty card transactions may be subject to different verification mechanisms depending on transaction type and risk level. While no specific technical solution is mandated, it is emphasised that mechanisms ensuring confirmation of the data subject's knowledge and intent must be implemented.

Accordingly, data controllers may model verification as follows, taking into account the nature of their activities, transaction volume, fraud risk, and technical infrastructure:

  1. High-Risk Transactions
    In such cases, the data subject's explicit and verified intent should be obtained. For example:
    • SMS OTP,
    • real-time transaction approval via the mobile application,
    • dynamic (single-use) QR/barcode verification.
  2. Medium-Risk Transactions
    A minimum verification mechanism may be sufficient. For example:
    • scanning an in-app barcode/QR,
    • a verification model that escalates to OTP when certain risk indicators arise.
  3. Information-Only Transactions
    Access controls ensuring account security (e.g., two-factor authentication) may be implemented; however, these should be technically separated from transaction-generating actions.

It should be emphasised that the Board's approach is not to mandate a specific technology, but to ensure the design of a proportionate and purpose-bound verification architecture that prevents third-party use without the data subject's knowledge.

Therefore, the mechanisms listed above do not constitute a binding technical checklist; they are illustrative design alternatives. Data controllers should determine the appropriate mechanism based on a risk analysis reflecting their operational structure.

Records, Evidence, and Audit Trail (Alignment with KVKK Article 12)

For each loyalty transaction, the following records may be retained:

  • verification method (OTP / QR / in-app approval),
  • verification outcome (success/failure),
  • timestamp and transaction type (earning/spending points/discount),
  • channel used (POS, web, mobile),
  • suspicious indicators (multiple attempts, unusual amounts, etc.).

Such logs are critical both for internal audits and for demonstrating compliance in the context of potential breach investigations.
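The following is an added illustration of how the verification mechanisms, the risk-based matrix and the audit-trail records described above can fit together in one transaction gate. It is example code written for this page, not code from the Board, the Authority or CottGroup, and it does not implement any mandated design. The risk thresholds (three attempts in ten minutes, an "unusual amount" ceiling), the challenge lifetime, the choice of SHA-256 for storing the outstanding challenge and the sample transactions are all assumptions. Spending points and discounts always require an SMS OTP; earning points starts with a dynamic in-app QR and escalates to OTP when a risk indicator appears; information-only access is deliberately refused by this path so that it stays separate from transaction-generating actions; and every completion attempt, including a bare card/phone number with no proof, is written to the audit log with method, outcome, timestamp, type, channel and indicators.

```python
"""Risk-based verification gate for loyalty-card transactions (added example).

Not the Board's, the Authority's or any vendor's code. Thresholds, TTL and the
sample values are assumptions made for this illustration.
"""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field
from enum import Enum
from typing import List, Optional, Tuple


class Tx(Enum):
    EARN = "earn"          # earning points: medium risk, escalates on indicators
    SPEND = "spend"        # spending points: high risk, OTP always
    DISCOUNT = "discount"  # discount/promotion: high risk, OTP always
    INFO = "info"          # balance lookup: not a transaction, handled elsewhere


class Method(Enum):
    OTP = "otp"            # SMS one-time code to the registered number
    QR = "qr"              # dynamic single-use in-app barcode/QR


HIGH_RISK = {Tx.SPEND, Tx.DISCOUNT}
ATTEMPT_WINDOW_S = 600     # assumption: lookback window for repeated attempts
MAX_ATTEMPTS = 3           # assumption: this many attempts in the window is an indicator
UNUSUAL_AMOUNT = 500.0     # assumption: amounts above this are an indicator
CHALLENGE_TTL_S = 180      # assumption: an OTP / QR nonce lives three minutes


@dataclass
class Pending:
    tx: Tx
    method: Method
    channel: str
    amount: float
    indicators: List[str]


@dataclass
class Account:
    phone: str                               # registered number (constructed in tests)
    pending: Optional[Pending] = None
    secret_hash: Optional[str] = None        # only the hash of the outstanding challenge is kept
    expires: float = 0.0
    attempts: List[float] = field(default_factory=list)


@dataclass
class AuditRecord:
    method: str
    outcome: str
    tx_type: str
    channel: str
    timestamp: float
    indicators: List[str]


AUDIT_LOG: List[AuditRecord] = []


def risk_indicators(acct: Account, amount: float, now: float) -> List[str]:
    """Suspicious indicators named on the page: repeated attempts, unusual amounts."""
    inds = []
    recent = [t for t in acct.attempts if now - t < ATTEMPT_WINDOW_S]
    if len(recent) >= MAX_ATTEMPTS:
        inds.append("multiple_attempts")
    if amount > UNUSUAL_AMOUNT:
        inds.append("unusual_amount")
    return inds


def required_method(tx: Tx, indicators: List[str]) -> Method:
    """Map transaction type and risk indicators to the verification step demanded."""
    if tx is Tx.INFO:
        raise ValueError("information-only access is gated by login/2FA, not by this path")
    if tx in HIGH_RISK or indicators:
        return Method.OTP  # mandatory for spend/discount; escalation for earn
    return Method.QR       # earn-points baseline: scan the dynamic in-app QR


def begin(acct: Account, tx: Tx, amount: float, channel: str,
          now: Optional[float] = None) -> Tuple[Method, str]:
    """Step 1: choose the method and issue a single-use challenge.

    Returns (method, challenge); the challenge is what would be sent by SMS or
    shown in the app. It is returned here only so the example runs offline.
    """
    now = time.time() if now is None else now
    inds = risk_indicators(acct, amount, now)
    acct.attempts.append(now)
    method = required_method(tx, inds)
    challenge = (f"{secrets.randbelow(10**6):06d}" if method is Method.OTP
                 else secrets.token_urlsafe(16))
    acct.secret_hash = hashlib.sha256(challenge.encode()).hexdigest()
    acct.expires = now + CHALLENGE_TTL_S
    acct.pending = Pending(tx, method, channel, amount, inds)
    return method, challenge


def complete(acct: Account, proof: Optional[str], now: Optional[float] = None) -> bool:
    """Step 2: the transaction goes through only with a matching, unexpired proof.

    Declaring the card or phone number alone (proof=None) never authorises anything.
    The challenge is consumed whether or not it succeeded, and an audit record is kept.
    """
    now = time.time() if now is None else now
    p = acct.pending
    if p is None:
        return False  # nothing was begun, e.g. a POS tried to post points directly
    ok = (proof is not None and now <= acct.expires and acct.secret_hash is not None
          and hmac.compare_digest(acct.secret_hash,
                                  hashlib.sha256(proof.encode()).hexdigest()))
    acct.secret_hash, acct.pending = None, None
    AUDIT_LOG.append(AuditRecord(p.method.value, "success" if ok else "failure",
                                 p.tx.value, p.channel, now, p.indicators))
    return ok
```

In use, the point-of-sale integration calls `begin` when the card or phone number is presented and `complete` once the customer has typed the OTP or the app has scanned the QR; posting points or a discount without a preceding `complete` that returned `True` is the flow the Decision says must stop. Only a hash of the outstanding challenge is stored, the comparison is constant-time, and a challenge is invalidated after one use so a captured code cannot be replayed.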

Separation of Consent Management (Membership ≠ Marketing)

Membership, marketing, and additional service consents should be managed separately, and an easy withdrawal mechanism should be provided.

