26 June 2025

Principle Decision of the Personal Data Protection Board on Sending Verification Codes via SMS

With the Turkish Personal Data Protection Board's ("Board") Principle Decision dated 10 June 2025 and numbered 2025/1072 ("Decision"), published in the Official Gazette dated 26 June 2025 and numbered 32938, the legal nature of sending verification codes via SMS within the scope of product and service delivery processes has been examined, and the corresponding data protection obligations have been clarified.

Upon evaluation of the applications and complaints submitted to the Board, it has been concluded that the act of sending SMS-based verification codes to data subjects during processes such as making payments, creating accounts, submitting offers, making reservations, or completing registrations constitutes a personal data processing activity. The Board emphasized that such activities must be carried out in full compliance with the provisions of the Law on the Protection of Personal Data No. 6698 ("LPPD").

The key determinations set forth in the Decision are summarized below:

  • The transmission of verification codes via SMS, which entails the use of a data subject's contact information, constitutes the processing of personal data. Accordingly, data controllers must fulfil their obligation to inform the data subject fully and in a timely manner.
  • Where personal data is processed on the basis of explicit consent, such consent must be obtained in advance, and it must be specific, informed, and freely given.
  • Explicit consent and consent for the receipt of commercial electronic communications are distinct legal constructs and must not be obtained through a combined checkbox or a single action.
  • The obligation to inform must always be fulfilled prior to the collection of explicit consent.
  • SMS-based verification steps must not be regarded solely as technical operations; rather, they are to be treated as personal data processing activities. Accordingly, the content and structure of the messages must reflect this.
  • In cases involving profiling and automated decision-making, data subjects must be explicitly informed and provided with the right to object, and such processes must be conducted in a transparent manner.
  • Data controllers are under a legal obligation to implement appropriate technical and organizational measures to prevent the unlawful processing of, or unauthorized access to, personal data.

When compared with the General Data Protection Regulation ("GDPR"), the approach adopted by the Board reveals a strong alignment. Similar to the LPPD, the GDPR requires that data subjects be provided with clear, comprehensive, and accessible information before the processing of their personal data. In particular, Articles 13, 14, and 22 of the GDPR emphasize the necessity of transparency, accountability, and the right to object to profiling or automated decision-making. In this regard, the Board's Principle Decision serves as an important interpretative tool for implementing these core principles under both legislative frameworks.

In light of the foregoing, it is essential to recognize that SMS-based verification mechanisms—commonly used processes—constitute personal data processing activities and must therefore be designed and managed in accordance with data protection legislation. E-commerce platforms, mobile applications, membership-based services, and similar organizations should review and, where necessary, revise their privacy notices, consent collection procedures, and system infrastructures to ensure compliance with the Decision. Aligning operational practices with the principles of lawfulness, transparency, and accountability will not only support the protection of data subjects' fundamental rights, but will also strengthen institutional compliance and trust.

The full text of the Board's Principle Decision is available here (In Turkish).

Author: Ecem Kumsal Başyurt, Category: Personal Data Protection Law
