SMS Verification Codes and the Personal Data Protection Board's Guideline Decision No. 2025/1072
17 August 2025
The Personal Data Protection Board's Guideline Decision dated 10 June 2025 and numbered 2025/1072 introduces significant regulations regarding personal data processing activities conducted through SMS verification codes, which have become a widespread practice in commercial life. The decision requires significant adjustments to customer relationship management, particularly in the service and retail industries.
1. The Current State of the SMS Verification System and Legal Issues
Complaints received by the Authority reveal a core issue: during the provision of products and services, data controllers request SMS verification codes on the stated grounds of finalizing payment or for the issuance of an invoice, yet use those codes to obtain explicit consent to send commercial electronic messages. This practice violates the fundamental principles of the Law on the Protection of Personal Data No. 6698.
The principle of explicit consent, as described in Article 3 of the Law, has three key elements:
Under current practices, data subjects are misled as to the object of their consent; consequently, the consent cannot be regarded as "informed." Moreover, when access to a product or service is conditioned on agreeing to receive commercial electronic messages, the requirement that consent be "freely given" is not satisfied.
As emphasized by the Personal Data Protection Board (Decision No. 2020/173, dated 27 February 2020), when explicit consent is made a precondition for the supply of a product or service, the element of free will is compromised and valid explicit consent cannot be said to exist. This jurisprudence likewise serves as one of the principal foundations of the Board's Guideline Decision.
2. Regulations Introduced by the Guideline Decision
The Board's Guideline Decision imposes clear, actionable obligations on data controllers. First, pursuant to the principle of layered information, the purpose of the SMS verification code and the legal consequences of providing it must be clearly and intelligibly communicated to the data subject. This information must be delivered both orally by the controller's personnel and in writing within the content of the SMS.
Second, the use of a single verification code to perform more than one legal act is prohibited. Separate mechanisms must be implemented for transactions that entail distinct legal consequences (such as approval of a membership agreement, procurement of explicit consent for the processing of personal data, and authorization for the transmission of commercial electronic messages), and explicit consent must be obtained separately for each.
Third, obtaining explicit consent for the sending of commercial electronic messages cannot be presented as a mandatory condition for the provision of products or services. As expressly stated in the Decision, data subjects must be clearly informed that permission for commercial communications is not a precondition for completing the transaction, and that the transaction can still be finalized even if no SMS verification code is provided for that purpose.
Fourth and finally, data controllers are required to conduct periodic training and awareness-raising activities for the personnel involved in these processes. This requirement is regarded as part of the administrative measures on data security set out in Article 12 of the Law.
3. The Relationship Between the Obligation to Inform and Explicit Consent
Under Article 10 of the Law, the obligation to inform must be fulfilled at the time personal data are obtained by the data controller or a person authorized by it. This obligation must be discharged independently of the collection of explicit consent. As expressly emphasized in the Guideline Decision, the obligation to inform and the act of obtaining explicit consent must be carried out separately.
As set out in the Communiqué on the Procedures and Principles to be Complied with in Fulfilling the Obligation to Inform, information notices must be clear, intelligible, and accessible. Because it is not technically feasible to include the entire notice within SMS content, a layered information method should be adopted. The first layer should provide the essential information, and data subjects should be directed to online platforms for the full notice.
4. Legal Penalties and the Liability Regime
Upon non-compliance with the Guideline Decision, administrative fines shall be imposed pursuant to Article 18 of the Law. For 2025, the ranges are TRY 68,083-1,362,021 for violations of the obligation to inform, and TRY 204,285-13,620,402 for processing personal data without the data subject's explicit consent (3).
The unlawful processing of personal data may also constitute a violation of personal rights. Under Article 58 of the Turkish Code of Obligations, individuals whose personality rights have been violated may seek compensation for intangible damages.
This approach is clearly reflected in the Court of Cassation's case law. For example, in one judgment, a mobile line was established in the plaintiff's name by using the plaintiff's identification details without the plaintiff's knowledge or consent, and by forging the plaintiff's signature. When the bills went unpaid, execution proceedings were started against the plaintiff, who was compelled to file a negative declaratory action. The Court of Cassation established that the telecommunications company had failed to exercise due diligence in selecting and effectively supervising its branch/vendor, and that this lapse of diligence violated the plaintiff's personality rights; on that basis, it upheld the claim for non-pecuniary damages (4th Civil Chamber of the Court of Cassation, E. 2019/979, K. 2019/2679). (4)
Furthermore, the Board has the authority to order the suspension of data processing activities. In cases of repeated or systematic violations, that authority may be exercised to suspend in full specific processing operations undertaken by the data controller. Such measures entail significant operational risks, particularly for business models reliant on customer data.
5. Measures Required for Compliance
Data controllers should undertake a comprehensive transformation process to achieve compliance with the Guideline Decision. At the technical infrastructure level, separate authorization mechanisms should be established for distinct purposes. SMS delivery systems should be reconfigured to generate customized content for each type of transaction. In particular, messages seeking consent for the sending of commercial electronic messages must clearly state that such consent is optional.
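One way to build the separate, purpose-specific mechanisms described above, as an added example that is not part of the original article or the Board's Decision: each code is bound to a single purpose, carries its own SMS text, and the optional commercial-message consent can never be made a precondition. The class and method names, SMS wording, notice URL, validity window and try limit are assumptions chosen for illustration.

```python
import hashlib
import hmac
import secrets
import time
from enum import Enum

class Purpose(Enum):
    PAYMENT = "payment"
    DATA_PROCESSING = "data_processing_consent"
    COMMERCIAL = "commercial_messages_consent"

NOTICE_URL = "https://example.invalid/notice"  # constructed placeholder
TEMPLATES = {  # constructed first-layer SMS wording (assumption)
    Purpose.PAYMENT: "Code {code} confirms your payment only. Notice: {url}",
    Purpose.DATA_PROCESSING: "Code {code} gives consent to data processing only. Notice: {url}",
    Purpose.COMMERCIAL: "Code {code} is OPTIONAL consent to commercial messages; "
                        "your transaction completes without it. Notice: {url}",
}
OPTIONAL = {Purpose.COMMERCIAL}  # must never gate the product or service
TTL_SECONDS, MAX_TRIES = 180, 3  # assumed validity window and guess limit

class PurposeBoundOtp:
    def __init__(self, clock=time.time):
        self._key = secrets.token_bytes(32)
        self._clock = clock
        self._pending = {}       # (phone, purpose) -> [mac, expires_at, tries_left]
        self._confirmed = set()  # (phone, purpose) pairs actually verified

    def _mac(self, phone, purpose, code):
        msg = f"{phone}|{purpose.value}|{code}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).digest()

    def issue(self, phone, purpose):
        """Return (code, sms_text); only a MAC bound to this purpose is stored."""
        code = f"{secrets.randbelow(10**6):06d}"
        expires = self._clock() + TTL_SECONDS
        self._pending[(phone, purpose)] = [self._mac(phone, purpose, code), expires, MAX_TRIES]
        return code, TEMPLATES[purpose].format(code=code, url=NOTICE_URL)

    def verify(self, phone, purpose, code):
        """Single use, expiring, limited tries; confirms only the named purpose."""
        entry = self._pending.get((phone, purpose))
        if entry is None or self._clock() > entry[1] or entry[2] <= 0:
            return False
        entry[2] -= 1
        if not hmac.compare_digest(entry[0], self._mac(phone, purpose, code)):
            return False
        del self._pending[(phone, purpose)]
        self._confirmed.add((phone, purpose))
        return True

    def can_complete(self, phone, required=(Purpose.PAYMENT,)):
        if OPTIONAL & set(required):  # optional consent can never be a precondition
            raise ValueError("optional consent cannot gate the transaction")
        return all((phone, p) in self._confirmed for p in required)
```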
From an operational standpoint, all procedures across customer touchpoints should be reassessed. Detailed operating procedures should be prepared for sales personnel, call-center agents, and digital channel managers. These operating procedures must set out what information must be provided in each scenario, the exact wording to be used, and which behaviors are to be avoided.
From a legal compliance perspective, the status of existing customer databases must be reviewed. Consents obtained through defective methods lack legal validity; processing predicated upon them must be discontinued immediately. Where necessary, fresh explicit consent should be obtained from customers using procedures compliant with the Law's requirements.
At the corporate governance level, data-protection compliance programs must be developed. These programs should include periodic internal audits, risk assessments, and remediation plans. Active involvement by senior management and the allocation of necessary resources are essential to ensuring effectiveness.
6. Conclusion and Assessment
The Personal Data Protection Board's Guideline Decision No. 2025/1072 emphasizes the principles of transparency and fairness of data-processing activities conducted via SMS verification codes. This decision marks a significant step in Turkey's alignment with the European Union acquis on personal data protection.
For data controllers, while this decision may entail short-term operational challenges and additional costs, it offers significant long-term opportunities to build customer trust and to develop sustainable business models. Businesses that adopt a proactive approach to personal data protection will gain a competitive advantage and position themselves as trusted actors in the digital economy.
Upon its publication in the Official Gazette on 26 June 2025, the Guideline Decision entered into force and the compliance process for data controllers began. The Board's omission of any transitional period is predicated on the view that these practices were already contrary to law. Therefore, data controllers must immediately take the necessary measures and complete their compliance efforts.
In conclusion, the Guideline Decision constitutes a turning point for promoting data responsibility and institutionalizing an ethical culture of data processing. Because the future of the data economy rests on trust, compliance with this framework constitutes not only a legal obligation but also an essential condition for sustainable growth.
References
(1) Personal Data Protection Board (KVKK), Decision No. 2020/173, dated 27 February 2020.