SMS Verification Codes and the Personal Data Protection Board's Guideline Decision No. 2025/1072 17 August 2025
The Personal Data Protection Board's Guideline Decision dated 10 June 2025 and numbered 2025/1072 introduces significant regulations regarding personal data processing activities conducted through SMS verification codes, which have become a widespread practice in commercial life. The decision requires significant adjustments to customer relationship management, particularly in the service and retail industries.
|
1. The Current State of the SMS Verification System and Legal Issues |
|
Complaints received by the Authority reveal a core issue: during the provision of products and services, data controllers request SMS verification codes on the stated grounds of finalizing payment or for the issuance of an invoice, yet use those codes to obtain explicit consent to send commercial electronic messages. This practice violates the fundamental principles of the Law on the Protection of Personal Data No. 6698. |
|
The principle of explicit consent, as described in Article 3 of the Law, has three key elements: |
|
|
Under current practices, data subjects are misled as to the object of their consent; consequently, the consent cannot be regarded as "informed." Moreover, when access to a product or service is conditioned on agreeing to receive commercial electronic messages, the requirement that consent be "freely given" is not satisfied. |
|
As emphasized by the Personal Data Protection Board (Decision No. 2020/173, dated 27 February 2020), when explicit consent is made a precondition for the supply of a product or service, the element of free will is compromised and valid explicit consent cannot be said to exist. This jurisprudence likewise serves as one of the principal foundations of the Board's Guideline Decision. |
|
2. Regulations Introduced by the Guideline Decision |
|
The Board's Guideline Decision imposes clear, actionable obligations on data controllers. First, pursuant to the principle of layered information, the purpose of the SMS verification code and the legal consequences of providing it must be clearly and intelligibly communicated to the data subject. This information must be delivered both orally by the controller's personnel and in writing within the content of the SMS. |
|
Second, the use of a single verification code to perform more than one legal act is prohibited. Separate mechanisms must be implemented for transactions that entail distinct legal consequences-such as approval of a membership agreement, procurement of explicit consent for the processing of personal data, and authorization for the transmission of commercial electronic messages-and explicit consent must be obtained separately for each. |
|
Third, obtaining explicit consent for the sending of commercial electronic messages cannot be presented as a mandatory condition for the provision of products or services. As expressly stated in the Decision, data subjects must be clearly informed that permission for commercial communications is not a precondition for completing the transaction, and that the transaction can still be finalized even if no SMS verification code is provided for that purpose. |
|
Fourth and final provision: data controllers are required to conduct periodic training and awareness-raising activities for the personnel involved in these processes. This requirement is regarded as part of the administrative measures on data security set out in Article 12 of the Law. |
|
3. The Relationship Between the Obligation to Inform and Explicit Consent |
|
Under Article 10 of the Law, the obligation to inform must be fulfilled at the time personal data are obtained by the data controller or a person authorized by it. This obligation must be discharged independently of the collection of explicit consent. As expressly emphasized in the Guideline Decision, the obligation to inform and the act of obtaining explicit consent must be carried out separately. |
|
As set out in the Communiqué on the Procedures and Principles to be Complied with in Fulfilling the Obligation to Inform, information notices must be clear, intelligible, and accessible. Because it is not technically feasible to include the entire notice within SMS content, layered information method should be adopted. The first layer should provide the essential information, and data subjects should be directed to online platforms for the full notice. |
|
4. Legal Penalties and the Liability Regime |
|
Upon non-compliance with the Guideline Decision, administrative fines shall be imposed pursuant to Article 18 of the Law. For 2025, the ranges are TRY 68,083-1,362,021 for violations of the obligation to inform, and TRY 204,285-13,620,402 for processing personal data without the data subject's explicit consent (3). |
|
The unlawful processing of personal data may also constitute a violation of personal rights. Under Article 58 of the Turkish Code of Obligations, individuals whose personality rights have been violated may seek compensation for intangible damages. |
|
This approach is clearly reflected in the Court of Cassation's case law. For example, in one judgment, a mobile line was established in the plaintiff's name by using the plaintiff's identification details without the plaintiff's knowledge or consent, and by forging the plaintiff's signature. When the bills went unpaid, execution proceedings were started against the plaintiff, who was compelled to file a negative declaratory action. The Court of Cassation established that the telecommunications company had failed to exercise due diligence in selecting and effectively supervising its branch/vendor, and that this lapse of diligence violated the plaintiff's personality rights; on that basis, it upheld the claim for non-pecuniary damages (4th Civil Chamber of the Court of Cassation, E. 2019/979, K. 2019/2679). (4) |
|
Furthermore, the Board has the authority to order the suspension of data processing activities. In cases of repeated or systematic violations, that authority may be exercised to suspend in full specific processing operations undertaken by the data controller. Such measures entail significant operational risks, particularly for business models reliant on customer data. |
|
5. Measures Required for Compliance |
|
Data controllers should undertake a comprehensive transformation process to achieve compliance with the Guideline Decision. At the technical infrastructure level, separate authorization mechanisms should be established for distinct purposes. SMS delivery systems should be reconfigured to generate customized content for each type of transaction. In particular, messages seeking consent for the sending of commercial electronic messages must clearly state that such consent is optional. |
|
From an operational standpoint, all procedures across customer touchpoints should be reassessed. Detailed operating procedures should be prepared for sales personnel, call-center agents, and digital channel managers. These operating procedures must set out what information must be provided in each scenario, the exact wording to be used, and which behaviors are to be avoided. |
|
From a legal compliance perspective, the status of existing customer databases must be reviewed. Consents obtained through defective methods lack legal validity; processing predicated upon them must be discontinued immediately. Where necessary, fresh explicit consent should be obtained from customers using procedures compliant with the Law's requirements. |
|
At the corporate governance level, data-protection compliance programs must be developed. These programs should include periodic internal audits, risk assessments, and remediation plans. Active involvement by senior management and the allocation of necessary resources are essential to ensuring effectiveness. |
|
6. Conclusion and Assessment |
|
The Personal Data Protection Board's Guideline Decision No. 2025/1072 emphasizes the principles of transparency and fairness of data-processing activities conducted via SMS verification codes. This decision marks a significant step in Turkey's alignment with the European Union acquis on personal data protection. |
|
For data controllers, while this decision may entail short-term operational challenges and additional costs, it offers significant long-term opportunities to build customer trust and to develop sustainable business models. Businesses that adopt a proactive approach to personal data protection will gain a competitive advantage and position themselves as trusted actors in the digital economy. |
|
Upon its publication in the Official Gazette on 26 June 2025, the Guideline Decision entered into force and the compliance process for data controllers began. The Board's omission of any transitional period is predicated on the view that these practices were already contrary to law. Therefore, data controllers must immediately take the necessary measures and complete their compliance efforts. |
|
In conclusion, the Guideline Decision constitutes a turning point for promoting data responsibility and institutionalizing an ethical culture of data processing. Recognizing that the future of the data economy rests on trust, compliance with this framework constitutes not only a legal obligation but also an essential condition for sustainable growth. |
|
References (1) Personal Data Protection Board (KVKK), Decision No. 2020/173, dated 27 February 2020. |
Other News
-
10.8.2025
Mergers And Acquisitions Of Companies Engaged In Renewable Energy Gereration
In recent years, notable developments in Turkey's electricity market have extended beyond investments aimed solely at increasing generation capacity. The sector has also come into focus through strategic investments and merger and acquisition (M&A) transactions involving companies operating in the field of renewable energy.
-
30.7.2025
Annual Leave, Severance Pay, and Notice Pay in Part - Time Employment Contracts
Part-Time Employment Contract Article 13 of the Labor Law No. 4857 defines a part-time employment contract as "a contract in which the employee's normal weekly working hours are significantly less than those of a full-time employee performing similar work."
-
29.7.2025
Legal Remedies And The Official Appeal Process For Property Tax Values
a. General Overview Following the enactment of Law No. 4751 in 2002, which amended the Tax Procedure Law, the Property Tax Law, and the Fees Law, the declaration-based system for determining the property tax base was abolished, and the tariff and assesment procedure implemented by administrative authorities was adopted.
-
24.7.2025
Labour Law No. 4857 Amended! Electronic Notification Opportunity Introduced With Rem
Article 109 of the Labour Law No. 4857 has been amended, together with its title and content, by the Law Amending the Law on the Protection of the Value of Turkish Currency and Certain Laws and the Decree Law No. 635 published in the Official Gazette dated 24 July 2025. With this important amendment, the procedures regarding the form of notifications to be made between employers and employees have been redefined.
-
15.7.2025
Terminatıon Right Of The Employer Due To Conviction And Detention And Legal Consequences
In labour law practice, which is a dynamic field based on the principle of protecting the balance between the employee and the employer, the employee's failure to fulfill their obligation to perform work-especially when this results from circumstances that restrict individual freedom, such as conviction or detention-has significant legal consequences regarding the termination of the employment contract.
-
13.7.2025
Radical Change In The Labor Law Dated 14.07.2025: Flexible Week Holiday Period Has Started In The Tourism Sector!
With the Law No. 7553 on the "Amendment of Certain Laws and Decree Law No. 375" published in the Official Gazette on July 14, 2025, important innovations have been introduced in the Labor Law and some other laws. In this context; as of 14.07.2025, with the provision added to the article Article 46 of the Labor Law which regulates the week holiday, flexible week holiday specific to the tourism sector have been introduced.
-
8.7.2025
Climate Law Enacted
The Climate Law No. 7552 ("Law"), which includes regulations on the procedures and principles related to the reduction of greenhouse gas emissions in the fight against climate change, climate adaptation activities, planning and implementation tools, revenues, permits and inspections, and the legal and institutional framework surrounding these, was published in the Official Gazette dated July 9, 2025, No. 32951, and entered into force. This Law sets out general principles and objectives from a casuistic perspective, preferring to leave detailed and technical regulations to secondary legislation.
-
6.7.2025
Mediation Practices In The Land Registry
Pursuant to the amendments introduced by Law on Amendments to the Enforcement and Bankruptcy Law and to Certain Other Laws which was published in the Official Gazette dated 05.04.2023, numbered 32154 to the Law on Mediation in Civil Disputes dated 7/6/2012 and numbered 6325 ("Law"), the scope of disputes that may be resolved through procedural- mandatory- and voluntary mediation has been expanded.
-
26.6.2025
Effects Of The Concordatum Period On Pledgees
Pursuant to Article 285 of the Enforcement and Bankruptcy Law (EBL), a debtor who is unable to pay their debts on time or is at risk of default may request a concordatum. During the period granted to the debtor upon such request, no enforcement proceedings may be initiated, and ongoing proceedings are suspended, in accordance with Article 294/1 of the EBL.
-
17.6.2025
M&A Dynamics in Publicly Traded Companies: New Investment Strategies Through Borsa Istanbul
In recent years, IPOs in Turkey have reached record levels. In 2023 and 2024, a large number of companies started trading in Borsa Istanbul as a result of initial public offerings (IPO) transactions. These IPOs, which attracted great interest from small investors, stand out as important strategic moves in which companies gain transparency and visibility, and also play a role as an important financing tool. With IPOs, publicly traded companies / partnerships are now drawing the attention of not only small investors but also domestic/foreign strategic and financial investors.
-
15.6.2025
The Court Of Cassation Abandoned Its Long-Standing Precedent Regarding Construction Conracts In Return For Land Shares, Known As "Advance Deed"
Construction contracts in return for land shares are a common practice in the construction sector in Turkey.
-
10.6.2025
Amendments To The Regulation On Distance Contracts: Return Shipping Fees And Right Of Withdrawal For Electronics
With the Regulation Amending the Regulation on Distance Contracts ("Amending Regulation") published in the Official Gazette dated May 24, 2025 and numbered 32909, important amendments were made regarding distance sales. The key changes introduced by the Amending Regulation are as follows:
-
29.5.2025
Alimony Against Inflation: Adjustmen of Alimony and the Issue of Payment in Foreign Currency
Alimony for supplementary welfare allowance and child support awarded by court judgment as a result of divorce cases is generally fixed at a certain amount and either remains the same over the years or is increased only within limited rates determined by the court. Similarly, the provisional alimony determined during the litigation process can become insufficient over time due to the prolonged duration of the proceedings and high inflation; this significantly hampers the effectiveness of alimony enforcement.
-
22.5.2025
Right To Compassionate Leave: Duration, Implementation And Assessment
Legal Basis and Definition of Compassionate Leave: In situations where an employee is unable to perform their work obligation due to certain personal circumstances in which, pursuant to the principle of good faith, the employer cannot reasonably expect the employee to work, the employee must be deemed to be on justified leave. Compassionate leave was introduced by Law No. 6645 in 2015 and is regulated under Additional Article 2 of the Turkish Labour Law No. 4857.
-
19.5.2025
The Right to Be Forgotten in the Context of Search Engines
IWith the rapid advancement of technology, personal data is increasingly recorded in digital environments and can be stored for long periods of time. This situation causes individuals' past negative experiences or changing opinions over time to remain constantly accessible. In particular, search engines make personal data widely accessible by indexing results that appear when searching individuals by their first and last names. Within this context, the "Right to Be Forgotten" stands out as the right of individuals to request the deletion of their personal data or the restriction of access to it in digital environments.
