SMS Verification Codes and the Personal Data Protection Board's Guideline Decision No. 2025/1072
18 August 2025

The Personal Data Protection Board's Guideline Decision dated 10 June 2025 and numbered 2025/1072 introduces significant regulations regarding personal data processing activities conducted through SMS verification codes, which have become a widespread practice in commercial life. The decision requires significant adjustments to customer relationship management, particularly in the service and retail industries.

1. The Current State of the SMS Verification System and Legal Issues

Complaints received by the Authority reveal a core issue: during the provision of products and services, data controllers request SMS verification codes on the stated grounds of finalizing payment or for the issuance of an invoice, yet use those codes to obtain explicit consent to send commercial electronic messages. This practice violates the fundamental principles of the Law on the Protection of Personal Data No. 6698.

The principle of explicit consent, as described in Article 3 of the Law, has three key elements:

Under current practices, data subjects are misled as to the object of their consent; consequently, the consent cannot be regarded as "informed." Moreover, when access to a product or service is conditioned on agreeing to receive commercial electronic messages, the requirement that consent be "freely given" is not satisfied.

As emphasized by the Personal Data Protection Board (Decision No. 2020/173, dated 27 February 2020), when explicit consent is made a precondition for the supply of a product or service, the element of free will is compromised and valid explicit consent cannot be said to exist. This jurisprudence likewise serves as one of the principal foundations of the Board's Guideline Decision.

2. Regulations Introduced by the Guideline Decision

The Board's Guideline Decision imposes clear, actionable obligations on data controllers. First, pursuant to the principle of layered information, the purpose of the SMS verification code and the legal consequences of providing it must be clearly and intelligibly communicated to the data subject. This information must be delivered both orally by the controller's personnel and in writing within the content of the SMS.

Second, the use of a single verification code to perform more than one legal act is prohibited. Separate mechanisms must be implemented for transactions that entail distinct legal consequences (such as approval of a membership agreement, procurement of explicit consent for the processing of personal data, and authorization for the transmission of commercial electronic messages), and explicit consent must be obtained separately for each.

Third, obtaining explicit consent for the sending of commercial electronic messages cannot be presented as a mandatory condition for the provision of products or services. As expressly stated in the Decision, data subjects must be clearly informed that permission for commercial communications is not a precondition for completing the transaction, and that the transaction can still be finalized even if no SMS verification code is provided for that purpose.

Fourth and finally, data controllers are required to conduct periodic training and awareness-raising activities for the personnel involved in these processes. This requirement is regarded as part of the administrative measures on data security set out in Article 12 of the Law.

3. The Relationship Between the Obligation to Inform and Explicit Consent

Under Article 10 of the Law, the obligation to inform must be fulfilled at the time personal data are obtained by the data controller or a person authorized by it. This obligation must be discharged independently of the collection of explicit consent. As expressly emphasized in the Guideline Decision, the obligation to inform and the act of obtaining explicit consent must be carried out separately.

As set out in the Communiqué on the Procedures and Principles to be Complied with in Fulfilling the Obligation to Inform, information notices must be clear, intelligible, and accessible. Because it is not technically feasible to include the entire notice within SMS content, a layered information method should be adopted. The first layer should provide the essential information, and data subjects should be directed to online platforms for the full notice.

4. Legal Penalties and the Liability Regime

Upon non-compliance with the Guideline Decision, administrative fines shall be imposed pursuant to Article 18 of the Law. For 2025, the ranges are TRY 68,083-1,362,021 for violations of the obligation to inform, and TRY 204,285-13,620,402 for processing personal data without the data subject's explicit consent (3).

The unlawful processing of personal data may also constitute a violation of personal rights. Under Article 58 of the Turkish Code of Obligations, individuals whose personality rights have been violated may seek compensation for intangible damages.

This approach is clearly reflected in the Court of Cassation's case law. For example, in one judgment, a mobile line was established in the plaintiff's name by using the plaintiff's identification details without the plaintiff's knowledge or consent, and by forging the plaintiff's signature. When the bills went unpaid, execution proceedings were started against the plaintiff, who was compelled to file a negative declaratory action. The Court of Cassation established that the telecommunications company had failed to exercise due diligence in selecting and effectively supervising its branch/vendor, and that this lapse of diligence violated the plaintiff's personality rights; on that basis, it upheld the claim for non-pecuniary damages (4th Civil Chamber of the Court of Cassation, E. 2019/979, K. 2019/2679). (4)

Furthermore, the Board has the authority to order the suspension of data processing activities. In cases of repeated or systematic violations, that authority may be exercised to suspend in full specific processing operations undertaken by the data controller. Such measures entail significant operational risks, particularly for business models reliant on customer data.

5. Measures Required for Compliance

Data controllers should undertake a comprehensive transformation process to achieve compliance with the Guideline Decision. At the technical infrastructure level, separate authorization mechanisms should be established for distinct purposes. SMS delivery systems should be reconfigured to generate customized content for each type of transaction. In particular, messages seeking consent for the sending of commercial electronic messages must clearly state that such consent is optional.

From an operational standpoint, all procedures across customer touchpoints should be reassessed. Detailed operating procedures should be prepared for sales personnel, call-center agents, and digital channel managers. These operating procedures must set out what information must be provided in each scenario, the exact wording to be used, and which behaviors are to be avoided.

From a legal compliance perspective, the status of existing customer databases must be reviewed. Consents obtained through defective methods lack legal validity; processing predicated upon them must be discontinued immediately. Where necessary, fresh explicit consent should be obtained from customers using procedures compliant with the Law's requirements.

At the corporate governance level, data-protection compliance programs must be developed. These programs should include periodic internal audits, risk assessments, and remediation plans. Active involvement by senior management and the allocation of necessary resources are essential to ensuring effectiveness.

6. Conclusion and Assessment

The Personal Data Protection Board's Guideline Decision No. 2025/1072 emphasizes the principles of transparency and fairness of data-processing activities conducted via SMS verification codes. This decision marks a significant step in Turkey's alignment with the European Union acquis on personal data protection.

For data controllers, while this decision may entail short-term operational challenges and additional costs, it offers significant long-term opportunities to build customer trust and to develop sustainable business models. Businesses that adopt a proactive approach to personal data protection will gain a competitive advantage and position themselves as trusted actors in the digital economy.

Upon its publication in the Official Gazette on 26 June 2025, the Guideline Decision entered into force and the compliance process for data controllers began. The Board's omission of any transitional period is predicated on the view that these practices were already contrary to law. Therefore, data controllers must immediately take the necessary measures and complete their compliance efforts.

In conclusion, the Guideline Decision constitutes a turning point for promoting data responsibility and institutionalizing an ethical culture of data processing. Because the future of the data economy rests on trust, compliance with this framework constitutes not only a legal obligation but also an essential condition for sustainable growth.

References
(1) Personal Data Protection Board (KVKK), Decision No. 2020/173, dated 27 February 2020.