Principle Decision Published by the Turkish Data Protection Authority on Requesting SMS Verification Codes
The Personal Data Protection Authority (“Authority”) announced the Principle Decision of the Turkish Data Protection Board (“Board”) dated 10/06/2025 and numbered 2025/1072 on the Processing of Personal Data by Sending a Verification Code via SMS to Data Subjects During the Provision of Products and Services (“Principle Decision”), which was published in the Official Gazette dated 26/06/2025 and numbered 32938.
Numerous complaints and notices have been submitted to the Authority regarding the practice of requesting verification codes sent via SMS to citizens’ mobile phones during transactions such as making payments, creating memberships, or registering accounts. These codes are requested to be communicated to a staff member or entered into the system under the justification that they are necessary for completing payments, issuing invoices, delivering invoices to the communication address, or updating information.
Upon review of these complaints and notices, the Board found that the SMS messages containing verification codes sent to data subjects by data controllers or their authorized persons during the product and service delivery processes did not contain any privacy notice either within the message itself or beforehand. Moreover, it was determined that although the justification for requesting the code was presented as necessary for completing the transaction, the actual intention was to obtain explicit consent for sending commercial electronic messages, thereby misleading the data subjects.
According to Article 3 of the Law on the Protection of Personal Data No. 6698 (“Law”), explicit consent is defined as “consent that is related to a specific issue, based on information and expressed with free will.”
Explicit consent must meet the following three essential elements:
- The explicit consent obtained must relate to a specific issue and be limited to that subject. If consent is obtained for the processing of data in multiple categories, it must clearly specify what data will be processed and for what purposes.
- The individual must be aware of what they are consenting to. This requires that the person is fully informed both about the subject matter and the consequences of giving consent.
- As a declaration of intent, explicit consent is valid only if it is given knowingly and voluntarily by the individual without any coercion.
The Principle Decision emphasizes that if explicit consent is made a precondition for providing or benefiting from a product or service, the element of free will is compromised, and therefore, such consent cannot be deemed valid.
Additionally, the Board made the following findings based on its examination and evaluation of specific cases:
- During payment, membership, or similar transactions related to the provision of products or services, data controllers must provide a clear and comprehensible privacy notice regarding the SMS to be sent to the data subject’s phone, explaining its purpose and the potential consequences of sharing the code received via SMS.
- The processes of fulfilling the obligation to inform and obtaining explicit consent must be carried out independently of each other.
- If the verification code via SMS is sent to obtain explicit consent for commercial electronic communications, such consent must meet all legal elements as stipulated in the Law.
- The explicit consent to be obtained for processing personal data for the purpose of sending commercial electronic communications must not be presented as a mandatory element for completing the provision of products or services. Otherwise, the elements of “being informed” and “freely given” will be compromised. Hence, all such processes must be carried out in accordance with the Law.
- Furthermore, physical or digital notices given by the data controller or included in SMS content must explicitly state that:
  - Sharing the verification code with a staff member is not mandatory for receiving the product or service.
  - The service will still be provided if the code is not shared, and
  - Any given consent or preferences can be changed at any time.
- It should be stated that explicit consent must not be perceived as a mandatory requirement for the provision of services.
- To ensure lawful processing, data controllers must provide regular training and awareness programs for personnel involved in these processes.
- Data controllers must also take all necessary technical and administrative measures in accordance with Article 13 of the Law.
Data controllers who fail to comply with the Principle Decision may be subject to administrative sanctions under Article 18 of the Law on the Protection of Personal Data No. 6698.
You can access the full text of the Principle Decision (in Turkish) here.
Kind regards,
Zumbul Attorneys-at-Law