Turkish Personal Data Protection Authority issues announcement to shop stores concerning the explicit consent of customers

December 2021 – On 17 December 2021, the Turkish Data Protection Authority (the “Authority”) issued a public announcement regarding the explicit consents collected by shop stores via verification codes sent by SMS to customers’ telephone numbers. As many shop stores obtain the explicit consent of their customers while they are standing in the queue at the shop store by stating that the verification code is necessary for the payment process, the Authority felt compelled to make a public announcement regarding such misleading data processing activities.

In its announcement the Authority outlined how, at some shop stores, an authorised person will request the verification code sent to customers by SMS, and the store then begins to send commercial electronic messages based on the consent provided via the verification code. The Authority evaluates such misleading behaviour in its announcement and underlines the obligation to inform data controllers of the requirements of explicit consent.

Requirements of explicit consent

In particular, in its announcement the Authority highlights the requirements of explicit consent, stating that explicit consent must be (i) related to a specified subject, (ii) based on information provided, and (iii) declared by free will. In the event that a data subject provides explicit consent for several categories, the explicit consent must also relate to the different aspects of data processing (which data category is processed for which purposes, etc.).

In addition, the Authority states that data subjects must be informed of the implications of providing their consent. The Authority also indicated that consent obtained through deceptive behaviour is invalid, as such behaviour impairs the free will of data subjects. Finally, the Authority states that explicit consent must not be bundled together as a condition of services.

What do shop stores need to do to be in compliance?

In its announcement, the Authority concluded that:

  • Authorised persons of shop stores must provide sufficient information in clear and plain language regarding the purpose of sending SMS messages to customers and what the result will be after providing the verification code received by SMS. In addition, the content of the SMS must include the necessary links to the shop store’s detailed privacy notice.
  • Shop stores must cease to collect the explicit consent of data subjects for several activities together, such as loyalty agreements, permission for personal data processing, approval for commercial electronic messages, etc., and must instead submit options for each data processing activity separately.
  • Shop stores must avoid situations where fulfilling the obligation to inform and collecting explicit consent are conducted together.
  • In the event that shop stores intend to send SMS verification codes to obtain the explicit consent of customers regarding the sending of commercial electronic messages, the explicit consent must include all requirements mentioned above.

For more information, please contact Ceren Ceyhan, Associate, at, or Hatice Nur Arslan, Legal Trainee, at