The Turkish Personal Data Protection Authority (“Authority”) published an announcement on November 13, 2023, regarding personal data processing activities where a verification code is sent to data subjects via SMS while shopping in stores (“Announcement”). The Announcement focuses on data controllers’ non-compliant data processing practices during face-to-face shopping and provides several recommendations.
In this regard, the Authority highlights numerous complaints about data controllers that send commercial electronic messages to data subjects without their prior consent, after obtaining their phone numbers by sending a verification code via SMS at the register, on the grounds that it is necessary for completing the payment, creating invoices, transmitting invoices to the buyer’s contact address or updating information.
As the main problem raised in the complaints is the failure to obtain explicit consent for sending commercial messages, the Authority evaluates data controllers’ practices in line with the provision of the Personal Data Protection Law No. 6698 (“DPL”) and reminds data controllers of the elements of explicit consent:
1. Explicit consent must be about a specific subject. Data controllers must clearly identify the subject for which the explicit consent is obtained. Where explicit consent is obtained for the processing of multiple categories of data, the explicit consent must cover different aspects of the processing, such as which data will be processed, for what purposes and potential consequences.
2. Explicit consent must be freely given. Data subjects must be aware of their decisions and not be under the influence of force, threat, mistake and deception that may impair their will. In this context, explicit consent is not considered valid if it is provided as a prerequisite for the provision of a product/service, since the element of free will would be undermined.
3. Explicit consent must be based on an informed decision in line with the data controllers’ obligation to inform. Before obtaining data subjects’ explicit consent, data controllers must inform data subjects regarding (i) their identity and, if any, their representative’s identity, (ii) the purpose for which personal data will be processed, (iii) to whom and for what purpose the processed personal data may be transferred, (iv) the method and legal ground for collecting personal data, and (v) rights of data subjects. Moreover, data controllers must perform the obligation to inform and obtain explicit consent separately.
Accordingly, the Authority provides the following recommendations for lawful processing of personal data by sending a verification code via SMS to data subjects during store transactions:
The authorized personnel in stores must inform the data subjects in a clear and understandable manner regarding (i) the purpose of the SMS and (ii) the potential outcomes of sharing the verification code. The necessary information channels must also be provided in the content of the SMS, in line with the obligation to inform.
Data controllers must cease the practices of obtaining explicit consent for different processing activities with a single action. In this regard, explicit consent of the data subjects must be obtained separately for different data processing activities.
Data controllers must carry out the procedures for obtaining explicit consent and fulfilling the obligation to inform separately.
Requesting explicit consent to process personal data for the purpose of sending commercial messages should not be presented to customers as a mandatory element for completing a purchase. Otherwise, such practices may compromise the elements of "informed decision-making" and "free will" which are essential components of explicit consent.
Data controllers must request explicit consent to process personal data for the purpose of sending commercial messages after the purchase is completed. Thus, provision of explicit consent for commercial messages will not be perceived as a necessary element for shopping.