Turkey: New Data Protection Decision on Loyalty Card Programs – What
International Businesses Should Know

The Turkish Data Protection Authority (KVKK) has issued a Principle Decision dated 11 February 2026 (No. 2026/266) concerning the use of loyalty card programs in Turkey. The decision addresses the risk that a loyalty card holder’s phone number or loyalty card number may be used by third parties during purchases without proper verification. The decision is particularly relevant for retailers, supermarkets, e-commerce platforms, restaurant chains, and other businesses operating customer loyalty programs in Turkey.

Background of the Decision

Many loyalty programs in Turkey allow customers to obtain discounts, collect points, or benefit from promotions simply by providing their phone number or loyalty card number at the point of sale.

However, according to complaints received by the Turkish Data Protection Authority, this system often allows:

  • A person to give someone else’s phone number at the checkout
  • Loyalty points or discounts to be used without verifying the identity of the card holder
  • Purchase records and invoices to be issued in the name of the loyalty card holder even though the purchase was made by another person

As a result, personal data belonging to the loyalty card holder may be processed without the individual’s knowledge or authorization.

Legal Position of the Turkish Data Protection Authority

Under the Turkish Personal Data Protection Law (Law No. 6698), companies that determine how personal data is processed are considered data controllers.

The Authority concluded that allowing purchases based solely on a phone number or loyalty card number without any verification mechanism may lead to unlawful processing of personal data.

In particular, the Authority emphasized that data controllers must:

  • Process personal data lawfully and fairly
  • Implement technical and organizational measures to prevent unauthorized access or misuse of personal data

If a third person uses a loyalty card holder’s information and a transaction is recorded under that person’s profile, the data may become incorrect or misleading, which is also inconsistent with the principles of data accuracy under Turkish data protection law.

What Companies Must Do

The Authority expects companies operating loyalty programs to introduce identity verification mechanisms before allowing loyalty benefits to be used.

Examples mentioned in the decision include:

  • SMS verification codes sent to the card holder
  • Mobile application verification
  • QR code or barcode validation
  • Presentation of the physical loyalty card
  • Use of a PIN or password linked to the loyalty account

Companies may also implement risk-based verification mechanisms, meaning that stronger verification methods may be required depending on the type of transaction.

Compliance Deadline

Businesses operating loyalty programs in Turkey have been given a six-month period to comply with the decision from the date of publication.

Organizations that fail to implement appropriate safeguards after this period may face administrative fines or other enforcement actions under Turkish data protection law.

Why This Matters for International Companies

Foreign companies operating in Turkey or processing customer data of Turkish residents should pay particular attention to this decision.

Loyalty programs that rely only on phone number entry at checkout—a practice common in many retail systems—may no longer be sufficient under Turkish data protection requirements.

Companies should therefore review:

  • Loyalty program design
  • Checkout procedures
  • Customer verification processes
  • Data protection compliance documentation

Implementing appropriate verification mechanisms will be necessary to ensure compliance with Turkish data protection rules.
