The Personal Data Protection Board (“KVKK”) ruled, in its announcement dated 17.12.2021, that processing personal data at stores by sending a verification code to data subjects via SMS during their shopping is contrary to the legislation. KVKK examined complaints about stores that send a verification code to data subjects via SMS during payment at the cashier after their shopping, where the cashier requests the code in order to complete the payment or to update information, but after the transaction commercial electronic messages related to the store's activities are sent to the data subjects. KVKK determined that data subjects were not informed by the data controller, either in the SMS containing the verification code or before that SMS was sent, and/or that the data controller misleads data subjects by requesting the verification code on the grounds that it is required to complete the payment or to update information, whereas this method is in fact used to obtain the data subjects' explicit consent to receive commercial electronic messages.
In this regard, KVKK has determined that:
• Persons authorized by the data controller must clearly inform data subjects of the purpose of the SMS to be sent to them and of the consequences of sharing the verification code in the SMS with the store, and the same information must be provided in the content of the SMS.
• The existing practice of obtaining explicit consent for different processing activities (such as a membership agreement, consent to process personal data, commercial electronic message approval, etc.) with a single action, by sending a verification code to data subjects via SMS during payment in stores, must be terminated, and a separate explicit consent must be obtained for each processing activity by offering options.
As a result, the practices of various stores in the market of obtaining the explicit consent of data subjects via SMS are required to cease.