In a statement, the Personal Data Protection Authority (KVKK) gave important information about customer phone numbers collected for a “verification code” during in-store shopping. KVKK stated that commercial messages cannot be sent to a customer phone number taken for a “verification code” in store purchases without the explicit consent of the customer.
According to the written statement made by the KVKK, various complaints and notices received by the institution report that a verification code is sent to the customer via SMS during cashier transactions after shopping in stores, and that the customer is asked to report the code to the cashier on the grounds that it is necessary for completing the payment or updating their information.
THERE ARE COMPLAINTS
The statement noted that there were complaints that commercial electronic messages were sent to the relevant persons after this transaction, and that it was determined that the relevant persons were misled by the data controller obtaining the express consent for sending commercial electronic messages in this way.
Recalling the processing conditions in the Personal Data Protection Law under which personal data can be processed without seeking the explicit consent of the person, the statement made the following evaluations:
“In this context, as a result of the examinations made by the KVKK, the purpose of the SMS to be sent to the phone of the persons and what the consequences will be if the code transmitted with this SMS is given, shall be made clear to the relevant persons at the first stage by the persons authorized by the data controller in the stores, as a requirement of layered illumination. It is important to provide the necessary channels in the content of the SMS in order to ensure that it is conveyed in a clear and understandable way and that the obligation of illumination is fulfilled.”
“THE PRACTICES OF PERFORMING DIFFERENT PROCESSING ACTIVITIES SHOULD BE ENDED”
The statement emphasized that practices in which a verification code is sent to the relevant persons via SMS during payment for in-store purchases, and the membership agreement, the permission to process personal data, the approval of commercial electronic messages and similar different processing activities are carried out with a single action, should be ended.
The statement said that it is important to obtain separate consent by offering options for the processing activities in question, and shared the following information:
“In addition, it is important to avoid situations that may lead to the realization of explicit consent by data controllers and the fulfillment of clarification obligations together, and if an application is made to send an SMS verification code in order to obtain explicit consent for sending commercial electronic messages, it is important that the express consent to be obtained in the said transaction covers all elements.”
(AA)