Turkey: Loyalty programs - how to process personal data
On 16 June 2022, the Personal Data Protection Authority ('KVKK') published the draft guidelines on examination of loyalty programs within the scope of the Personal Data Protection Law No. 6698 ('the Law') on its official website for public consultation, with the KVKK accepting opinions on the draft guidelines from stakeholders up until 16 July 2022. Melis Mert and Büşra Haltaş, from BTS&Partners, provide a summary of the key points presented by the KVKK in the draft guidelines.
Even though the draft guidelines are not legally binding, they reflect most of the recommendations that the KVKK has already presented in different cases, and the KVKK's guidelines are not generally subject to critical amendments once they are finalised. Data controllers offering loyalty programs in Turkey should therefore consider reviewing their data processing activities in light of the draft guidelines.
Definition of loyalty programs
In the draft guidelines, loyalty programs are defined as 'All or some of the strategies such as providing the customer with points/gifts/advantages in exchange for shopping by processing the customer's personal data that will make it specific or identifiable for the business, tracking the customer's shopping habits, and offering personalized product/service offers by analyzing the processed personal data, or unilateral or partnership programs that aim to increase sales and profits of the business while providing benefits to the customer'.
It should be noted that the KVKK has not made any distinction on loyalty programs provided by service providers with another main area of work (e.g. retail, e-commerce marketplace) and by companies directly and solely operating loyalty programs.
Legal basis for processing of personal data within the scope of loyalty programs
The draft guidelines highlight the significance of determining the appropriate legal basis in light of the purposes of the data processing activity, and give examples of the most common data processing purposes within the scope of loyalty programs.
The draft guidelines state that data controllers may rely on the legal basis of 'establishment or performance of contract', as defined under Article 5 of the Law, for the personal data processing activities that are covered by the terms of the loyalty program agreement: offering gift/point benefits to data subjects, informing them about the points earned, reminding them of the points that will expire, etc. Overall, it can be seen that the KVKK interprets this legal basis very narrowly.
On the other hand, it is highlighted under the draft guidelines that the personal data processing activities involving profiling of data subjects must be carried out based on explicit consent.
Therefore, to ensure that personal data is processed lawfully in accordance with the Law, all data controllers offering loyalty programs to data subjects located in Turkey should assess their data processing activities accordingly and determine the appropriate legal basis for each data processing activity.
Validity of consent regarding loyalty programs
The Law states that explicit consent should be: (i) freely given; (ii) provided for a specific subject; and (iii) provided after being adequately informed.
In the draft guidelines, the KVKK addresses these criteria and concludes that it is possible to require explicit consent from data subjects if it does not lead to a bundling of consent with the provision of main goods and services, citing the Handbook on European data protection law [1], as well as the KVKK's decision numbered 2019/198 on loyalty programs. Within this scope, it is clear that the KVKK focuses on loyalty programs provided by service providers with another main area of work (e.g. retail, e-commerce marketplace), rather than by companies directly and solely operating loyalty programs.
As per the KVKK's assessment, it is possible to require explicit consent within the scope of loyalty programs if not providing explicit consent only results in the provision of main goods and services without additional benefits. Therefore, it is important to ensure that the consequences of not consenting do not constitute a significant disadvantage.
E-marketing communications within the scope of loyalty programs
The draft guidelines focus on e-marketing communications within the scope of loyalty programs and state that it is necessary to obtain consent from data subjects in order to send e-communications in line with the Law and Turkish Law No. 6563 on the Regulation of Electronic Commerce [2].
The KVKK's assessment of joint loyalty card programs is one of the most striking in this regard. Similar to other markets, joint loyalty programs with additional benefits from partner companies are quite common in the Turkish market. According to the draft guidelines, the e-marketing communication consent obtained for the loyalty program covers sending e-marketing communications for the promotion of third parties, provided that they are within the scope of the loyalty program agreement. In this regard, it has been clarified that in case of joint loyalty programs, no separate consent is required to send e-marketing communications for the promotion of a loyalty program partner.
Nevertheless, the KVKK emphasises that e-marketing communication consent does not cover the transfer of personal data to the other joint loyalty program partner companies, and that such transfer can only be carried out in accordance with the data transfer provisions (Articles 8 and 9) of the Law. Besides, the loyalty program partner must obtain the data subject's consent in order to send e-marketing communications on its behalf.
Compliance with the general principles
Similar to the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'), the general principles outlined in Article 4 are at the core of the Law, and all data processing activities must adhere to these principles. The draft guidelines highlight the importance of compliance with the general principles, especially of avoiding excessive data collection that is contrary to the proportionality and data minimisation principles, even if there is explicit consent.
Other important notes
As summarised above, the draft guidelines address data processing activities for loyalty programs from various perspectives. In addition to these points, certain other assessments by the KVKK that are worth noting are set out below:
- Data controllers must provide data subjects with either a specific privacy notice tailored for the loyalty program or a general customer privacy notice that includes a section specifically devoted to the loyalty program.
- The privacy notice and the explicit consent form must be presented separately. In order to be fully compliant, additional KVKK rules should be taken into consideration with respect to privacy notices and explicit consent texts (e.g. presenting relevant data categories, mapping purposes, and legal bases).
- All data processing activities must comply with the data security obligations set forth under Article 12 of the Law.
- If the data controller collects and processes special categories of personal data (which are very similar to those listed under the GDPR with slight differences), data minimisation and purpose limitation principles should be evaluated more strictly, and additional security measures must be taken (i.e. the KVKK's decision numbered 2018/10).
- Lastly, the draft guidelines present a separate section on RFID technology (which is frequently used in loyalty programs) and mostly emphasise the importance of complying with the general principles when RFID is involved.
1. See: https://fra.europa.eu/sites/default/files/fra_uploads/fra-coe-edps-2018-handbook-data-protection_en.pdf
2. NB. This article focuses on the Law and the draft guidelines, whereas electronic commercial messages are also separately and highly regulated (i.e. they would require further compliance work).