The Personal Data Protection Authority issued the Draft Guideline on Analyzing of Loyalty Programs within the Scope of Personal Data Protection Legislation ("Draft Guideline") for public consultation on June 16, 2022.
The Draft Guideline first illustrates the personal data processed through loyalty programs, analyzes the legal grounds on which these data processing activities can be based, and establishes the rules for meeting the notice requirement as well as the principles governing the use of radio frequency identification technology in the context of marketing activities.
The Draft Guideline defines loyalty programs as programs that aim to increase the company's sales and profitability while providing benefits to the customer by implementing all or some of the following strategies: providing the customer with points, gifts or advantages under various criteria in exchange for shopping, by processing customer data that makes the customer specific or identifiable to the business; monitoring the customer's purchasing patterns; and giving customized product or service offers based on personal data analysis.
As per the Draft Guideline, to benefit from a company's loyalty program, the customer must have purchased, or be about to receive, a good or service from this company. Therefore, the customer's personal data regarding shopping from the company that offers the loyalty program can be processed without the explicit consent of the data subject, on the basis of the various legal grounds regulated in the Personal Data Protection Law (“Law”). However, for personal data processed within the scope of the loyalty program, whether processing requires explicit consent or can rest on another legal ground is to be decided once the personal data processed by the company and the processing purposes have been concretely identified.
In cases where the loyalty program is offered under a contract and the personal data of the customer is processed by the company, provided that it is related to the establishment and performance of the contract, explicit consent will not be required as a rule for the processing of these data.
However, if, for example, the firm chooses to profile the customers who benefit from the loyalty application, a new processing activity arises. Since this activity is not directly related to the establishment and performance of the contract, it will not be possible to rely on that legal ground for compliance with the Law.
After explaining explicit consent and its validity, the Draft Guideline also addresses the prohibition on making explicit consent a prerequisite for the service, which is very important for personal data processing activities based on explicit consent.
According to the Draft Guideline, the explicit consent obtained from the data subject will be considered valid when two criteria are met. First, a customer who does not give explicit consent does not benefit from the privileges or advantages of the loyalty application, but this should not result in the deprivation of products and services. Second, the privileges or advantages that the customer is deprived of should not lead to a significant disadvantage for the person who does not give explicit consent, and the free will of the person should not be affected by this.
In addition, the Draft Guideline emphasizes that commercial communication consent and personalized marketing consent should be separated from each other and should be obtained separately.
Within the scope of loyalty practices, data controllers are also obliged to provide information about which personal data is processed, for what purpose and by whom; to whom and for what purpose the processed data can be transferred; what the legal basis and method of processing are; and what the data subjects' rights under the Law are.
Moreover, data controllers who implement a loyalty program are required to fulfill the obligation to inform during the processing of personal data regarding membership or for other subsequent processing within the scope of the relevant legislation.
In particular, companies that participate in a loyalty application offered by a third party, and that will provide their customers with additional benefits such as discounts and points for participating in this third-party loyalty application, should mention this in their clarification texts. In this case, the data subjects should be informed in detail about which party processes the personal data and from whom it is transferred.
If a partner program is in question and one of the program partners intends to process the personal data of loyalty program members to send advertising messages on their behalf, consent must also be obtained and clarification provided.
Finally, the Draft Guideline states that there are erroneous and illegal practices in the processing of personal data within the scope of loyalty programs with respect to complying with the general principles, determining the reason for compliance with the Law, obtaining explicit consent per the Law, fulfilling the obligation to inform, and processing personal data to send commercial electronic messages. In this context, it makes suggestions regarding what data controllers should do to eliminate these contradictions and make loyalty programs comply with the personal data protection legislation.