Turkish DPA guidelines on loyalty programs open for public consultation – Data Protection
On June 16, 2022, the Turkish Personal Data Protection Authority (DPA) published the Draft Directive on the Processing of Personal Data in Loyalty Programs (“Guideline”) for public consultation. Stakeholders can submit their views to the DPA until July 16, 2022. You can access the Guideline here (in Turkish).
What does the Guideline say?
Overall, the guideline includes detailed information as well as different examples of processing activities tracked for loyalty programs. Below is a summary of the critical topics covered by the guideline.
- The Guideline primarily defines loyalty programs and explains their history and types. According to the Guideline, loyalty programs are defined as follows:
Programs that aim to increase the company’s sales and profitability while providing benefits to the customer by implementing some or all of the following strategies: granting the customer points/gifts/benefits under various criteria in exchange for purchases by processing the customer’s personal data, which will allow the customer to be specific or identifiable in terms of activity; monitoring the customer’s buying habits; and proposing personalized product/service offers by analyzing the personal data processed.
Loyalty program operators are data controllers under the Directive, and the Directive limits the scope of data subjects to customers only.
- In accordance with the Directive, three different categories of personal data are generally processed in the context of loyalty programs: (i) data actively and voluntarily provided by customers; (ii) data provided passively by customers; and (iii) data obtained from other sources. The appendix to the Guideline provides a detailed list of the categories of personal data processed in connection with loyalty schemes.
- The Guideline states that the legal bases for the processing of personal data must be determined separately for each data processing activity. If the loyalty program is based on a loyalty contract, the data processing activities can be carried out relying on the legal basis of the performance of a contract. For example, the processing of personal data to provide information on the points earned by the customer under the loyalty agreement may be based on the performance of a contract. However, if the data processing activities go beyond the purpose of the loyalty contract, for example to know the customer and offer personalized opportunities, data controllers cannot rely on the performance of a contract, and the legal bases must be analyzed taking into account the characteristics of each specific processing activity. In the Guideline, the DPA also addresses profiling activities, stating that data processing activities carried out for profiling purposes cannot be considered necessary for the performance of a contract, and that data controllers cannot rely on the performance of a contract as the legal basis for such processing.
- The Guideline takes the view that requesting the data subject’s explicit consent to become a member of a loyalty program is not considered to make explicit consent a prerequisite for such services. The DPA states that requiring explicit consent to provide services under loyalty programs shall not be considered to make explicit consent a condition of such services; instead, it should be viewed as the product/service being offered without additional benefits. However, in this case, the discount and the rate of advantage granted under the loyalty programs should not result in a significant disadvantage for the data subjects.
- The guideline states that data subject approval is required to send electronic commercial messages under the loyalty program. In addition, the DPA indicates that the purposes of the processing of personal data to know the customer and to send commercial electronic messages are different. Therefore, the DPA emphasizes that a detailed assessment should be made to determine whether the controller may use the data subject’s contact details to send marketing communications.
- In accordance with the Guideline, data controllers must fulfill their notification obligation for processing activities carried out in the context of loyalty programs. The DPA states that privacy policies should be specific to each processing activity and that data controllers should refrain from using general (umbrella) privacy policies. The DPA further points out that additional benefits such as discounts and points, and the data transfers related to these benefits, must be specified in detail when fulfilling the notification obligation. In addition, if one of the partners processes personal data in order to send advertisements in joint marketing programs, the explicit consent of the data subjects must be obtained and the notification obligation must be fulfilled.
- The directive further includes principles on the use of radio frequency identification (RFID) technology for marketing purposes. RFIDs are used, for example, to analyze customer behavior when shopping in stores. The DPA said in the guidance that data controllers should use RFID with care, especially from a data minimization perspective.
The DPA provides important guidance regarding data processing activities in the context of loyalty programs. The Guideline is open for public consultation until July 16, 2022. Interested parties may submit their comments and suggestions to the DPA until that date.
The content of this article is intended to provide a general guide on the subject. Specialist advice should be sought regarding your particular situation.