Introduction
Customer data processing and marketing consent rules in Turkey are critical compliance issues for companies that sell products, provide services, operate e-commerce platforms, manage CRM systems, send promotional emails or SMS messages, use call centers, run loyalty programs, collect website leads, use cookies for advertising, or conduct personalized marketing campaigns. In a digital economy where customer relationships are built through data, businesses must understand the legal limits of collecting, storing, analyzing, transferring, and using customer information.
The main legal framework consists of Law No. 6698 on the Protection of Personal Data, commonly known as KVKK, and the Turkish rules on commercial electronic messages, including the İleti Yönetim Sistemi, known as İYS. KVKK governs the processing of personal data, while commercial electronic message rules regulate when businesses may send promotional messages by SMS, email, phone call, and similar electronic communication channels.
Customer data compliance in Turkey is not limited to obtaining a simple marketing consent checkbox. A lawful system requires accurate privacy notices, proper legal basis analysis, separate explicit consent where necessary, İYS-compliant commercial communication permissions, secure CRM management, vendor controls, retention rules, opt-out mechanisms, and proper documentation. A company that sends promotional messages without valid consent, uses customer data for undisclosed purposes, transfers data abroad without a proper mechanism, or fails to respect withdrawal requests may face administrative fines, customer complaints, reputational harm, and regulatory scrutiny.
What Is Customer Personal Data?
Customer personal data means any information relating to an identified or identifiable natural person who purchases, requests, uses, subscribes to, reviews, or interacts with a business’s products or services. Under KVKK, personal data is broadly defined, and processing includes collection, recording, storage, preservation, alteration, disclosure, transfer, retrieval, categorization, and other operations performed on personal data. KVKK also defines the data controller as the person or entity determining the purposes and means of processing personal data.
In customer relationships, personal data may include name, surname, phone number, email address, billing address, delivery address, Turkish identity number where legally necessary, passport information, customer number, order history, invoice records, payment status, refund information, complaint records, call center recordings, product preferences, loyalty program data, survey responses, IP address, device ID, cookie ID, location data, advertising ID, and website behavior.
Customer data may also include sensitive or special categories of personal data in certain sectors. For example, a clinic may process health data, a biometric verification provider may process biometric data, a travel company may process passport and health-related travel documents, and an insurance company may process medical or financial risk information. Special categories of data are subject to stricter rules under KVKK Article 6.
The Difference Between Customer Data Processing and Marketing Consent
One of the most common mistakes in Turkey is confusing customer data processing consent with marketing communication consent. These are related but not identical.
KVKK regulates whether and how a business may process personal data. For example, a company may process a customer’s name, address, and order details to deliver a product. It may store invoice records to comply with legal obligations. It may process complaint data to respond to customer requests or defend legal claims.
Marketing consent, on the other hand, concerns whether the company may send promotional commercial electronic messages to the customer. A customer may lawfully buy a product without consenting to marketing messages. Similarly, a company may lawfully process certain customer data for contract performance or legal obligations even if the customer refuses marketing communications.
This distinction must be reflected in forms, checkboxes, privacy notices, CRM systems, and customer service scripts. A checkout page should not make marketing permission a mandatory condition of purchase unless there is a specific lawful reason. A privacy notice should not be presented as if it were consent. A marketing consent form should not be used as a general approval for all personal data processing activities.
Legal Bases for Processing Customer Data Under KVKK
KVKK does not require explicit consent for every customer data processing activity. Article 5 states that personal data cannot be processed without explicit consent, but it also lists several situations where personal data may be processed without explicit consent. These include processing expressly provided by law, necessity for contract performance, necessity for compliance with a legal obligation, data made public by the data subject, necessity for the establishment, exercise or protection of a right, and legitimate interests of the data controller provided that fundamental rights and freedoms are not violated.
For customer data, this means that different processing purposes may rely on different legal bases. Processing a delivery address for shipment may be based on contract performance. Keeping invoice records may be based on legal obligations. Recording a customer complaint may be necessary for customer service, consumer law compliance, or protection of rights. Maintaining fraud prevention logs may be based on legitimate interest or protection of rights, depending on the structure. Responding to a lawsuit, chargeback, enforcement claim, or consumer complaint may be based on establishment, exercise, or protection of a right.
However, marketing activities often require separate analysis. Using customer data for promotional emails, behavioral advertising, personalized campaigns, remarketing, third-party marketing partnerships, or loyalty profiling may require explicit consent or another clearly documented legal basis. The company must not assume that because a person is a customer, all future marketing use is automatically lawful.
Privacy Notices for Customer Data
Every customer data processing system should begin with a proper privacy notice. Under KVKK Article 10, the data controller must inform data subjects at the time personal data is obtained about the identity of the controller, the purpose of processing, recipients and transfer purposes, method and legal basis of collection, and the data subject’s rights.
The Communiqué on the Obligation to Inform clarifies that the obligation to inform applies regardless of whether processing is based on explicit consent or another legal basis. It also states that if processing is based on explicit consent, the obligation to inform and the process of obtaining consent must be performed separately. The notice must use clear, plain, and intelligible language, avoid ambiguous statements, and explicitly state the legal basis of processing.
For customer relationships, this means that privacy notices should be tailored to the actual business model. An e-commerce company should explain account creation, order processing, delivery, payment, returns, customer support, complaint management, invoice retention, marketing, cookies, data transfers, and retention. A hotel should explain reservation, identity verification, payment, accommodation records, security cameras, guest communications, and legal obligations. A clinic should explain health data processing separately because health data is sensitive. A SaaS company should explain user account data, billing, support tickets, analytics, security logs, and international transfers.
Generic privacy policies copied from unrelated businesses are risky. If the actual CRM system, marketing tools, cookie practices, or data transfer structure does not match the notice, the company may be exposed in a complaint or regulatory review.
Explicit Consent Under KVKK
Explicit consent under KVKK must be specific, informed, and freely given. It should not be hidden inside general terms and conditions. It should not be bundled with unrelated approvals. It should not be obtained through pre-ticked boxes or unclear statements.
For customer data processing, explicit consent may be required where no other legal basis applies. Examples may include sending personal data to a third-party marketing partner for that partner’s independent campaigns, using customer photographs or testimonials for advertising, processing optional preference data for personalized marketing, using non-essential cookies for behavioral advertising, or transferring data abroad under limited exceptional circumstances where no adequacy decision or appropriate safeguard is available.
Consent should be separate by purpose where possible. A single checkbox saying “I consent to the processing of my personal data and receiving all communications” is generally weak. A better structure separates privacy notice acknowledgment, commercial electronic message consent, cookie preferences, and optional profiling consent.
Commercial Electronic Messages in Turkey
Marketing communications in Turkey are not governed only by KVKK. Businesses must also comply with commercial electronic message rules. Commercial electronic messages may include promotional SMS messages, emails, automated calls, voice calls, and other electronic communications sent for marketing, advertising, promotion, campaigns, discounts, or similar commercial purposes.
Turkey generally follows an opt-in model for commercial electronic messages sent to consumers. Legal commentary on Law No. 6563 explains that commercial electronic communications for direct marketing or advertising generally require the recipient’s prior consent, while recipients may later refuse further communications and service providers must provide an easy refusal mechanism.
This means that a business should not send promotional SMS or email messages merely because it has a customer’s contact details from a previous transaction. If the communication is transactional, such as order confirmation, delivery update, appointment reminder, payment confirmation, service change, or security notice, it may be treated differently from promotional marketing. But if the communication promotes products, campaigns, discounts, or new services, marketing consent rules must be assessed.
İYS: The Turkish Message Management System
İYS is a central platform through which recipients can view and manage their commercial electronic message permissions. The Ministry of Trade has stated that citizens can check and change their commercial electronic message approvals through e-Devlet or İYS, and that they can see which businesses hold their mobile phone number and email information, manage approval or rejection preferences, and receive messages only from businesses they choose.
For businesses, İYS is important because marketing consent management is no longer only an internal CRM issue. Service providers must ensure that their permission records are compatible with İYS requirements. Marketing teams should not operate separate lists that ignore İYS rejections or updated preferences.
The Ministry has also stated that İYS reduces the archive and consent burden of service providers and that, for approvals obtained through İYS, the proof obligation shifts to İYS. This makes İYS not only a compliance tool but also an evidentiary mechanism.
Valid Marketing Consent: What Should It Include?
A valid marketing consent mechanism should clearly identify the service provider, the communication channels, the purpose of communication, and the recipient’s right to refuse future messages. The customer should understand whether they are consenting to SMS, email, phone calls, push notifications, or all of them.
A strong consent text should avoid vague statements such as “I consent to all communications.” It should say that the customer agrees to receive commercial electronic messages regarding campaigns, promotions, advertisements, discounts, products, services, events, or similar commercial content through specified channels. It should also indicate that the customer may withdraw consent or use the refusal right.
From a KVKK perspective, the same screen or form should also provide access to the relevant privacy notice. But the privacy notice and consent should not be merged into a single legal block. The customer should be informed first, then asked for consent where necessary.
Opt-Out and Withdrawal Rules
Marketing consent must be manageable. Customers must be able to refuse future communications. The refusal mechanism should be easy, accessible, and effective. In practice, SMS messages should include an opt-out mechanism, emails should include an unsubscribe method, and call-based marketing should respect refusal preferences.
From a KVKK perspective, withdrawal of consent has prospective effect. Once the customer withdraws marketing consent, the business must stop consent-based marketing processing. However, withdrawal of marketing consent does not mean the company must delete all customer records. The company may still retain data needed for invoices, orders, legal obligations, dispute records, or fraud prevention if a valid legal basis exists.
This is why CRM systems should distinguish between different data statuses: active customer, former customer, marketing permitted, marketing rejected, account closed, invoice retained, legal hold, complaint pending, consent withdrawn, and deletion requested. Treating all customer data as one undifferentiated database creates compliance risk.
Transactional Messages vs Marketing Messages
One of the most important practical distinctions is between transactional messages and marketing messages.
Transactional messages are communications necessary for the service or transaction. Examples include order confirmation, shipping updates, delivery notifications, appointment reminders, password reset messages, payment receipts, security alerts, warranty updates, changes to a purchased service, or legally required notifications.
Marketing messages promote products, services, discounts, campaigns, loyalty offers, new collections, cross-selling, upselling, events, or personalized recommendations. These usually require marketing consent under commercial electronic message rules unless a specific exception applies.
The content and purpose of the message matter. A message saying “Your order has shipped” is transactional. A message saying “Your order has shipped — also buy our new discounted products today” may become partly promotional. Businesses should be careful not to insert marketing content into transactional communications unless they have the required permission.
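The distinctions drawn in the CRM status list above and in this section (per-channel marketing permission, withdrawal with prospective effect, İYS rejections overriding internal lists, transactional messages not needing marketing consent, and promotional content turning a transactional message into a marketing one) can be enforced by a single pre-send gate. The following is an added illustration written for this article, not code from any real CRM or from İYS; the customer record, channels, timestamps and invoice numbers are constructed sample data, and the rule set is an assumed policy that a compliance team would have to confirm against its own legal analysis.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import Dict, List, Optional, Tuple


class Channel(Enum):
    SMS = "sms"
    EMAIL = "email"
    CALL = "call"
    PUSH = "push"


class MessageKind(Enum):
    TRANSACTIONAL = "transactional"  # order status, receipts, security notices
    MARKETING = "marketing"          # campaigns, discounts, cross-selling


@dataclass
class ChannelPermission:
    """Commercial electronic message permission for one channel (assumed model)."""
    granted_at: Optional[datetime] = None
    withdrawn_at: Optional[datetime] = None  # withdrawal acts prospectively, not retroactively
    iys_rejected: bool = False               # a rejection recorded in İYS beats the CRM's own copy


@dataclass
class CustomerRecord:
    customer_id: str
    permissions: Dict[Channel, ChannelPermission] = field(default_factory=dict)
    invoice_ids: List[str] = field(default_factory=list)  # kept on a legal basis, not on consent
    audit_log: List[str] = field(default_factory=list)    # evidence trail of every send decision


def effective_kind(kind: MessageKind, has_promotional_content: bool) -> MessageKind:
    """A transactional message that carries promotional content is treated as marketing."""
    if kind is MessageKind.TRANSACTIONAL and has_promotional_content:
        return MessageKind.MARKETING
    return kind


def marketing_permitted(record: CustomerRecord, channel: Channel, at: datetime) -> Tuple[bool, str]:
    """Channel-specific check: consent must exist, not be rejected in İYS, and not be withdrawn."""
    perm = record.permissions.get(channel)
    if perm is None or perm.granted_at is None or perm.granted_at > at:
        return False, f"no consent on record for {channel.value}"
    if perm.iys_rejected:
        return False, f"{channel.value} rejected via İYS"
    if perm.withdrawn_at is not None and perm.withdrawn_at <= at:
        return False, f"{channel.value} consent withdrawn"
    return True, f"{channel.value} consent granted on {perm.granted_at.date()}"


def can_send(record: CustomerRecord, channel: Channel, kind: MessageKind,
             has_promotional_content: bool, at: datetime) -> Tuple[bool, str]:
    """Gate every outbound message and log the decision as evidence."""
    kind = effective_kind(kind, has_promotional_content)
    if kind is MessageKind.TRANSACTIONAL:
        allowed, reason = True, "transactional message, marketing consent not required"
    else:
        allowed, reason = marketing_permitted(record, channel, at)
    verdict = "SEND" if allowed else "BLOCK"
    record.audit_log.append(f"{at.isoformat()} {channel.value} {kind.value}: {verdict} ({reason})")
    return allowed, reason


def withdraw_marketing_consent(record: CustomerRecord, channel: Channel, at: datetime) -> None:
    """Withdrawal only changes the permission; invoices and other legally retained data stay."""
    record.permissions.setdefault(channel, ChannelPermission()).withdrawn_at = at


SAMPLE_NOW = datetime(2025, 3, 1, tzinfo=timezone.utc)  # constructed timestamp


def sample_customer() -> CustomerRecord:
    """Constructed sample: SMS consent, email consent later rejected via İYS, no consent for calls."""
    jan = datetime(2025, 1, 10, tzinfo=timezone.utc)
    return CustomerRecord(
        customer_id="cust-0001",  # placeholder identifier
        permissions={
            Channel.SMS: ChannelPermission(granted_at=jan),
            Channel.EMAIL: ChannelPermission(granted_at=jan, iys_rejected=True),
        },
        invoice_ids=["INV-2025-0001", "INV-2025-0002"],  # placeholder invoice numbers
    )


def demo() -> Dict[str, bool]:
    c = sample_customer()
    r: Dict[str, bool] = {}
    r["shipping_update_email"] = can_send(c, Channel.EMAIL, MessageKind.TRANSACTIONAL, False, SAMPLE_NOW)[0]
    r["shipping_update_with_promo_email"] = can_send(c, Channel.EMAIL, MessageKind.TRANSACTIONAL, True, SAMPLE_NOW)[0]
    r["campaign_sms"] = can_send(c, Channel.SMS, MessageKind.MARKETING, False, SAMPLE_NOW)[0]
    r["campaign_email"] = can_send(c, Channel.EMAIL, MessageKind.MARKETING, False, SAMPLE_NOW)[0]
    r["campaign_call"] = can_send(c, Channel.CALL, MessageKind.MARKETING, False, SAMPLE_NOW)[0]
    withdraw_marketing_consent(c, Channel.SMS, SAMPLE_NOW + timedelta(days=1))
    r["campaign_sms_after_withdrawal"] = can_send(c, Channel.SMS, MessageKind.MARKETING, False,
                                                  SAMPLE_NOW + timedelta(days=2))[0]
    r["invoices_still_retained"] = len(c.invoice_ids) == 2
    r["every_decision_logged"] = len(c.audit_log) == 6
    return r


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name}: {allowed}")
```

The point of routing every message through `can_send` rather than letting a campaign tool read the contact list directly is that the İYS rejection, the withdrawal timestamp and the transactional-versus-marketing classification are applied in one place and leave an audit entry, which is the evidence a company needs when a customer asks why a message was sent.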
Customer Data and CRM Systems
CRM systems are central to customer data processing. They may contain contact details, purchase history, communication preferences, marketing consent status, support tickets, call notes, complaint records, segmentation tags, loyalty points, and sales opportunities.
CRM compliance requires several controls. First, the company should define which data is collected and why. Second, access should be limited according to business roles. Sales teams may need contact and opportunity data, but they may not need access to all complaint files or sensitive documents. Marketing teams may need permission status and campaign segmentation, but they should not override opt-out records. Customer support may need support history, but not all financial or legal records.
Third, CRM data should be updated. Incorrect phone numbers, outdated consent status, duplicate records, or unverified lead lists may cause unlawful marketing. Fourth, imported lead lists should be reviewed carefully. Buying or importing third-party contact databases without verifying legal basis and marketing permissions creates serious risk.
Lead Generation and Website Forms
Many businesses collect customer data through website forms, landing pages, quotation forms, webinar registrations, downloadable guides, WhatsApp buttons, chatbots, and social media ads. These lead generation tools must comply with KVKK and marketing consent rules.
A website lead form should include a privacy notice link or short-layer notice explaining who collects the data, why it is collected, how it will be used, and the person’s rights. If the form is used to respond to a customer inquiry, processing may be based on contract-related steps or legitimate interest depending on the context. But if the company also wants to send promotional messages later, a separate marketing consent checkbox should be used.
Pre-ticked marketing boxes should be avoided. Consent should be active. The user should be able to request information or a quotation without being forced into marketing communications, unless the communication itself is inherently a marketing subscription.
Cookies, Retargeting, and Behavioral Advertising
Customer marketing is no longer limited to email and SMS. Companies use cookies, pixels, SDKs, device identifiers, customer match tools, social media audiences, and retargeting technologies to reach customers across digital platforms.
These technologies may process personal data if they identify or track a user. Advertising cookies and behavioral tracking generally require explicit consent where they are not strictly necessary. A website should not activate non-essential advertising cookies before valid consent is obtained.
Businesses should also distinguish cookie consent from commercial electronic message consent. A user who consents to advertising cookies has not necessarily consented to promotional SMS. A customer who consents to SMS marketing has not necessarily consented to cross-site behavioral tracking. Each channel and purpose should be managed separately.
Loyalty Programs and Personalized Marketing
Loyalty programs often involve extensive customer data processing. A business may track purchases, frequency, spending level, product categories, location, birthday, preferences, coupon usage, and campaign responses. These data may be used to create customer segments, personalized offers, and targeted campaigns.
Loyalty programs can be lawful, but they require transparency. Customers should know what data is collected, how points or rewards are calculated, whether profiling is used, whether offers are personalized, whether third-party partners receive data, and whether participation is optional.
If the loyalty program uses extensive profiling or shares customer data with multiple partners, explicit consent may be required for certain processing activities. If special categories of data are involved, such as health-based products or pharmacy purchases, stricter rules apply.
Customer Data Transfers to Third Parties
Customer data may be transferred to cargo companies, payment providers, call centers, accountants, lawyers, auditors, CRM providers, cloud service providers, marketing agencies, SMS/email service providers, marketplace sellers, group companies, and public authorities.
Domestic transfers are regulated by KVKK Article 8. Personal data cannot be transferred without explicit consent unless one of the legal grounds under Article 5/2 or Article 6/3 applies, and special categories of data may only be transferred if adequate measures are also taken.
For example, transferring delivery details to a cargo company may be necessary for contract performance. Transferring invoice records to an accountant may be based on legal obligation. Transferring dispute documents to a lawyer may be necessary for protection of rights. However, transferring customer data to a marketing partner for independent advertising generally requires a separate legal basis and careful disclosure.
Vendor contracts should include confidentiality, security, purpose limitation, breach notification, deletion, sub-processor, and audit obligations.
Cross-Border Transfers of Customer Data
Many customer data systems involve foreign transfers. E-commerce platforms may use foreign cloud servers, global CRM systems, email marketing tools, analytics platforms, payment infrastructure, support ticket systems, advertising networks, and parent company databases.
KVKK Article 9 was amended in 2024. Personal data may be transferred abroad if one of the processing conditions under Article 5 or Article 6 is met and there is an adequacy decision. If no adequacy decision exists, transfers may be possible through appropriate safeguards such as standard contracts, binding corporate rules, or written commitments approved by the Board. Standard contracts must be notified to the Authority within five business days after signature.
For marketing operations, this is very important. A company using a foreign email marketing provider, CRM platform, advertising tool, analytics provider, or customer support system should map where customer data is stored and accessed. It should not assume that “cloud” processing is legally neutral.
Customer Rights Under KVKK
Customers have rights under KVKK Article 11. They may ask whether their personal data is processed, request information about processing, learn the purpose of processing, know third parties to whom data is transferred domestically or abroad, request correction, request deletion or destruction under legal conditions, request notification of correction or deletion to recipients, object to adverse results created exclusively through automated analysis, and claim compensation for unlawful processing.
Customer service teams should be trained to recognize these requests. A customer may say, “Delete my account,” “Stop texting me,” “Where did you get my number?”, “Which companies did you share my data with?” or “Correct my email address.” These may all require KVKK assessment.
The company must respond within the statutory period and should document the request, verification steps, legal assessment, response, and action taken.
Data Security and Breach Notification
Customer databases are attractive targets for cyberattacks. CRM systems, e-commerce databases, email marketing lists, call center records, and loyalty program data may contain thousands or millions of customer records.
KVKK Article 12 requires data controllers to take all necessary technical and organizational measures to prevent unlawful processing, prevent unlawful access, and ensure protection of personal data. If personal data is obtained by others unlawfully, the controller must notify the data subject and the Board within the shortest time.
Practical measures include role-based access control, multi-factor authentication, encryption, logging, secure backups, vendor due diligence, employee training, data loss prevention, secure CRM configuration, access reviews, and incident response plans. Marketing teams should not export customer lists casually or share them through unsecured spreadsheets.
Retention and Deletion of Customer Data
Customer data should not be retained indefinitely. KVKK requires personal data to be erased, destroyed, or anonymized when the reasons requiring processing no longer exist.
A company should define retention periods for customer accounts, invoice records, orders, delivery records, complaint files, call recordings, marketing consent logs, İYS records, cookie consent logs, loyalty data, abandoned cart data, and inactive customer profiles.
The retention analysis must distinguish between legal obligations and marketing convenience. Invoice records may need to be retained for statutory periods. But old campaign lists, inactive leads, outdated phone numbers, or abandoned marketing profiles may no longer have a valid purpose.
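A retention schedule only works if the rules are applied in a fixed order: a legal hold or a statutory retention period must win over any marketing-driven preference to keep or drop data, while withdrawn consent should end the purpose for consent-based marketing data but not for the consent log that proves the withdrawal. The following decision procedure is an added illustration for this article, not code from any product; the category list, the day counts and the legal-basis labels are assumed placeholders, and the actual periods must come from the company's own retention analysis.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Tuple

# Assumed schedule (days). The figures are placeholders, not statutory periods.
RETENTION_DAYS: Dict[str, int] = {
    "invoice": 3650,               # assumed bookkeeping period, legal obligation
    "order": 3650,                 # assumed, tied to the invoice
    "complaint": 1095,             # assumed, protection of rights
    "marketing_consent_log": 1095, # assumed evidence period for consents and withdrawals
    "campaign_list": 180,          # assumed, consent-based marketing data
    "abandoned_cart": 30,          # assumed, marketing convenience only
    "inactive_lead": 365,          # assumed, legitimate interest at most
}

# Which categories exist only because the customer consented to marketing.
CONSENT_BASED = {"campaign_list", "abandoned_cart"}

# Categories kept to meet a legal obligation or to prove compliance; never trimmed for convenience.
LEGALLY_REQUIRED = {"invoice", "order", "marketing_consent_log"}


@dataclass
class StoredRecord:
    record_id: str
    category: str
    last_activity: datetime
    legal_hold: bool = False        # litigation, enforcement or complaint pending
    consent_withdrawn: bool = False # marketing consent withdrawn by the customer


def retention_decision(rec: StoredRecord, now: datetime) -> Tuple[str, str]:
    """Return ("retain" | "erase", reason) applying rules in order of precedence."""
    if rec.category not in RETENTION_DAYS:
        return "retain", "unknown category, escalate to the retention owner"
    if rec.legal_hold:
        return "retain", "legal hold takes precedence over every period"
    age = now - rec.last_activity
    period = timedelta(days=RETENTION_DAYS[rec.category])
    if rec.category in CONSENT_BASED and rec.consent_withdrawn:
        return "erase", "consent withdrawn, no remaining purpose for consent-based data"
    if age > period:
        basis = "statutory period expired" if rec.category in LEGALLY_REQUIRED else "purpose expired"
        return "erase", basis
    return "retain", f"within {RETENTION_DAYS[rec.category]}-day period"


def run_retention(records: List[StoredRecord], now: datetime) -> Dict[str, str]:
    """Batch decision keyed by record id, suitable for a nightly erasure job's review list."""
    return {r.record_id: retention_decision(r, now)[0] for r in records}


SAMPLE_NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)  # constructed reference date


def sample_records() -> List[StoredRecord]:
    """Constructed sample data covering each rule."""
    y = lambda years: SAMPLE_NOW - timedelta(days=365 * years)
    d = lambda days: SAMPLE_NOW - timedelta(days=days)
    return [
        StoredRecord("inv-1", "invoice", y(2)),                               # retain, within period
        StoredRecord("inv-2", "invoice", y(12)),                              # erase, statutory period expired
        StoredRecord("cmp-1", "complaint", y(4), legal_hold=True),            # retain, legal hold
        StoredRecord("lst-1", "campaign_list", d(10), consent_withdrawn=True),# erase, consent withdrawn
        StoredRecord("log-1", "marketing_consent_log", d(10), consent_withdrawn=True),  # retain as evidence
        StoredRecord("cart-1", "abandoned_cart", d(45)),                      # erase, purpose expired
        StoredRecord("lead-1", "inactive_lead", d(100)),                      # retain, within period
        StoredRecord("x-1", "unknown_export", d(1)),                          # retain, escalate
    ]


if __name__ == "__main__":
    for rec in sample_records():
        print(rec.record_id, *retention_decision(rec, SAMPLE_NOW))
```

The ordering in `retention_decision` is the substance: legal hold is checked before anything else, consent withdrawal only shortens the life of consent-based marketing data, and the consent log that evidences the withdrawal follows its own evidence period rather than disappearing with the campaign list.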
Common Mistakes in Customer Data and Marketing Consent Compliance
One common mistake is forcing customers to accept marketing messages during checkout. Another is treating privacy notice acknowledgment as marketing consent. A third is sending promotional messages to customers whose contact information was collected only for delivery or billing.
A fourth mistake is failing to synchronize CRM systems with İYS and opt-out records. A fifth is using purchased lead lists without verifying consent. A sixth is activating advertising cookies before consent. A seventh is transferring customer data to foreign marketing tools without Article 9 analysis.
Another frequent mistake is using broad consent clauses such as “I consent to all marketing and data processing activities.” This language is not sufficiently specific. Businesses should separate processing purposes and communication channels.
Practical Compliance Checklist
A business processing customer data in Turkey should:
- Map all customer data categories and processing purposes.
- Identify the legal basis for each processing activity.
- Prepare clear customer privacy notices.
- Separate KVKK explicit consent from commercial electronic message consent.
- Use active opt-in mechanisms for marketing communications.
- Register and manage commercial message permissions through İYS where required.
- Synchronize CRM, İYS, and opt-out records.
- Distinguish transactional messages from marketing messages.
- Avoid pre-ticked boxes and bundled consent.
- Review cookies, pixels, SDKs, and retargeting tools.
- Review contracts with CRM, SMS, email, cloud, and marketing vendors.
- Map cross-border transfers and apply Article 9 mechanisms.
- Implement role-based access controls for customer databases.
- Prepare data breach response procedures.
- Define retention periods for customer and marketing data.
- Train sales, marketing, customer service, IT, and legal teams.
- Keep evidence of consent, notices, withdrawals, and opt-outs.
- Respond to customer rights requests within legal time limits.
- Review lead generation campaigns before launch.
- Audit customer data practices periodically.
Conclusion
Customer data processing and marketing consent rules in Turkey require a coordinated approach under KVKK and commercial electronic message legislation. A business may process certain customer data without explicit consent when processing is necessary for contract performance, legal obligations, protection of rights, or legitimate interests. However, promotional communications, behavioral advertising, profiling, third-party marketing, and optional campaign activities often require separate consent or a carefully documented legal basis.
The most important compliance point is separation. Businesses should separate privacy notices from consent forms, transactional messages from marketing messages, customer service processing from promotional processing, KVKK consent from İYS commercial message approval, and ordinary customer records from advertising profiles.
A strong compliance system should include clear privacy notices, valid marketing consent mechanisms, İYS synchronization, CRM controls, opt-out management, secure vendor contracts, cookie consent, cross-border transfer analysis, retention rules, and customer rights procedures.
Companies that manage customer data transparently and lawfully reduce regulatory risk, protect customer trust, and strengthen their commercial reputation in Turkey. In a market where digital communication is essential, lawful marketing is not only a compliance obligation; it is a competitive advantage.