An Examination of Loyalty Programs Under Personal Data Protection Legislation

30.11.2022 Merve Demirkaya

Introduction

The Personal Data Protection Authority (“DPA”), on 16.06.2022, published the Draft Guidelines on Examination of Loyalty Programs within the Scope of Personal Data Protection Legislation (“Draft Guidelines”). The public has until 16.07.2022 to submit comments on them, and after these are evaluated, the Draft Guidelines will become binding.

An Examination of Loyalty Programs Under Personal Data Protection Legislation
% 0

The History, the Objective and the Scope of the Draft Guidelines

Although it was somewhat different than modern current examples, the first known loyalty program actually began in 1793. This first program used copper tokens. Later, in the 1980s, loyalty programs were implemented by American airline companies with the goal of ensuring commercial stability. These programs served as a role model for today's loyalty programs, which are today implemented almost everywhere and in every sector. Retailers, airline companies, hotels, telecommunication companies, fuel stations and many other businesses can be given as examples. In Turkey, loyalty programs started with the development of organized food retailing and then spread to many areas such as telecommunications, transportation, clothing, automotive, fuel, cosmetics, and, especially, banking.

With the increase in the areas where loyalty programs are used, more personal data is being processed and, with the help of newly-developed technology, this data is formed into data groups in the undertakings database. These data groups, which are also known as big data, are becoming seen as a source of power in the hands of undertakings. Therefore, as a result of the association of the concept of data with power, which was not previously a problem, and because of the sheer amount of personal data involved, it has become necessary to examine loyalty programs within the framework of personal data protection law and competition law. The Draft Guidelines, however, have been prepared with the aim of examining loyalty programs within the scope of personal data protection legislation and do not include any analysis within the framework of competition law. The Draft Guidelines first give the development, history and definition of loyalty programs. They then outline the points to be considered for loyalty program applications within the scope of personal data protection law.

The Definition of Loyalty Programs

In the Draft Guidelines, loyalty programs are defined as follows: “Programs that aim to increase the sales and profitability of the implementing company, while providing benefits to the customer through the implementation of all or some of strategies such as providing points/gifts/benefits to the customer within the framework of various criteria in return for shopping by processing the personal data of the customer that will enable the customer to be specific or identifiable for the business, tracking the shopping habits of the customer, providing personalized product / service offers by analyzing the processed personal data, unilaterally by the companies or within the scope of a program partnership.”[1]

Evaluation of Loyalty Programs within the Framework of Personal Data Protection Law

Data Processed, Data Controller and Data Subject

In loyalty programs, all of the following types of data are processed: (i) personal data provided actively and voluntarily by the customer (such as name, contact information and similar information in the membership form that can be processed by the customer by filling it in person), (ii) personal data passively provided by the customer (if the loyalty program is used through a mobile application, such as processing of IP and location data), and (iii) customer data obtained from other sources (such as data obtained by analyzing data actively provided by a customer, other passively collected user data, or data from unidentified datasets and performing analyses based on these combined data).

In the Draft Guidelines, loyalty program implementers are defined as data controllers. Since the Draft Guidelines solely contains information regarding the customer-based loyalty programs, people who are members of these programs are defined as data subjects.

Legal Grounds for Loyalty Programs

Implementing loyalty programs frequently requires customers to buy products or services from the relevant business. Therefore, it is possible to process personal data within the scope of the program, relying upon legal grounds such as the data belonging to the parties to the contract, fulfilling a legal obligation clearly stipulated in the law, and similar grounds. Yet, since explicit consent will not be sought in the presence of these justifications, a company that processes personal data must clearly demonstrate the purposes for processing it. For instance, in the event that more personal data is processed than the personal data required for the performance of a contract, profiling is carried out, and the sales strategy of the company is determined, it will not be possible to accept that personal data is processed for the purpose of establishing and performing the contract. It can be said that in the Draft Guidelines, the data necessary for the formation and performance of the contract are narrowly interpreted. On the other hand, the Draft Guidelines state that if personal data is processed for the objectives as calculating the points of persons participating in the loyalty program, informing the person about the points earned, or reminding them that the points that will expire, the performance of the contract can be relied on as a legal basis for doing so. In addition, the Draft Guidelines mention Article 7 of the Regulation on Commercial Communication and Electronic Commercial Messages and emphasizes that that no further consent is required for such promotions other than the consent by commercial electronic messages.

Another important aspect is related to the concept of “legitimate interest,” which constitutes another legal basis. The Draft Guidelines note that in order to process personal data within the framework of legitimate interest, "the legitimate interest must already be determined, the fundamental rights and freedoms of the data subject must not be violated, and there must be no other way for the data controller to achieve the legitimate interest in question that interferes less with the fundamental rights and freedoms of the data subject."

Explicit Consent and Clarification Texts

Explicit consent is defined as “consent to the processing of the data held by the person, either voluntarily or upon request from the other party.” Explicit consent is discussed in detail in the Draft Guidelines and first of all, explanations regarding the form of explicit consent are given. In this context, in cases where it is necessary to process personal data by obtaining explicit consent, obtaining explicit consent should be carried out separately from informing the party.

The Draft Guidelines emphasize that the explicit consent obtained within the scope of a loyalty program must satisfy three conditions. Accordingly, explicit consent must (i) be related to a specific subject matter, (ii) be received after providing relevant information, and (iii) be freely given.

Related to a specific subject matter:

This means that explicit consent must be related to and limited to a specific subject. Open-ended and indefinite explicit consents will not be accepted, and explicit consent must be re-obtained in the event that the purpose of processing changes or secondary transactions are required.

Received after providing relevant information:

This condition is related to clarification texts. Accordingly, clarification texts must be made prior to data processing and must be clear and plain. In the Personal Data Protection Board’s (“Board”) relevant decision, dated 05.07.2019 and numbered 2019/198,  the Board states that it may be appropriate for data controllers offering loyalty programs to take the necessary measures to fully meet the condition of being clear and plain while fulfilling the disclosure obligation, to prepare special disclosure texts for loyalty program customers, or to include special explanations for loyalty program users in general disclosure texts regarding all of the data processing processes of the data controller (using methods such as linking, layered disclosure, etc.).

Freely given:

In order to ensure that the explicit consent is freely given, as a rule, the service should not be conditioned on explicit consent. For instance, in cases where a membership requirement is imposed on customers in order to benefit from a service, it cannot be said that customers freely give their consent. On the other hand, as recognized by the Board, the existence of explicit consent is deemed to exist if companies continue to provide the same service without additional benefits in the absence of explicit consent.[2]

General Principles

The Draft Guidelines, as accepted by the Board, emphasize  that “loyalty programs should comply with the principles of ‘compliance with the law and good faith,’ ‘being accurate and updated when necessary,’ ‘being processed for specific, explicit, legitimate purposes,’ ‘being relevant, limited and proportionate to the purpose for which data is processed’ and ‘being retained for the period stipulated in the relevant legislation or valid for the purpose for which data is processed’ as in all data processing activities.”[3]

Given the specific characteristics of loyalty programs, they also provide the possibility to sign up and log in via social media. Thus, The Draft Guidelines emphasize that the principle of data minimization and purposefulness must be respected even in cases where personal data are processed based on explicit consent.

In a final point, the Draft Guidelines also contain clarifications in terms of data security. In this context, they state that the loyalty program implementer should process and maintain the data processed for the loyalty program in terms of the conditions required by data security, as in all personal data processes. The measures to be taken on the subject are included in the decision of the Board dated 31.01.2018 and numbered 2018/10 on "Adequate Measures to be Taken by Data Controllers in the Processing of Sensitive Personal Data."

Conclusion

Loyalty programs are easily accessible, free of charge and voluntary, so companies reach many people with them. Therefore, the large amount of personal data processed has increased the sensitivity of the issue and led the Authority to publish the Draft Guidelines. In general, data processing under a loyalty program must comply with the rules of personal data protection law. Because these issues can be confusing, especially in terms of the grounds for compliance with the law, the requirements for explicit consent and clarification texts, the Draft Guidelines address them in detail using Board decisions, the decisions of foreign authorities and examples. Hopefully, they will eliminate some confusion.

References
  • Draft Guidelines on Examination of Loyalty Programs within the Scope of Personal Data Protection Legislation, https://www.kvkk.gov.tr/ (Access Date:21.11.2022)
  • Turkish Personal Data Protection Authority’s decsion dated 05.07.2019 and numbered 2019/198.
  • Turkish Personal Data Protection Authority’s decsion dated 25.03.2019 and numbered 2019/82.

All rights of this article are reserved. This article may not be used, reproduced, copied, published, distributed, or otherwise disseminated without quotation or Erdem & Erdem Law Firm's written consent. Any content created without citing the resource or Erdem & Erdem Law Firm’s written consent is regularly tracked, and legal action will be taken in case of violation.

Other Contents

Artificial Intelligence Act Adopted by the European Parliament
Newsletter Articles
Artificial Intelligence Act Adopted by the European Parliament

The first “Artificial Intelligence Act” of all time, which includes rules and regulations that directly affect tools such as ChatGPT, Bard and Midjourney adopted by the European Parliament with a majority of votes. Thus, the European Parliament has officially taken the steps of a regulation that could be a turning point for...

Personal Data Protection 31.07.2023
CJEU Decides That A Mere Infringement of the GDPR Is Not Sufficient for Non-Material Compensation
Newsletter Articles
CJEU Decides That A Mere Infringement of the GDPR Is Not Sufficient for Non-Material Compensation

In its decision regarding Case-300/21 and dated May 4, 2023, the Court of Justice of the European Union (“CJEU”) evaluates the right to compensation for an infringement of the European Union General Data Protection Regulation (“GDPR”) regulated in Article 82 of the GDPR. The CJEU decided that a mere...

Personal Data Protection 31.05.2023
ChatGPT: A Grey Zone Between Privacy, Cybersecurity, Human Rights and Innovation
Newsletter Articles
ChatGPT: A Grey Zone Between Privacy, Cybersecurity, Human Rights and Innovation

ChatGPT, a large language model (LLM) developed by OpenAI, is an artificial intelligence (AI) system based on deep learning techniques and neural networks for natural language processing. ChatGPT can process and generate human-like text, chat, analyse and answer follow-up questions, and acknowledge errors...

Personal Data Protection 30.04.2023
A Comparative Approach to Joint Controllers
Newsletter Articles
A Comparative Approach to Joint Controllers

The Personal Data Protection Law numbered 6698 (“PDPL”) introduces definitions for many concepts such as personal data, data controller, data processor and data subject. In terms of understanding and interpreting these concepts, secondary legislation, Personal Data Protection Authority (“Authority”) guidelines...

Personal Data Protection 31.03.2023
The EU’s Digital Operational Resilience Act for Financial Services Industry Actors Entered into Force
Newsletter Articles
The EU’s Digital Operational Resilience Act for Financial Services Industry Actors Entered into Force

The Covid-19 pandemic and recent technological developments have significantly accelerated the digital transformation of all sectors. However, this rapid change especially in the financial sector (mobile banking, e-commerce, contactless payments, etc.) has brought some risks along with making life extremely...

Personal Data Protection 31.01.2023
Smartwatch Privacy: A Beginner’s Guide
Newsletter Articles
Smartwatch Privacy: A Beginner’s Guide

Smartwatches have undeniably revolutionized our lives in the past decade. Apart from their core function as a timepiece, these wearable computers packaged in the form of a watch enable us to answer incoming calls, reply to messages and skim through social media notifications in seconds. Their steady rechargeable...

Personal Data Protection 31.01.2023
Is the Missing Piece of the Puzzle Found in the Intersection Between GDPR and Antitrust Law?
Newsletter Articles
Is the Missing Piece of the Puzzle Found in the Intersection Between GDPR and Antitrust Law?

The German Competition Authority (“Bundeskartellamt”) had previously found Meta (formerly Facebook) responsible for abusing its dominant position in the social network market by collecting and processing the personal data of its users without their consent and imposed measures on Meta and its associated...

Personal Data Protection 31.10.2022
Guidelines on Personal Data Protection in the Banking Sector Published by the Turkish Personal Data Protection Authority
Newsletter Articles
Guidelines on Personal Data Protection in the Banking Sector Published by the Turkish Personal Data Protection Authority

Banks process large volumes of personal data in their daily operations. In order to deal with this sensitive information, the Turkish Personal Data Protection Authority, in cooperation with the Banks Association of Turkey, published Good Practice Guidelines on Personal Data Protection in the Banking...

Personal Data Protection 30.09.2022
GDPR and Mass Claims
Newsletter Articles
GDPR and Mass Claims

The procedural rules on mass claims within European Union (“EU”) Member States is not uniform. To improve the position of consumers who might wish to make such claims, the European Parliament passed the Collective Redress Directive (“Directive”). The impact of the Directive is expected to...

Personal Data Protection 31.08.2022
Briefing for the Impact Assessment of the Data Act Has Been Published
Newsletter Articles
Briefing for the Impact Assessment of the Data Act Has Been Published

In February 2020, the European Commission (“Commission”) published “A European Strategy for Data” as part of a wider drive concerning digital transformation and policy. Through this communication, the European Union (“EU”), defining itself as having a leading role in the data economy...

Personal Data Protection 31.07.2022
The Regulation on Protection and Processing of Personal Data by the Social Security Institution
Newsletter Articles
The Regulation on Protection and Processing of Personal Data by the Social Security Institution

The Regulation on Protection and Processing of Personal Data by the Social Security Institution (the “Regulation”), the purpose of which is to determine the procedures and principles for processing data obtained within the scope of the duties and authority of...

Personal Data Protection February 2022
A New Era: The Personal Information Protection Law of the People’s Republic of China
Newsletter Articles
A New Era: The Personal Information Protection Law of the People’s Republic of China

The Personal Information Protection Law of the People’s Republic of China (“PIPL”) passed at the 30th meeting of the Standing Committee of the 13th National People’s Congress on 20 August 2021 and entered into force on 1 November 2021 as per Article 74...

Personal Data Protection February 2022
All Eyes of the Data Protection Authorities are on Cookies!
Newsletter Articles
All Eyes of the Data Protection Authorities are on Cookies!

In today's world, there is no doubt that data has become one of the most valuable assets and resources for some companies. The ability to collect, store, process, and analyze data on a large scale has dramatically changed...

Personal Data Protection January 2022
The Right to Be Forgotten
Newsletter Articles
The Right to Be Forgotten
Personal Data Protection November 2021
A Groundbreaking Whatsapp Decision by the Irish Supervisory Authority
Newsletter Articles
Healthcare Sector Publishes a Guideline on Data Protection
Newsletter Articles
Healthcare Sector Publishes a Guideline on Data Protection
Personal Data Protection September 2019
The General Data Protection Regulation in Force
Newsletter Articles
The General Data Protection Regulation in Force
Personal Data Protection May 2018
Destruction of Personal Data
Newsletter Articles
Destruction of Personal Data
Personal Data Protection November 2017
The EU General Data Protection Regulation and Its Territorial Scope
Newsletter Articles

For creative legal solutions, please contact us.