KVKK and SMS: Phone numbers, explicit consent, and liability
A phone number is personal data under Turkey's Personal Data Protection Law No. 6698 (KVKK), and collecting, storing, processing, and sharing it with third parties is governed by specific rules; using a number to send an SMS is a personal-data processing activity that must rest on a lawful basis required by KVKK (explicit consent or a statutory exception). This guide explains how KVKK applies to SMS, how it differs from İYS, and who is liable when a complaint is filed.
TL;DR
- A phone number is personal data under KVKK; sending an SMS is a processing activity.
- KVKK requires either explicit consent or a statutory basis (contract performance, legitimate interest, etc.).
- KVKK ≠ İYS. KVKK protects personal data; İYS captures commercial-messaging consent. Both are required.
- Informational SMS (order, OTP, appointment) requires only a KVKK basis; no separate İYS consent is needed.
- Commercial SMS requires KVKK explicit consent plus an İYS ONAY record.
- On a KVKK breach, the data controller (the brand sending the message) is fined; the SMS provider is the data processor.
Why KVKK applies to sending SMS
KVKK regulates the entire lifecycle of personal data, "from collection to deletion." Sending an SMS triggers KVKK at these stages:
- Collection: Capturing the phone number from a sign-up form, order form, or call centre.
- Storage: CRM, e-commerce database, customer system.
- Processing: Using the number to send an SMS.
- Transfer: Sharing the number with the SMS provider (e.g. iletiMerkezi).
- Deletion / anonymisation: When the relationship ends or the data subject requests it.
Each stage needs a lawful basis and transparent communication with the data subject. The recipient may at any time ask what their data is used for and request rectification or erasure; the data controller is obliged to respond.
Explicit consent and statutory exceptions
KVKK provides two paths to lawful processing:
- Explicit consent: A freely-given, specific, informed, and unambiguous declaration: "Yes, you may use my phone number for purpose X."
- Statutory exception: Necessity for contract performance (order confirmation, shipping notice), compliance with a legal obligation (tax, insurance), legitimate-interest balance, factual impossibility.
In practice:
| SMS purpose | Lawful basis | İYS consent |
|---|---|---|
| Order/appointment/OTP/invoice notification | Contract performance | Not required |
| Service outage / security alert | Legitimate interest | Not required |
| Survey, feedback invitation | Explicit consent (typically) | Required if commercial |
| Discount, campaign, new product | Explicit consent | Required |
| Loyalty programme update | Explicit consent | Required |

Important: Assumptions like "anyone who fills the sign-up form has agreed to receive commercial messages" are invalid under KVKK. Explicit consent must always be separate (independent of the contract), informed, and freely given.
The clarification obligation
When you collect a phone number you must clearly tell the user (clarification text):
- The data controller's identity (legal name, registry number, contact).
- The purpose of processing (e.g. order tracking, marketing).
- The recipients of the data (e.g. SMS provider, courier).
- The collection method and lawful basis.
- The data subject's rights (access, rectification, erasure, objection).
The clarification text must sit at or near the form fields, in small but readable type.
KVKK vs İYS: Different laws, different obligations
| Dimension | KVKK | İYS |
|---|---|---|
| Subject matter | Processing of personal data | Consent for commercial electronic messages |
| Law | Law No. 6698 (KVKK) | Law No. 6563 (Electronic Commerce) |
| Authority | Personal Data Protection Board | BTK + Ministry of Trade (via İYS) |
| Data | All personal data (number, name, e-mail, IP, etc.) | Only commercial-messaging consents (SMS, e-mail, voice) |
| Consent type | Explicit consent or statutory basis | ONAY or RET (registered in İYS) |
| Informational SMS | Clarification + valid basis is enough | Out of scope |
| Commercial SMS | Explicit consent required | İYS ONAY required |
In practice: Both checks happen for commercial SMS. Without explicit consent you should not have stored the number; without an İYS ONAY record you cannot send.
Liability: data controller vs data processor
KVKK defines two roles:
- Data controller: The party determining the purpose and means of processing. For SMS sending, the brand authoring and dispatching the message.
- Data processor: A third party that processes data on behalf of the controller. The SMS infrastructure (e.g. iletiMerkezi).
When a breach occurs, primary liability rests with the data controller; the Board issues fines to the brand. The processor is obliged to implement the technical and organisational security measures stipulated in the contract, but the responsibility for "consented vs not" sits with the brand.
iletiMerkezi is a BTK-licensed data processor; you are responsible for the consent status of the numbers you send to and for the content of your messages. The role separation is explicit in our terms of service.
Consequences of a breach
- Depending on severity, the Board issues administrative fines to the company. As of 2026 the upper bounds reach the millions of TRY.
- Under Law No. 6563, fines can apply per recipient; for a single campaign covering thousands of recipients, the figure escalates quickly.
- Repeat offences compound.
- Reputational damage, customer claims, and litigation risk are additional exposures.
Frequently asked questions
Q: Do I have to register with VERBİS as a data controller? Companies above the legal thresholds for headcount and turnover must register with VERBİS. Below the threshold, registration is not mandatory, but KVKK compliance still applies in full.
Q: Is a phone number a "special-category personal data" under KVKK? No. It does not fall under sensitive categories like health, religion, union membership. It is standard personal data; processing it still requires a lawful basis.
Q: A customer asked me to delete their data — what should I do? Unless your retention is justified by a legal obligation (tax, accounting, etc.), delete or anonymise. You must respond within 30 days.
Q: Does KVKK apply when I message recipients abroad? A data controller established in Turkey is bound by KVKK regardless of where the recipient is. If the recipient is abroad, the local regime (GDPR, CCPA, etc.) may apply additionally.
Q: If my SMS provider has a security incident, is that a breach for me? A breach at the processor creates notification and mitigation obligations for you as the controller. iletiMerkezi handles potential incidents under its information-security framework; the parties' duties are defined in the contract.
iletiMerkezi tooling that helps with KVKK
- Blacklist (add-blacklist): Block opt-out customers in a single request. See: add-blacklist API.
- İYS integration: Batch-upload İYS consents and validate before send. See: İYS guide.
- Access management: Toggle API permission per user, define IP whitelists.
- Retention policy: Send reports are deleted from the account after a fixed window; this can be aligned with your own retention policy.
Last updated: 2026-04-30