Recent Developments
The Turkish Personal Data Protection Board (the “Board”) adopted Principle Decision No. 2026/347 dated 18 February 2026 (the “Principle Decision”), ruling that data controllers must prepare explicit consent texts and privacy notice (disclosure) texts as separate documents. The Principle Decision was published in the Official Gazette dated 24 March 2026 and numbered 33203, entering into force upon publication.
The Board emphasized that the intertwined presentation of explicit consent and privacy notice texts to data subjects is one of the most frequently encountered legal violations in complaints and notifications received by the Authority. The Principle Decision explicitly establishes that the obligation to inform, regulated under Article 10 of the Law on the Protection of Personal Data No. 6698 (the “Law”), and the concept of explicit consent, defined under Article 3 of the Law, are fundamentally different legal concepts that must be addressed separately.
Distinction Between Explicit Consent and the Obligation to Inform
Under Article 3 of the Law, explicit consent is defined as “consent that is related to a specific subject, based on being informed, and declared with free will.” Explicit consent represents a freely given, specific, informed, and unambiguous declaration of will by which the data subject indicates his/her approval for the processing of personal data. Articles 5 and 6 of the Law list explicit consent among the conditions for processing personal data and special categories of personal data, respectively.
The obligation to inform, on the other hand, is regulated under Article 10 of the Law. Under this obligation, the data controller or an authorized person must provide data subjects with the following information at the time of collecting personal data: (i) the identity of the data controller and, if any, its representative; (ii) the purpose of processing personal data; (iii) the recipients to whom personal data may be transferred and the purpose of such transfer; (iv) the method and legal basis for collecting personal data; and (v) the rights set out in Article 11 of the Law.
The critical distinction highlighted in the Principle Decision is as follows: the obligation to inform must be fulfilled in all cases where personal data is processed, regardless of whether the processing is based on explicit consent or any other lawful processing condition under the Law. Explicit consent, however, is a processing condition that is relied upon only where no other processing condition listed in Articles 5 and 6 of the Law applies.
Requirements Introduced by the Principle Decision
The Principle Decision is grounded in Article 5(1)(f) of the Communique on Procedures and Principles to be Observed in Fulfilling the Obligation to Inform (the “Communique”), which stipulates that “where personal data processing is carried out based on explicit consent, the obligation to inform and the collection of explicit consent must be performed separately.” The Principle Decision elaborates on the practical application of this provision in detail.
The key rules that data controllers must observe under the Principle Decision can be summarized as follows:
- The obligation to inform must be fulfilled in all cases before the commencement of data processing, regardless of which processing condition under the Law the data processing activity is based on, including explicit consent.
- Where data processing is carried out based on explicit consent, the privacy notice and the explicit consent text must be prepared and presented to data subjects as separate documents.
- Even if the privacy notice and the explicit consent text are located on the same page, they must appear under separate headings (stacked vertically) and contain separate declarations for each text.
- Where data processing is based on a processing condition other than explicit consent, only the obligation to inform needs to be fulfilled; an explicit consent text must not be presented to data subjects in such cases.
- It is sufficient to obtain confirmation from data subjects that the privacy notice has been read and understood; consent or approval must not be requested for the information contained in the privacy notice.
Frequently Identified Violations
The Principle Decision also explicitly identifies the legal violations most frequently encountered in practice:
- Presenting explicit consent and privacy notice texts as a single intertwined document.
- Requesting consent or approval from data subjects regarding the fulfillment of the obligation to inform.
- Verbatim copying of texts prepared by other data controllers without adapting them to the data controller’s own operations and activities.
- Failing to use clear, comprehensible, and plain language in privacy notices; including generic, ambiguous, incomplete, misleading, or inaccurate information.
- Using excessively detailed, complex, and lengthy texts.
Statement Wording in Privacy Notices
The Principle Decision draws attention to a significant distinction regarding the acknowledgment statements at the end of privacy notices. Since the purpose of the obligation to inform is solely to notify data subjects about the processing of their personal data, privacy notices do not constitute contractual documents.
| Non-Compliant Statements | Compliant Statement |
|---|---|
| ”I have read and accept" | "I have read and understood" |
| "I have read and give my explicit consent" | |
| "I have read and approve” |
Accordingly, statements such as “I have read and accept,” “I have read and give my explicit consent,” or “I have read and approve” at the end of privacy notices are considered non-compliant. Instead, a statement confirming that the data subject has read and understood the privacy notice - such as “I have read and understood” - is deemed lawful.
Good and Bad Practice Templates
The Principle Decision includes two annexes to guide data controllers. Annex 1 (Good Practice Templates) provides examples of properly separated privacy notices and explicit consent texts in two formats (separate pages and a single page layout). The explicit consent text is presented under a separate heading, covering only data processing activities based on explicit consent, and includes the options “I give my explicit consent / I do not give my explicit consent.”
Annex 2 (Bad Practice Template) presents an example where privacy notice and explicit consent texts are merged, legal bases and data categories are not clearly specified, and the statement “I have read and accept the privacy notice” is used at the end. The Board has stated that such practices contravene the requirement to separate explicit consent and privacy notice texts.
Enforcement
The Principle Decision has informed the public that the measures outlined therein constitute administrative and technical safeguards that data controllers are required to adopt under Article 12(1) of the Law, and that non-compliance will result in enforcement action under Article 18 of the Law. Data controllers that fail to comply may face administrative fines.
Conclusion
The Principle Decision directly addresses one of the most persistent compliance issues and the most frequently reported violation category in complaints to the Authority. In light of the above, data controllers are advised to promptly take the following steps:
- Review existing privacy notices and explicit consent texts, and separate any intertwined or merged documents.
- Update the acknowledgment statements at the end of privacy notices in line with the Principle Decision (replacing “I have read and accept” with “I have read and understood”).
- Refrain from presenting explicit consent texts for data processing activities that do not rely on explicit consent as the lawful processing condition.
- Audit all data collection processes across websites, mobile applications, and physical forms for compliance with the Principle Decision.
- Update existing texts using the good practice templates included in the annex to the Principle Decision as a reference.test paragraph here.
For further information: [email protected] | www.semizlaw.com