Türkiye’s data protection board rules explicit consent texts and privacy notices must be prepared separately by data controllers
Türkiye’s Personal Data Protection Board’s principle decision 2026/347 of 18 February 2026 on the requirement to prepare explicit consent and privacy notices separately, which was published in the Official Gazette on 24 March 2026, addresses one of the most prevalent violations according to complaints received by the Board – the presentation of explicit consent texts and privacy notices to data subjects in an intertwined manner. According to the Board’s Principle Decision, such texts must be prepared and presented separately. For personal data processing activities based on explicit consent, data controllers must revisit their text structures and consent flows.
Within the Principle Decision, the Board identified several recurring compliance issues in practice. These include presenting explicit consent texts and privacy notices as a single document, requesting approval or consent from data subjects in the course of fulfilling the obligation to inform, using texts copied verbatim from other data controllers without adapting them to specific processing activities, and relying on notices that lack clarity and plainness or contain misleading, incomplete, or ambiguous statements (e.g. suggesting that personal data are transferred abroad when no such transfer takes place, or using vague expressions such as “your personal data are processed in accordance with Articles 5 and 6 of the Personal Data Protection Law No. 6698”).
The Board also criticised the use of unnecessarily lengthy and complex texts as a further deficiency and classified all such practices as unlawful under the Principle Decision.
Key principles
The Board also underscored that explicit consent and the obligation to inform constitute distinct legal constructs in their legal nature and function and must not be implemented in an interconnected or intermingled manner, whether through a single text, declaration, or approval flow.
The Principle Decision sets out the following considerations to be observed by data controllers:
- The obligation to inform, which is not contingent upon the request or consent of the data subject, must be fulfilled in all circumstances and prior to the processing of personal data, irrespective of the legal basis on which the processing activity is carried out.
- In processing activities based on explicit consent, information notices and explicit consent texts must be prepared separately under distinct headings and presented independently, even if on the same page, in a consecutive and clearly distinguishable manner with separate declarations obtained for each.
- Where the processing activity is based on a legal ground other than explicit consent as provided under the Law, only the obligation to inform must be fulfilled. No explicit consent text should be presented. Obtaining consent for precautionary purposes where explicit consent is not legally required is not considered appropriate.
- Data subjects must confirm that they have read and understood the information notice. No approval or consent should be sought in relation to the privacy notice. Combined declarations such as “I have read, understood, accepted and give my explicit consent” should be avoided, and privacy notices should not be structured as contracts or approval texts. The Board also recalled that the burden of proof regarding the fulfilment of the obligation to inform rests with the data controller.
- Texts prepared by other data controllers must not be used verbatim. Each text must be specifically tailored to the data controller’s own activities.
- Texts must be clear, comprehensible, and drafted in plain language. Misleading, incomplete, or inaccurate statements must be avoided.
- Unduly lengthy and complex texts should be avoided (e.g. instead of reproducing the full text of Article 11 of the Law, the expression “your rights under Article 11 of the Law” should be used).
- Information notices must clearly and explicitly set out the categories of personal data processed, and the purpose and legal grounds of the processing activity.
These obligations constitute part of the administrative and technical measures that data controllers are required to implement under Article 12 of the Law, and it was underlined that administrative fines may be imposed pursuant to Article 18 of the Law (ranging from approximately EUR 4,859 to EUR 324,005) in the event of non-compliance with these principles.
The Principle Decision also includes an annex providing illustrative examples of good and bad practices to inform and guide the public, particularly data controllers. These examples should serve as a practical reference point for assessing existing practices and identifying areas requiring improvement. They should be carefully taken into consideration by data controllers in their compliance efforts.
Conclusion
The Board did not grant a separate compliance transition period under the Principle Decision, which clarifies the implementation standard that should already be met under the current legislation rather than establishing a forward-looking transition timetable.
Data controllers should review their existing privacy notices and explicit consent texts on an activity-by-activity basis across all digital and physical channels, including websites, mobile applications, membership forms, call centre flows, campaign participation screens, employee processes, and customer onboarding documents.
Combined texts and approval flows should be identified and the necessary separation work should be carried out in coordination with the relevant departments. This approach will ensure compliance with the applicable legal framework, enhance transparency and foster trust with data subjects.
For more information on the Principle Decision and its implications in Türkiye, contact the experts who contributed to this article: alican.babalioglu@ybk-av.com, melis.celik@ybk-av.com, and ezgi.bahar@ybk-av.com.