The Principle Decision On The Requirement For Explicit Consent Texts And Privacy Notices To Be Prepared Separately By Data Controllers Has Been Published

On 24 March 2026, the Personal Data Protection Authority (the “Authority”) published the “Principle Decision on the Requirement for Explicit Consent Texts and Privacy Notices to be Prepared Separately by Data Controllers” (“Principle Decision”). The Principle Decision indicates that the presentation of explicit consent texts and privacy notices together in a combined manner by data controllers is one of the most common unlawful practices encountered in complaints and notifications submitted to the Authority.

In this respect, the Principle Decision does not introduce any new requirements, but rather draws attention to incorrect practices in implementation and the key points to be considered by compiling the existing legislative provisions and the established approach of the Authority in a single text. Within the scope of the Principle Decision, the main points to be considered regarding explicit consent texts and privacy notices are summarized below.

• The obligation to inform must be fulfilled in all cases, regardless of the legal basis for processing, and before the processing of personal data begins.

• In personal data processing activities based on explicit consent, privacy notices and explicit consent texts must be prepared separately.

• If privacy notices and explicit consent texts are presented on the same page, they must be provided under separate headings (one below the other) and in a way that requires separate declarations.

• In personal data processing activities where explicit consent is not required, only the obligation to inform must be fulfilled, and explicit consent must not be obtained.

• For the privacy notice, approval/consent in the form of “I have read and approve/accept” should not be requested; only feedback indicating that it has been read in the form of “I have read and understood” should be obtained.

• Texts must not be copied from other data controllers and must be prepared in accordance with each data controller’s own activities.

• A clear, understandable and plain language should be used; misleading or ambiguous statements should not be included, and long and complex texts should be avoided.

• The personal data processed and their categories, together with the purposes of processing and the legal basis, must be clearly and explicitly stated.

If it is determined that the above requirements are not complied with, administrative fines may be imposed on data controllers pursuant to Article 18 of the Personal Data Protection Law No. 6698.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.