A Critical Distinction Between Explicit Consent And Information Notices By Personal Data Protection Board

Sakar is a client and solution oriented, investigative and innovative law firm based in Istanbul. Our Firm is committed to provide our clients with high-quality legal services and business-minded approach. We are a full service law firm to clients across a wide range of areas including Mergers and Acquisitions, Corporate and Commercial, Contracts, Banking and Finance, Competition, Litigation, Employment, Real Estate, Energy, Capital Markets, Foundations, E-commerce, Media and Technology, Data Privacy and Data Protection and Intellectual Property. In order to offer the best possible service for our clients, we harness the latest market developments in legal technology and innovation and we closely follow the legislative changes in Turkish Law. Our lawyers are multi-specialists, equipped to handle a broad range of legal matters. In addition to our depth of experience and awareness of market practice, clients know they will benefit from our team’s innovative mindset and willingness.

Explore Firm Details

The Turkish Personal Data Protection Board (“Board”) has clarified a key issue in data protection practices through its Principle Decision dated 18 February 2026 and numbered 2026/347.

Turkey Privacy

Article Insights

Sakar Law Office are most popular:

within Energy and Natural Resources topic(s)

A. Introduction

The Turkish Personal Data Protection Board (“Board”) has clarified a key issue in data protection practices through its Principle Decision dated 18 February 2026 and numbered 2026/347. With this decision, the Board explicitly emphasized that information notices and explicit consent texts must be drafted separately, taking a clear stance against the commonly adopted “single document” approach. This development is expected to have a direct impact on the documentation structures and compliance processes of data controllers operating in Turkey.

B. Legal Framework

Under the Turkish Personal Data Protection Law No. 6698 (“Law”):

The obligation to inform (information notice) refers to the data controller’s duty to inform data subjects;
Explicit consent, on the other hand, is a legal basis applicable only to certain data processing activities.

The Board underlines that these two concepts have distinct legal natures and must therefore be assessed independently.

C. Key Takeaways from the Decision

a. Information Notices Are Not Tools for Obtaining Consent

The purpose of the obligation to inform is to provide information regarding the personal data processed and the processing activities—not to obtain consent.

Accordingly:

Data subjects should only be expected to declare that they have “read and understood” the information notice;
Statements such as “I have read and accept” or “I have read and give explicit consent” are not considered legally valid.

b. Separate Drafting of Texts Is Mandatory

The Board clearly states that:

Information notices and explicit consent texts must be prepared separately;
Presenting them within a single text creates a risk of non-compliance with the law.

c. Explicit Consent Must Be Based on Genuine and Free Will

For explicit consent to be valid, it must be based on the data subject’s free will.

General statements obtained together with information notices do not meet this requirement and cannot be considered as valid explicit consent.

d. The Obligation to Inform Takes Precedence

The obligation to inform:

Must be fulfilled prior to the data processing activity;
Is independent from explicit consent and does not cease to exist even if explicit consent is obtained.

In addition:

Even where explicit consent is obtained, the obligation to inform remains;
If data processing relies on another legal ground (e.g., performance of a contract), explicit consent should not be requested—only the obligation to inform should be fulfilled.

e. Use of a Single Document

If both information notice and explicit consent texts are included in the same document:

They must be structured under separate headings;
They must contain separate declarations;
A clear and non-misleading distinction must be ensured.

f. Language and Content Standards

The Board also highlights that:

Texts must be clear, plain, and understandable—overly long and complex texts should be avoided;
Generic, vague, or misleading expressions should not be used;
The purpose of processing and legal basis must be clearly stated;
Each data controller must prepare tailored texts specific to its own activities.

D. Practical Implications

This Principle Decision reflects a shift from formalistic compliance towards a focus on substance and genuine intent in data protection practices.

Accordingly, data controllers are expected to:

Review their existing document sets;
Separate combined (single-text) structures;
Remove “acceptance/approval” statements from information notices;
Assess, on a case-by-case basis, whether explicit consent is truly required;
Redesign user flows, particularly on digital platforms.

E. Conclusion

This Principle Decision introduces a significant level of standardization and stricter scrutiny in the practice of the Law. More importantly, it clearly establishes the following principle: Information and consent cannot be obtained through the same declaration. Accordingly, for data controllers, not only the content of documents but also their structure and user experience have now become integral elements of compliance.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.