The Turkish Data Protection Board Issued A Principle Decision On The Separate Preparation Of Explicit Consent Texts And Privacy Notices

Recent Development

The Turkish Data Protection Board (“Board”), through its principle decision dated 18 February 2026 and numbered 2026/347 (“Principle Decision”), clarified that explicit consent texts and privacy notices presented by data controllers to data subjects must be prepared separately. The Principle Decision was published in the Official Gazette dated 24 March 2026 and numbered 33203.

The Board notes that, in practice, the preparation of explicit consent texts and privacy notices in an intertwined manner is among the most common unlawful practices identified in notices and complaints submitted to the Authority. In this respect, the Principle Decision indicates that, particularly in personal data processing activities based on explicit consent, data controllers should revisit their text structures and consent flows.

What Does the Decision Say?

The Board states that the obligation to inform and explicit consent are different concepts in terms of their legal nature and function. Accordingly, presenting these mechanisms within the same text, through a single declaration, or within a single approval flow is not considered appropriate. The Board further emphasizes that, where personal data processing is based on explicit consent, fulfillment of the obligation to inform and obtaining explicit consent must be carried out separately.

Within this framework, the Board indicates the following principles:

• First, the obligation to inform must be fulfilled before the commencement of the personal data processing activity, regardless of any request or approval of the data subject. The Board treats this obligation as an independent obligation, separate from the legal ground for processing.
• Second, where the personal data processing activity is based on explicit consent, the privacy notice and the explicit consent text must be prepared under separate headings and as separate texts. Although they may appear on the same page, they must be clearly separated in terms of content and declaration fields.
• Third, where the personal data processing activity is based on one of the legal grounds other than explicit consent, a separate explicit consent text should not be presented to data subjects. In this respect, the Board’s approach also suggests that obtaining consent for precautionary purposes, where explicit consent is not in fact required, is not appropriate.
• Fourth, data subjects may only be asked to provide a declaration confirming that they have read the privacy notice and have been informed. However, the privacy notice should not be turned into an approval or consent text through wording such as “I have read, understood and accepted” or similar statements. The Board also recalls that the burden of proof with respect to the fulfillment of the obligation to inform rests with the data controller.
• Finally, the Board underlines that such texts must be drafted in a clear, plain and simple manner; vague, ambiguous, misleading or unnecessarily lengthy statements should be avoided; and each text should be prepared in line with the relevant data controller’s own personal data processing activities. In this respect, the Board also indicates that texts prepared by other data controllers should not be used on a word-for-word basis.

Conclusion and Practical Implications

The poor practice template attached to the Principle Decision almost exactly reflects the text structure widely used in practice. This suggests that a significant portion of existing texts may be inconsistent with the standard set out by the Board. Existing text sets may therefore need to be reviewed, particularly in relation to websites, mobile applications, membership forms, call center flows, campaign participation screens, employee processes and customer onboarding documents.

Within this framework, the key action points for data controllers can be summarized as follows:

• Privacy notices should be presented before the commencement of personal data processing and independently of the data subject’s approval.
• Where explicit consent is required, it should be obtained through a separate text and a separate declaration of will.
• Even where the same page is used, the privacy notice and explicit consent sections should be clearly separated in terms of heading, content and declaration fields.
• The legal ground relied upon for each processing activity should be identified accurately, and the relevant texts should be tailored to the data controller’s own activities.
• Texts should be drafted in concise, clear and concrete language.

The following practices should, on the other hand, be avoided:

• combining the privacy notice and explicit consent in a single text.
• using combined declarations such as “I have read, understood, accepted and give my explicit consent”.
• attempting to collect consent automatically even for processing activities for which explicit consent is not required.
• structuring the privacy notice as if it were a contract or an approval text.
• using sample texts obtained from other companies on a word-for-word basis; and
• making it more difficult for the data subject to be genuinely informed through vague, generic, misleading or excessively lengthy explanations.

The Board did not grant a separate compliance period under the Principle Decision. Therefore, rather than establishing a forward-looking transition timetable, the Principle Decision clarifies the implementation standard that should already be adopted under the current legislation. In this respect, data controllers should review their existing privacy notices and explicit consent texts on an activity-by-activity basis, identify combined texts and combined approval flows across all digital and physical channels, and carry out the necessary separation work in coordination with the relevant departments.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.