Principle Decision On The Separate Drafting Of Explicit Consent And Privacy Notices By Data Controllers Published

The Principle Decision dated 18 February 2026 and numbered 2026/347 (“Decision”) of the Personal Data Protection Board ( “Board”), published in the Official Gazette dated 24 March 2026 and numbered 33203, sets out the Board’s assessments regarding privacy notices and explicit consent texts that are improperly drafted by data controllers in practice, and includes examples of both compliant and non-compliant practices.

In the Decision, the Board identifies the most common unlawful practices observed in complaints and notifications submitted to the Personal Data Protection Authority. These include the presentation of explicit consent and privacy notices within a single text, obtaining consent for the provision of the privacy notice, the verbatim use of texts prepared by other data controllers, the use of complex, lengthy, or unintelligible texts, and the inclusion of inaccurate or incomplete information.

The Board evaluates these unlawful practices in light of the relevant provisions of the Law No. 6698 on the Protection of Personal Data (“DPL”), the Constitution, and the Communiqué on the Procedures and Principles to be Followed in Fulfilling the Obligation to Inform, and sets forth the following principles to be observed by data controllers in practice:

• No consent or approval should be obtained from data subjects for the reading or review of privacy notices. It is lawful to obtain only confirmation that the privacy notice has been read.

• Data controllers are obliged to fulfil their obligation to inform prior to the commencement of any personal data processing activity, regardless of the legal basis relied upon.

• Where personal data processing is based on explicit consent, privacy notices and explicit consent texts must be drafted as separate documents under distinct headings. If presented on the same page, they must be arranged consecutively and structured in a way that allows separate declarations for each.

• Where processing is based on legal grounds other than explicit consent, only a privacy notice should be provided.

• Each data controller must prepare its own privacy notice tailored to its specific processing activities, rather than using texts prepared by other data controllers verbatim. In addition, such texts must be clear, concise, and comprehensible, and must avoid incomplete, ambiguous, or misleading statements, as well as unnecessarily lengthy or complex wording.

• Privacy notices must clearly and explicitly set out the categories of personal data processed, the purposes of processing, and the legal basis relied upon.

The Board further considers that the matters set out in the Decision constitute part of the technical and administrative measures that data controllers are required to implement pursuant to Article 12/1 of the DPL, in order to ensure the lawful processing of personal data. Accordingly, it is stated that administrative action will be taken against data controllers that fail to comply with the obligations set forth in the Principle Decision, in accordance with Article 18 of the DPL. As noted above, the Decision also includes an annex providing examples of good and bad practices for the purpose of informing and guiding the public, particularly data controllers, which can be reviewed in the Official Gazette publication (in Turkish).

Assessment

By drawing attention to a frequently encountered compliance issue in practice, the Board reiterates the requirement (which is clearly stipulated under the DPL and secondary legislation) that privacy notices and explicit consent texts must be drafted separately. Data controllers are therefore expected to reassess their current practices in light of the Decision, ensure that their obligation to inform is fulfilled through compliant methods and documentation, and, where explicit consent is required as a legal basis, obtain such consent through separate and duly structured texts.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.