With its principle decision dated 18 February 2026 and numbered 2026/347 (the “Principle Decision”), the Personal Data Protection Board (the “Board”) has set out the principles regarding the requirement for data controllers to prepare explicit consent texts and privacy notices separately. The relevant Principle Decision was published in the Official Gazette dated 24 March 2026 and numbered 33203, and on the website of the Personal Data Protection Authority.
What Are the Principles Introduced Under the Principal Decision?
It can be said that a significant part of the Principle Decision is in line with the Authority’s previous guidelines and decisions. However, it is understood that, particularly with respect to certain common practices (such as the approach to informing data subjects of their rights and the structuring of related texts), clearer distinctions and more concrete, practice-oriented guidance have been introduced.
In its assessment, the Board emphasized that:
- The obligation to inform is not subject to the data subject’s consent and must be fulfilled prior to the data processing activity;
- Explicit consent, on the other hand, is only one of the legal grounds for data processing set out under the Law No. 6698 on the Protection of Personal Data (the “Law”) and has a distinct legal nature.
Within this scope, the Board has stipulated that data controllers must conduct explicit consent and privacy notice processes independently from one another. In summary:
- The obligation to inform must be fulfilled in all cases and prior to the data processing activity, regardless of the legal basis on which the processing is based.
- In data processing activities based on explicit consent, the privacy notice and the explicit consent text must be prepared separately and presented under different headings. Even if these texts are presented on the same page, their content and declarations must be clearly distinguished, and both processes must not be carried out through a single consent.
- Where personal data is processed based on legal grounds other than explicit consent, it is sufficient to fulfill only the obligation to inform.
- No consent should be obtained from data subjects regarding the statements included in privacy notices; instead, only confirmation that the information has been provided should be obtained.
- The texts must be drafted in a clear, plain, and comprehensible language; misleading, incomplete, or overly generic expressions should be avoided. Additionally, rather than directly including lengthy explanations (such as data subject rights), reference-based wording should be preferred.
- Data controllers must tailor the texts they use to their specific activities and must not use texts belonging to other organizations verbatim.
- In privacy notices, the categories of personal data processed, as well as the purposes and legal bases of processing, must be clearly and explicitly stated.
The annexes of the Principle Decision also include templates of good practices (sample compliant texts) and bad practices (sample non-compliant texts) to guide data controllers.
For data controllers, it is important not only to ensure that the content of the texts is compliant, but also to properly separate the processes of the obligation to inform and explicit consent in line with the Principle Decision. It should also be noted that the above requirements will be considered within the scope of the technical and administrative measures to be taken under Article 12 of the Law, and that failure to comply with these obligations may result in administrative sanctions pursuant to Article 18 of the Law.
You may access the Principle Decision published by the Board
here.
Att. Aslı Kınsız
Trainee Lawyer Ece Koçlar