The “Principle Decision on the Requirement for Data Controllers to Prepare Explicit Consent and Privacy Notices Separately” (“Principle Decision”), dated 18.02.2026 and numbered 2026/347, was published in the Official Gazette on 24.03.2026 by the Turkish Personal Data Protection Authority (“Authority”).
The Principle Decision stipulates that data controllers must prepare explicit consent texts and privacy notices separately in terms of both content and presentation, and that these two obligations must be fulfilled independently.
Presenting explicit consent and privacy notices to data subjects in an intertwined manner is unlawful due to the fundamentally different nature of these concepts. Article 20 of the Constitution, Articles 3, 5, 10, and 12 of the Personal Data Protection Law No. 6698 (the “Law”), and Article 5/f of the Communiqué on the Principles and Procedures to be Followed in Fulfilment of the Obligation to Inform are mandatory provisions. Within this framework, the Principle Decision emphasizes that the obligation to inform—being independent of any request or approval of the data subject—must be fulfilled by data controllers prior to the commencement of personal data processing in all cases, regardless of which legal basis (including explicit consent) the processing relies upon under the Law.
If the personal data processing activity is based on explicit consent, the privacy notice and the explicit consent text must be prepared separately and presented to the data subjects. Even if these texts are presented on the same page, they must be arranged one below the other under separate headings, and separate declarations must be obtained for each, as they differ in nature.
Through the Principle Decision, several unlawful practices in the market are addressed, including presenting privacy notices and explicit consent texts together, requesting approval/consent from data subjects to confirm that they have been informed, using another data controller’s texts without adapting them to one’s own activities, employing vague, incomplete, misleading, or incorrect language instead of clear and plain wording, and using overly long and complex texts.
Below are all the requirements set out in the Principle Decision:
- The obligation to inform must be fulfilled prior to the commencement of data processing, independently of the legal basis for processing and in all cases.
- If the processing activity is based on explicit consent, privacy notices and explicit consent texts must be prepared separately under different headings.
- If the texts are presented on the same page, they must be arranged one below the other with different headings, and separate declarations must be obtained for each text.
- If the processing activity is based on a legal ground other than explicit consent, only an privacy notice should be provided; an explicit consent text must not be presented.
- Feedback should be obtained from data subjects confirming that they have read/been informed; however, no approval or consent should be requested regarding the content of the privacy notice.
- Texts prepared by another data controller must not be used without adapting them to the organization’s own activities.
- Texts must be clear, understandable, written in plain language, and must not include incomplete, misleading, ambiguous, or incorrect expressions; overly complex and lengthy texts must be avoided.
- Privacy notices must clearly and explicitly state the personal data processed, categories of such data, as well as the purposes and legal grounds for processing.
The above-mentioned matters constitute administrative and technical measures that must be taken by data controllers to ensure the lawful processing of personal data pursuant to Article 12(1) of the Law. In case of non-compliance, actions will be taken against the relevant data controllers in accordance with Article 18 of the Law. Accordingly, the public has been informed, and the Board has adopted this Principle Decision to emphasize that explicit consent texts and privacy notices—being fundamentally different concepts—must be prepared separately by data controllers.
The relevant Principle Decision also includes annexes containing examples of “Good Practice Templates” and a “Bad Practice Template.”
You may access the full text of the Principle Decision, dated 18.02.2026 and numbered 2026/347, published by the Personal Data Protection Authority on 24.03.2026, via the following link:
https://www.resmigazete.gov.tr/eskiler/2026/03/20260324-3.pdf
For detailed information and professional support during the compliance process, feel free to contact us.
This Legal Alert has been prepared for general information purposes only on current legal issues, and the evaluations contained in this Legal Alert do not constitute legal advice or a legal opinion. It is not possible to impose any liability on SRP-Legal Law Office due to the content of this Legal Alert. It is recommended to obtain the opinion of a legal advisor regarding your questions and enquires within the scope of this Legal Alert.
