The Principle Decision of the Turkish Data Protection Board (“Board”) dated 18 February 2026 and numbered 2026/347, titled Principle Decision on the Requirement for Data Controllers to Prepare Explicit Consent Texts and Privacy Notices Separately (the “Principle Decision”), was published in the Official Gazette dated 24 March 2026. Through the Principle Decision, the Board clarifies how data controllers should distinguish explicit consent texts and privacy notices in light of one of the most common unlawful practices encountered in practice, namely the presentation of these texts to data subjects in an intertwined manner.

Legal Nature of Privacy Notices and Explicit Consent

The Principle Decision emphasises that explicit consent texts and privacy notices are distinct in terms of their legal nature. In this respect, the disclosure obligation constitutes the data controller’s duty to inform data subjects whose personal data are processed, whereas explicit consent is one of the legal grounds for the lawful processing of personal data under the Personal Data Protection Law No. 6698 (the “Law”).

It is further stated that the disclosure obligation under Article 10 of the Law is an obligation to inform data subjects and that privacy notices do not have the nature of a contract. Accordingly, privacy notices are not documents that must be “accepted” by data subjects, but rather unilateral statements through which data controllers fulfil their disclosure obligation.

In line with this approach, the Board considers it unlawful to present privacy notices together with explicit consent texts through statements such as “I have read and accept,” which are commonly encountered in practice. The Board clearly states that data controllers may only obtain confirmation from data subjects that they have read and understood the privacy notice, whereas explicit consent cannot be obtained in relation to the content of the privacy notice itself. The Board also underlines that the burden of proving that the disclosure obligation has been duly fulfilled rests with the data controller.

Key Principles Introduced by the Principle Decision

The Board indicates that the disclosure obligation must be fulfilled by data controllers in all cases, prior to the commencement of the data processing activity, and regardless of whether the processing is based on explicit consent or any other legal ground listed under the Law.

Where personal data processing is based on explicit consent, the privacy notice and the explicit consent text must be prepared separately and presented to data subjects as distinct texts. Even if these texts are presented on the same page, they must be structured under separate headings and in a way that allows for separate declarations of intent. On the other hand, where the processing is based on one of the other legal grounds set forth under the Law, it is emphasised that it is sufficient to fulfil only the disclosure obligation and that no explicit consent text should be presented to data subjects. The good and bad practice examples included in the annexes to the Principle Decision further illustrate these principles.

The Board further underlines that texts prepared by other data controllers should not be copied verbatim and that each data controller must prepare its texts in accordance with its own organisation and processing activities.

The Principle Decision also includes important assessments regarding the wording and content of the texts. In this regard, it is emphasised that privacy notices and explicit consent texts must be drafted in a clear, simple and comprehensible manner, ensuring that they can be easily understood by data subjects.

It is further stated that generic, ambiguous, incomplete, misleading or inaccurate statements should not be included, and that excessively long, detailed and complex texts should be avoided. In addition, privacy notices should clearly and specifically set out the personal data and/or data categories processed, the relevant processing purposes and the applicable legal grounds.

In light of the Principle Decision, data controllers should review not only their existing privacy notices and explicit consent texts, but also the way in which these texts are presented in practice, including online interfaces, application forms, check-box structures and other data collection flows. The Board has explicitly stated that administrative actions will be initiated pursuant to Article 18 of the Law in case of non-compliance with the principles set out in the Principle Decision. Therefore, it is important for data controllers to take the necessary compliance steps without delay.

The full text of the Principle Decision is available at this link.