
Compliance Guide: Obligation to Inform and Explicit Consent Practices in Line with the New Board Resolution

The Data Protection Board’s Decision No. 2026/347, published in the Official Gazette, aims to rectify incorrect practices in the areas of privacy notices and explicit consent. The decision emphasises that these two processes serve different legal functions and must therefore be prepared separately. It is also stated that the texts must be clear, accurate and comprehensible, tailored to the specific circumstances of the case, and that explicit consent should not be sought unnecessarily. Failure to comply with these principles may result in serious sanctions.

08.04.2026

In practice, presenting explicit consent texts together with the privacy notices given under the obligation to inform, in a mixed manner, is among the most frequently identified unlawful practices in complaints and reports submitted to the Turkish Personal Data Protection Authority (“Authority”). Accordingly, the Turkish Personal Data Protection Board (“Board”) published Board Resolution No. 2026/347 in the Official Gazette dated 24 March 2026. In this resolution, the Board emphasized that these two mechanisms serve different functions and must therefore be prepared separately.

Points to Consider When Fulfilling the Obligation to Inform:

1.  Notice Must Be Provided in Advance: As a rule, notices prepared to fulfil the obligation to inform must be provided prior to any data processing activity.

2.  Notice Must Be Separate: The notice must be completely separate from the explicit consent text. These two texts must not be combined into a single document. Even if presented on the same page, they must be clearly separated under different headings.

3.  Notice Must Not Be Based on Consent: A notice is not a contract. For evidentiary purposes, confirmation may be obtained from the data subject that they have read and been informed. However, mechanisms implying consent such as “I have read, approve, and accept” must not be used.

4.  Use Clear and Plain Language: The privacy notice prepared to fulfil the obligation to inform must be simple, clear, and understandable. Overly detailed, complex, or ambiguous expressions should be avoided. For instance, instead of stating “your personal data is processed in compliance with legislation,” it should clearly specify which data is processed and for what purpose.

5.  Provide Accurate Information: The notice must not include information that is untrue or misleading (e.g., stating that no cross-border data transfer occurs when it actually does).

6.  Avoid Copy-Paste Practices: Notices must be prepared specifically for each case and not reused generically.

7.  State Information Clearly: The purposes and legal grounds of data processing, as well as the categories of personal data processed, must be clearly and explicitly stated.

Points to Consider When Preparing an Explicit Consent Text:

1.  Explicit Consent Must Be Separate: Explicit consent texts must be separate from privacy notices and must not be combined within the same document.

2.  Assess Legal Grounds: It must be evaluated whether data processing can rely on legal grounds other than explicit consent. For example, if data processing is explicitly required by law, obtaining explicit consent is not necessary.

3.  Do Not Rely on Consent If Another Legal Basis Exists: If another legal basis applies, explicit consent should not be requested. In such cases, providing proper clarification is sufficient.

4.  Use Clear and Plain Language: Explicit consent texts must also be clear and understandable.

5.  Provide Accurate Information: Data subjects must not be provided with incomplete, misleading, or incorrect information.

6.  Avoid Copy-Paste Practices: Explicit consent processes must also be tailored to each specific case.

Sanctions

Compliance with the Board resolution is of critical importance for data controllers. Pursuant to Article 18 of the Personal Data Protection Law No. 6698 (“Law”), several administrative sanctions are stipulated:

  • Failure to fulfil the obligation to inform may result in administrative fines ranging from TRY 85,437 to TRY 1,709,200.
  • The matters set out in the Board resolution are considered technical and administrative measures under Article 12 of the Law. Non-compliance may result in administrative fines ranging from TRY 256,357 to TRY 17,092,242.
  • Failure to comply with Board decisions may result in administrative fines ranging from TRY 427,263 to TRY 17,092,242.
  • Where such violations occur within public institutions or professional organizations with public status, disciplinary action may be taken against the responsible individuals upon notification by the Board.

General Recommendations:

1.  Review Processes: Existing texts should be reviewed and, if necessary, revised in line with the Board resolution.

2.  Ensure Transparency: Data controllers must act transparently at every stage of data processing and ensure that data subjects can easily exercise their rights.

3.  Prioritize User Experience: Texts should be designed in a way that enables data subjects to easily understand and follow processes, whether in physical or digital environments.

4.  Take Precautions Against Violations and Sanctions: Non-compliance may lead to serious sanctions. Therefore, it must be ensured that all texts fully comply with legal requirements.

Conclusion

Board Resolution No. 2026/347 serves as a significant step in eliminating long-standing incorrect practices in personal data protection law and provides a clear roadmap for data controllers. It reaffirms existing legal requirements and presents examples of good and bad practices. In line with this resolution, companies must review their current texts, separate the obligation to inform and explicit consent processes, and redesign how these are presented to data subjects.

You can access the resolution, which is only in Turkish, here.