New Principle Decision on the Separation of Information Notices and Explicit Consent Texts in the Processing of Personal Data

25 Mar 2026 Announcements, Publications

In the Principle Decision No. 2026/347 published in the Official Gazette dated March 24, 2026, it was determined that one of the most common unlawful practices in the processing of personal data is the intertwining of information notices and explicit consent texts provided by data controllers. Accordingly, it was ruled that these documents must be prepared separately and data controllers are required to fulfill these obligations through distinct texts.

Pursuant to Article 20 of the Constitution and Articles 5, 6, and 10 of Law No. 6698, The Obligation to Inform is an informational activity that must be fulfilled in all circumstances, regardless of the data subject’s request or consent, whereas Explicit Consent is a declaration of approval based on informed and freely given will regarding a specific matter.

In this context, even if data controllers present information notices and explicit consent texts on the same page, they must be structured under separate headings. Instead of including statements such as “I have read and accept” at the end of information notices, which imply consent, only statements confirming that the information has been received, such as “I have read and understood” should be included. Furthermore, practices such as copying texts belonging to other data controllers, unnecessarily extending texts with technical and legal terminology, including ambiguous expressions, and reproducing the exact wording of Article 11 of the Law instead of summarizing the rights of the data subject should be avoided. Instead, each data controller should adopt a clear and plain language tailored to its own organizational structure. It was also determined that practices where the data controller’s title, MERSIS number, and contact details are not clearly stated, or where the obligation to inform is made conditional upon obtaining consent are unlawful. (Additionally, the decision includes examples of good and bad practices).

In conclusion, compliance with these procedures and principles is considered a mandatory administrative measure to ensure data security under Article 12 of the Law. In case of non-compliance, administrative action will be taken against data controllers pursuant to Article 18 of the Law, as announced to the public.

You may access the decision via the following link:

(https://www.resmigazete.gov.tr/eskiler/2026/03/20260324-3.pdf )

Search

+