Principle Decision on the Requirement for Data Controllers to Draft Express Consent and Fair Processing Notices Separately

The principle decision of the Personal Data Protection Board (“the Board”), dated 18 February 2026 and numbered 2026/347, was published in the Official Gazette dated 24 March 2026 and numbered 33203.

The “Principle Decision on the Requirement for Data Controllers to Draft Express Consent and Fair Processing Notices Separately” definitively prohibits intertwined consent mechanisms that are frequently encountered in practice and that carry legal risks. With this principle decision, the necessity of treating the obligation to inform and the concept of express consent as entirely independent from one another has been clearly emphasized.

Pursuant to the Personal Data Protection Law No. 6698 (“the Law”), express consent is defined as “consent that is related to a specific subject, based on information, and expressed with free will.” The obligation to inform, regulated under Article 10 of the Law, is “a unilateral legal obligation requiring the data controller to inform the data subject prior to the data processing activity, which cannot be made conditional upon any requirement or consent.” With this newly issued principle decision, the Board has highlighted the fundamental differences in the legal nature of these two concepts and has ruled that these texts cannot be combined in terms of both content and presentation.

1- Common Mistakes in Practice and the Board’s Findings

The Board explicitly lists the main unlawful practices and common mistakes identified in practice on the basis of complaints submitted to it. It determined that data controllers often adopt a formalistic approach when fulfilling their legal obligations and resort to practices that impair the free will of the data subject.

Accordingly, the Board opined that even if express consent texts and fair processing notices are presented on the same digital platform, webpage, or physical document, they must be provided under separate headings and through completely independent consent mechanisms. The principal errors highlighted include:

  • "Copy-Paste" Text Usage: Data controllers directly using template texts they receive from other institutions without adapting them to their own organizations and their own data processing activities.
  • Complex and Long Texts: Preventing the data subject from being informed clearly and transparently by using long texts that are incomplete, misleading, excessively complex, and overloaded with detail.
  • Incomplete Data Controller Information: Failure to fully include the identity and address information of the data controller or its representative, if any, in the fair processing notices.
  • Use of Combined Approval Expressions: Tying the information process to the express consent condition in an unlawful manner by adding expressions such as "I have read, understood and I give express consent" or "I have read, I approve" to the end of the fair processing notice.
  • Failure to State the Right of Withdrawal: Omitting from the express consent text the information that the person can withdraw the consent they have given at any time, without being subject to any condition.

2- Standards Introduced with Good and Bad Practice Templates

The Board has included "Good Practice Template" and "Bad Practice Template" examples in the annex to its decision to guide data controllers.

Stating that "Intertwining express consent texts with fair processing notices impairs the criteria of relating to a specific subject and being expressed with free will, which are the elements of express consent", the Board has introduced the following standards:

  • The two texts must be completely independent of each other in terms of both content and formal requirements.
  • Clear, understandable, and simple language must be used in the texts, and ambiguous expressions must be avoided.
  • Even if they are to be presented on a single form, page, or screen, they must be visually clearly separated under different headings (positioned one above the other).
  • When the data subject's acknowledgment that the disclosure has been made is obtained, consent cannot be imposed at the same time.
  • For the obligation to inform, only the statement "I have read and understood" should be obtained, whereas express consent must be subject to an independent choice under a separate heading in the form of "I give express consent" / "I do not give express consent".
  • Pre-ticked boxes (opt-in) cannot be presented to the data subject; instead, providing an active and equal choice opportunity in the form of "I accept" and "I do not accept" is a legal requirement.

As a result of these assessments, the Board unanimously resolved that data controllers must fulfill their obligation to inform prior to the commencement of personal data processing and must obtain express consent only in cases where other legal grounds for processing specified in the Law are not available, and as a separate legal act. Furthermore, it has been announced to the public that heavy administrative sanctions under Article 18 of the Law will be imposed on data controllers who fail to comply with these rules by using intertwined texts, continuing copy-paste practices, or imposing fair processing notices conditional upon consent.

Conclusion

The Principle Decision No. 2026/347 should be carefully observed by all data controllers, as it clearly delineates the boundaries between the obligation to inform and express consent mechanisms, eliminates conceptual confusion, and provides concrete guidance through examples of good and bad practices.