DPA Principle Decision: Separation of Privacy Notices and Explicit Consent Texts

The Turkish Data Protection Authority (the “DPA”) has clarified its approach to a commonly encountered issue in practice with its Principle Decision titled “Requirement to Prepare Explicit Consent and Privacy Notice Texts Separately” (the “Principle Decision”), published in the Official Gazette dated 24 March 2026 and numbered 33203.

While emphasizing that the obligation to provide a privacy notice and the process of obtaining explicit consent have distinct legal natures and should therefore be treated separately, the Principle Decision does not introduce a fundamental change; rather, it sets out a framework to address uncertainties in practice.

Key Takeaways from the Principle Decision:

• Privacy notices and explicit consent texts must be prepared as separate documents under distinct headings, and they should be placed in separate sections even if they are presented within the same medium;
• Expressions such as “I have read and accept/approve” should not be included in the privacy notices;
• Explicit consent should be sought only where the relevant data processing activity relies on explicit consent as its legal basis; separate consent should not be obtained where other legal grounds are applicable.

The DPA also notes that privacy notices should not be unnecessarily lengthy or complex. In this context, it considers that a general reference to the rights set out under Article 11 of the Personal Data Protection Law (the “Law”), rather than listing them individually, would be more appropriate. At the same time, the DPA emphasizes that the personal data processed must be clearly and specifically identified in privacy notices, and that generic, category-based descriptions alone are not deemed sufficient.

Finally, the DPA highlights that non-compliance with these obligations may constitute a breach of the data security obligations under Article 12 of the Law.