PERSONAL DATA PROTECTION SEPARATION OF INFORMATIVE STATEMENT AND EXPLICIT CONSENT

The Personal Data Protection Authority (“Authority”) has published a recent principle decision in the Official Gazette on 24 March 2026, introducing important items that clarify  the distinction between Informative Statement (in Turkish, “Aydınlatnma Metni”) and Explicit Consent (in Turkish, “Açık Rıza”) mechanisms governed under Turkish data protection law.

The decision directly addresses widespread compliance deficiencies observed in practice and sets out a stricter approach to the interpretation of obligations under the Law No. 6698 on the Protection of Personal Data (“Code”).

At the core of the decision lies a fundamental principle: the obligation to inform data subjects and the requirement to obtain explicit consent are legally different processes and must not be conflated.

In this respect, the Authority clearly requires that;

• informative statement and explicit consent texts be prepared separately.
• Even where they are presented on the same page, they should be clearly written under seperate headings and the declarations for these two processes should be taken sperately for each. In other words, they should not be combined in a single declaration.
• Data subjects must be able to provide separate statements for each, ensuring that consent, where required, is based on a freely given and informed decision.

The decision places particular emphasis on incorrect wording frequently used in informative statements. Expressions such as “I have read and accepted” or “I have read and approved” are deemed unlawful within the context of an informative statement. The Authority underlines that informing the data subject is a unilateral obligation of the data controller and does not require any form of acceptance or approval. Accordingly, the appropriate phrasing should be limited to statements such as “I have read and understood.”

In addition, the Authority identifies several risk areas that may undermine the validity of the informative statements. These include the use of unclear, overly complex, or non-transparent language; reliance on generic or ambiguous expressions; the practice of copying texts from other organizations without tailoring them to actual data processing activities; unnecessarily lengthy and complicated drafting (the decision gives the example that writing one by one all the rights of the data subject under article 11 of the Code will cause the informative statement to be very long; therefore it should be written as “your rights governed under 11 of the Code”); and the inclusion of misleading or incomplete information.

Such deficiencies may result in the failure to duly fulfill the obligation to inform, even if a document formally titled as an informative statement exists.

The decision further reinforces that explicit consent must meet the established legal criteria of being specific, informed, and freely given. Where the processes of informing and obtaining consent are merged, there is a significant risk that consent will be deemed invalid. This is particularly relevant where the data subject is not clearly able to distinguish between being informed and giving consent.

Failure to comply with these principles may have serious legal consequences. The Authority explicitly highlights the risks of unlawful processing of personal data, invalidation of explicit consent, and the imposition of administrative fines. From a compliance perspective, invalid consent is especially critical, as it may eliminate the legal basis relied upon for processing activities.

In light of this development, data controllers operating in Türkiye are advised to review their current documentation and user interface practices. Informative statement and explicit consent mechanisms should be structurally and functionally separated, drafted in clear and plain language, and aligned with the actual data processing activities carried out by the organization. Moreover, reliance on explicit consent should be carefully assessed, and alternative legal bases should be considered where applicable to avoid over-reliance on consent.

This principle decision reflects the Authority’s continued focus on substantive compliance rather than formalistic approaches and signals increased scrutiny in enforcement practices. It is therefore essential for organizations to revisit their data protection frameworks to ensure alignment with the standards articulated in this decision.

Our Law Firm remains at your disposal for any further clarifications you may need.

Copyright © 2026 Cailliau&Colakel Attorney Partnership, All rights reserved.