Data Privacy & Compliance

2026 KVKK Update: Mandatory Separation of Explicit Consent and Privacy Notices in Türkiye

Decision No. 2026/347 changes how companies should design consent journeys, privacy notices, and onboarding flows in Türkiye.

Summary

On Tuesday, March 24, 2026, the Turkish Personal Data Protection Board published Principle Decision No. 2026/347 in the Official Gazette. The decision directly targets one of the most common compliance problems in practice: presenting the clarification text and the explicit consent request as if they were the same legal instrument.

For foreign-origin companies investing in Türkiye, opening a branch, appointing a local team, or selling to Turkish residents through digital channels, this matters immediately. Website forms, checkout pages, HR onboarding flows, mobile app permissions, and CRM collection points should now be reviewed carefully.

Official Publication: The decision was published in the Official Gazette and should be reviewed together with your actual processing flows, notices, and interface language.

Why the Board Issued This Decision

The Board identified intertwined consent-and-notice drafting as a recurring issue in complaints and compliance reviews. In practice, many companies have been asking users to approve a privacy notice, treating disclosure language as if it were a consent mechanism, or combining the two in one text with one button.

The new decision makes the Board’s position clearer: clarification and explicit consent serve different legal functions and should not be merged into one legal statement.

Clarification Text vs. Explicit Consent

Concept | Legal Function | Practical Takeaway
Clarification Text (Aydınlatma Metni) | An Article 10 information obligation explaining who processes the data, for what purposes, on what legal basis, and with whom it may be shared. | It is not a contract and should not be framed as “I accept.” A user acknowledgement such as “I have read and understood” is the safer approach.
Explicit Consent (Açık Rıza) | A legal basis used only where consent is actually required under Articles 5 and 6. | It must be specific, informed, and freely given. The controller bears the burden of proving valid consent.

Common Mistakes the Board Wants Companies to Stop

High-risk design pattern: a single checkbox or “I read and accept” statement that tries to cover both notice and consent at the same time.
  • Merging texts: using one combined text for notice and consent instead of separating them.
  • Copy-paste policies: using another company’s notice or consent wording without adapting it to your own processing activities.
  • Unnecessary consent collection: asking for consent where another legal ground already applies.
  • Vague wording: using broad, confusing, or misleading language about processing purposes, transfers, or categories of data.
  • Poor interface logic: forcing the user to “accept” the notice as if the notice itself were a contractual opt-in.

Action Steps for 2026 Compliance

  1. Separate the headings and the user actions. Even if the notice and consent request appear on the same page, they should be visually and legally distinct.
  2. Map your legal basis first. Before redesigning any form, confirm whether the processing really depends on explicit consent or on another lawful ground.
  3. Review every web and app collection point. Marketing sign-ups, checkout journeys, job application forms, employee onboarding, cookie layers, and vendor portals should be tested individually.
  4. Rewrite for your actual operations. The Board clearly disfavors generic copy-paste texts. Tailor your notices to the categories of data, purposes, recipients, and transfer flows that actually exist.
  5. Preserve evidence. If explicit consent is required, keep auditable records showing what the user saw, what they selected, and when.

What This Means for Foreign Companies

If your organization operates e-commerce channels, local hiring, Turkish-language marketing campaigns, or Turkish customer support, this decision is not only a “policy wording” issue. It affects UX, CRM logic, HR forms, cookie practices, and contract alignment.

In many cases, businesses should review the interaction between their privacy notice, cross-border transfer wording, processor arrangements, and service-provider contracts. That is especially true for teams working with vendors, SaaS tools, or regional shared-service models.

Depending on your structure, you may also need to review whether a Data Controller Representative in Türkiye becomes relevant and whether your contracts and workflow documents match the notice language used in public-facing forms.

How Turkish Trade Lawyers Can Help

We advise foreign-origin companies entering or operating in Türkiye on practical compliance design, not just abstract policy drafting. That can include reviewing notice-and-consent flows, updating privacy texts, aligning data-processing clauses, checking cross-border data issues, and helping internal teams separate mandatory information obligations from optional or consent-based workflows.

If needed, we can also review whether your processing architecture, vendor relationships, and local-facing forms align with Turkish law and your broader regional compliance model.

Turkish Trade Lawyers

We advise foreign companies on market entry, compliance, data protection, contracts, and disputes in Türkiye, with a practical focus on operational legal risk.

Need Your KVKK Notice and Consent Flow Reviewed?

We can audit your forms, policies, and collection points against the new 2026 decision and help your team redesign them in a workable way.

Frequently Asked Questions

Can both texts appear on the same page?

Yes. But they should be placed under separate headings, with separate user declarations, so the disclosure function and the consent function remain distinct.

What if our company relies on a legal basis other than consent?

Then the company should usually fulfill the clarification obligation without requesting explicit consent unnecessarily. Consent should not be used as a default substitute for legal analysis.

Can we copy a privacy notice from another company?

No. The Board has signaled that copy-paste texts are a bad practice. Your wording should reflect your own actual data flows, purposes, transfer logic, and business model.

What is the enforcement risk?

The decision indicates that non-compliance may be treated as a failure to implement necessary administrative and technical measures and may trigger sanctions under the law.
