Explicit Consent Under KVKK: When Is It Required and When Is It Not?

Introduction

Explicit consent is one of the most discussed concepts under Turkish Personal Data Protection Law. Many companies operating in Turkey assume that every personal data processing activity requires consent. Others treat consent as a simple checkbox, a standard clause in a contract, or a general approval hidden inside terms and conditions. Both approaches may create serious compliance risks.

Under Law No. 6698 on the Protection of Personal Data, commonly known as KVKK, explicit consent is an important legal basis for processing personal data. However, it is not the only legal basis. In many cases, personal data may be processed without explicit consent if one of the legal grounds listed in the law applies. Conversely, where consent is truly required, it must be specific, informed, freely given, and based on a positive declaration of will.

This distinction is crucial for businesses, employers, e-commerce companies, healthcare providers, mobile application operators, digital platforms, financial institutions, advertising agencies, HR departments, and foreign companies processing data relating to individuals in Turkey. A company that requests unnecessary consent may weaken its legal position. A company that fails to obtain valid consent where consent is required may face complaints, administrative fines, regulatory investigation, and reputational damage.

This article explains when explicit consent is required under KVKK, when it is not required, how valid consent should be obtained, and which common mistakes businesses should avoid.

What Is Explicit Consent Under KVKK?

KVKK defines explicit consent as consent relating to a specific matter, based on information, and declared with free will. The Turkish Personal Data Protection Authority explains that explicit consent allows the data subject to determine the limits, scope, method, and duration of the personal data processing activity. It must include a positive declaration of will, and the burden of proving valid consent belongs to the data controller.

This definition shows that explicit consent is not a vague or general permission. It must be connected to a clearly identified processing activity. A statement such as “I consent to the processing of my personal data for all purposes” is not a strong consent mechanism. The Authority expressly warns against general “blanket consent” declarations that are not limited to a specific processing activity.

In practice, valid explicit consent should answer several questions. What personal data will be processed? Who will process it? For what purpose will it be processed? Will it be transferred to third parties? Is the data subject free to refuse? Can the data subject withdraw consent later? What happens if consent is not given?

A proper consent mechanism should be clear, separate, understandable, and documented. It should not be buried inside lengthy contracts, membership terms, employment documents, or privacy policies.

The Three Main Conditions of Valid Explicit Consent

The Turkish Personal Data Protection Authority identifies three main elements of explicit consent: it must relate to a specific subject, it must be based on information, and it must be declared with free will.

1. Consent Must Relate to a Specific Subject

Consent must be limited to a specific processing purpose. The data controller should not request broad consent for undefined future activities. For example, a company should not ask for consent to process data for “all commercial, legal, operational, and other purposes.” Such language is too broad and may be treated as invalid.

Instead, consent should be purpose-specific. If a company wants to send marketing messages, process biometric data for workplace access, transfer customer data abroad for a specific service, or use non-essential cookies for behavioral advertising, each activity should be explained separately.

2. Consent Must Be Informed

The data subject must understand what they are consenting to. This requires a meaningful explanation before consent is obtained. The obligation to inform and the consent process are related but separate. The Communiqué on the Obligation to Inform states that the obligation to inform must be fulfilled in any case, whether processing is based on explicit consent or another legal ground, and where processing is based on consent, the procedures for informing and obtaining consent must be performed separately.

This means that a privacy notice is not the same thing as explicit consent. A company cannot say, “By reading this privacy notice, you consent.” The privacy notice informs the data subject. The consent declaration, where needed, must be obtained through a separate affirmative action.

3. Consent Must Be Freely Given

Consent must be based on free will. If the data subject has no real choice, the consent may be invalid. For example, if a service is made conditional on consent to unnecessary data processing, the consent may be challenged. If an employee is pressured to consent due to the employer’s authority, the consent may not be considered freely given.

This is especially important in employment relationships. Because there is a power imbalance between employer and employee, employers should be cautious when relying on consent. If processing is required by law, employment contract, social security obligations, occupational health and safety rules, or legal defense needs, the employer should rely on the appropriate statutory ground rather than consent.

Explicit Consent Is Not Always Required

One of the most important rules under KVKK is that explicit consent is not always necessary. Article 5 provides that personal data shall not be processed without explicit consent. However, Article 5 also lists several situations where personal data may be processed without seeking explicit consent. These include where processing is expressly provided by law, necessary for the protection of life or physical integrity, directly related to the establishment or performance of a contract, necessary for compliance with a legal obligation, relates to data made public by the data subject, necessary for the establishment, exercise, or protection of a right, or necessary for legitimate interests of the controller provided that fundamental rights and freedoms of the data subject are not violated.

Therefore, the correct legal question is not “Have we obtained consent?” The correct question is: What is the appropriate legal basis for this processing activity?

If a company processes personal data to deliver a purchased product, the legal basis may be contract performance. If an employer processes payroll data, the legal basis may be legal obligation. If a business stores invoices, the legal basis may be statutory retention obligations. If a law firm processes documents for litigation, the legal basis may be establishment, exercise, or protection of a right.

Using consent where another legal basis applies may create confusion. If the data subject withdraws consent, the company may mistakenly believe that it must stop processing even though processing is legally required. For this reason, consent should be used carefully and only where it is truly necessary.

When Explicit Consent Is Usually Required

Explicit consent is generally required where no other legal basis under KVKK applies. It is also important for certain sensitive processing activities, some marketing activities, certain cookie practices, specific special category data processing activities, and limited exceptional international transfers.

Marketing and Promotional Communications

Marketing activities often require careful consent analysis. If a company wants to send promotional emails, SMS messages, calls, or personalized advertising based on customer behavior, consent may be required depending on the activity and other applicable Turkish electronic communication rules. KVKK consent should not be confused with commercial electronic message consent under separate legislation, but in practice both regimes may need to be considered together.

For example, collecting a customer’s email address to send an invoice or confirm an order may not require explicit consent if it is necessary for contract performance. However, using the same email address to send promotional campaigns may require a separate marketing consent mechanism.

Non-Essential Cookies and Tracking Technologies

Cookies used strictly for website functionality may not always require explicit consent under KVKK if they are necessary for the service. However, analytics cookies, advertising cookies, behavioral profiling tools, retargeting pixels, and third-party tracking technologies may require explicit consent, especially where they are not essential for the requested service.

A compliant cookie consent structure should allow users to accept or reject non-essential cookies separately. It should avoid pre-ticked boxes, forced consent, or vague statements such as “By using this website, you accept all cookies.”

Processing Without Another Legal Basis

Explicit consent is required where the company cannot rely on any Article 5/2 legal basis. For example, if a company wants to use customer data for a new unrelated purpose that is not necessary for contract performance, not required by law, not based on legitimate interest, and not connected to legal claims, explicit consent may be necessary.

When Explicit Consent Is Not Required

Explicit consent is not required where one of the statutory processing conditions applies. This is one of the most important compliance points under KVKK.

Processing Required by Law

If processing is expressly provided by law, the company does not need consent. For example, employers may process certain employee data due to labor law, social security law, tax law, and occupational health and safety obligations. Businesses may process invoice and accounting records under tax and commercial legislation.

Processing Necessary for Contract Performance

Where processing is directly related to the establishment or performance of a contract, consent is not required. For example, an e-commerce company may process the customer’s name, address, phone number, and order details to deliver goods. A hotel may process reservation information to provide accommodation. A service provider may process contact information to perform the service agreement.

However, this ground should not be interpreted too broadly. Data processing must be directly related to the contract. Using contract data for unrelated advertising, profiling, or third-party marketing may require a separate legal basis.

Processing Necessary for Legal Obligations

A data controller may process personal data where necessary to comply with its legal obligations. This may include tax records, employment records, regulatory reporting, consumer complaint records, accounting documents, workplace safety documentation, and legally required notifications.

Processing Necessary for Establishment or Protection of Rights

Personal data may be processed without consent where necessary for the establishment, exercise, or protection of a right. This is particularly important for litigation, enforcement proceedings, internal investigations, contract disputes, insurance claims, employment disputes, debt collection, and legal defense.

For example, a company may process emails, contracts, invoices, delivery records, camera footage, or correspondence where necessary to prove a legal claim or defend against a claim.

Legitimate Interest

Legitimate interest may be used where processing is necessary for the legitimate interests of the data controller, provided that the fundamental rights and freedoms of the data subject are not violated.

This basis requires a balancing test. The controller should assess the business interest, necessity of processing, impact on the individual, reasonable expectations of the data subject, proportionality, and safeguards. Legitimate interest should not be used as a shortcut for every business purpose.

Explicit Consent and Special Categories of Personal Data

Special categories of personal data receive stronger protection under KVKK. These include data relating to race, ethnic origin, political opinion, philosophical belief, religion, sect or other belief, appearance, membership of associations, foundations or trade unions, health, sexual life, criminal convictions and security measures, biometric data, and genetic data.

Following the 2024 amendment, Article 6 states that processing special categories of personal data is prohibited unless one of the listed conditions exists. These conditions include explicit consent, express legal provision, necessity for the protection of life or physical integrity, data made public by the data subject in line with the intention of disclosure, necessity for establishment or protection of a right, certain public health and healthcare-related purposes by persons under confidentiality obligations or competent institutions, and necessity for legal obligations in employment, occupational health and safety, social security, social services, and social assistance. Adequate measures determined by the Board must also be implemented.

This means that explicit consent is not the only legal basis for processing special categories of data. For example, an employer may process certain health data where necessary for occupational health and safety obligations, provided that legal requirements and adequate measures are satisfied. A healthcare provider may process health data for diagnosis, treatment, and healthcare services under the relevant legal framework. A company may process sensitive data where necessary for the establishment or protection of legal rights.

However, if no statutory condition applies, explicit consent may be required. Because special category data is high-risk, consent forms must be especially clear and specific.

Explicit Consent in Employment Relationships

Employment is one of the most sensitive areas for explicit consent under KVKK. Employers often include broad consent clauses in employment contracts, onboarding forms, employee handbooks, camera notices, payroll documents, and disciplinary procedures. This approach may be problematic.

Due to the employer’s authority and the employee’s dependence on employment, employee consent may not always be considered freely given. Therefore, employers should first identify whether the processing is based on law, employment contract, legal obligation, occupational health and safety duties, social security duties, legitimate interest, or protection of rights.

For example, processing employee identity data for payroll, social security registration, tax reporting, and workplace records generally does not require consent. Processing employee bank account information for salary payment may be based on employment contract performance. Processing disciplinary records may be necessary for employment management and protection of rights. Processing workplace accident records may be required by law.

However, explicit consent may be required for activities that are not necessary for employment or legal obligations, such as publishing employee photographs for promotional purposes, using biometric access systems where no statutory basis or proportional necessity exists, or sharing employee data with third parties for non-essential benefits.

Explicit Consent and Cross-Border Data Transfers

Cross-border data transfers have changed significantly under the 2024 amendment to KVKK Article 9. Under the amended system, personal data may be transferred abroad if one of the processing conditions under Articles 5 or 6 exists and there is an adequacy decision for the recipient country, sector, or international organization. If no adequacy decision exists, transfers may be possible through appropriate safeguards such as standard contracts, binding corporate rules, or written commitments approved by the Board.

Explicit consent still exists as an exceptional transfer ground, but its role is narrower than many businesses assume. In the absence of an adequacy decision and where appropriate safeguards cannot be ensured, personal data may be transferred abroad only under limited circumstances, provided that the transfer is incidental. One of those circumstances is explicit consent to the transfer after the data subject has been informed of potential risks.

This means that explicit consent should not be used as a routine solution for systematic international transfers. A company using a foreign cloud provider, global CRM system, international HR platform, analytics provider, or parent company database should first assess adequacy decisions and appropriate safeguards. Consent may be unsuitable for regular and continuous data flows.

Explicit Consent and Domestic Transfers

Domestic transfer of personal data is governed by Article 8. Personal data cannot be transferred without explicit consent unless one of the processing conditions under Article 5/2 applies. For special categories of personal data, transfer without explicit consent may be possible if one of the Article 6/3 conditions exists and sufficient measures are taken.

For example, a company may transfer employee payroll data to an accountant where necessary for legal obligations. An e-commerce company may transfer customer delivery information to a cargo company for contract performance. A company may transfer case-related documents to its lawyer for protection of rights. In such cases, explicit consent may not be required, provided that the transfer is necessary, proportionate, and properly disclosed.

However, if a company transfers customer data to a third-party marketing partner for independent promotional purposes, explicit consent may be required unless another valid legal basis exists.

Withdrawal of Explicit Consent

Explicit consent is a personal right closely connected to the data subject. The Turkish Personal Data Protection Authority states that explicit consent may be withdrawn at any time. Withdrawal has prospective effect, and processing activities based on consent must stop once the withdrawal statement reaches the data controller.

This rule has important practical consequences. A company relying on consent must have a system to record consent, receive withdrawal requests, verify the identity of the requester where necessary, stop consent-based processing, and update relevant systems.

For example, if a customer withdraws marketing consent, the company must stop sending marketing messages. If a user withdraws consent for non-essential cookies, the website should stop using those cookies for that user. If an employee withdraws consent for use of their photograph in promotional materials, the employer should remove or stop using the relevant content where reasonably possible.

However, withdrawal of consent does not automatically affect processing based on other legal grounds. If the company must retain invoice records due to legal obligations, the data subject cannot force deletion merely by withdrawing consent if the processing is not based on consent.

Consent Records and Burden of Proof

The burden of proving valid explicit consent belongs to the data controller. This means that businesses must keep reliable records showing when, how, and for what purpose consent was obtained.

For online platforms, consent logs should include the date, time, IP address where appropriate, user ID, consent text version, consent category, and withdrawal status. For physical forms, signed documents should be retained securely. For call centers, voice recordings or call logs may be relevant if consent is obtained orally. For mobile applications, consent screens and version histories should be archived.

Consent evidence is especially important in regulatory investigations and data subject complaints. A company that cannot prove valid consent may be treated as if consent was never obtained.

Common Mistakes in Explicit Consent Practices

One common mistake is combining the privacy notice and consent text. The obligation to inform and explicit consent must be handled separately where processing is based on consent.

A second mistake is using blanket consent. General statements covering all future processing activities are legally weak and may be invalid.

A third mistake is making unnecessary consent mandatory. If the service can be provided without the consent-based processing, the user should not be forced to consent.

A fourth mistake is relying on employee consent for all HR processing. Employers should identify statutory and contractual legal bases before relying on consent.

A fifth mistake is using pre-ticked boxes or passive consent. Explicit consent should reflect an affirmative declaration of will.

A sixth mistake is failing to provide an easy withdrawal mechanism. If consent can be given easily but cannot be withdrawn easily, the consent system may be criticized.

A seventh mistake is not keeping consent records. Without evidence, the controller may not be able to prove compliance.

A final mistake is relying on explicit consent for systematic cross-border transfers after the 2024 amendments. Regular international data flows should be assessed under adequacy decisions or appropriate safeguards before considering exceptional consent.

Practical Checklist for Valid Explicit Consent Under KVKK

A business preparing explicit consent forms under KVKK should follow a structured approach.

First, identify the exact processing activity. Consent should not be requested for undefined purposes.

Second, check whether another legal basis applies. If processing is expressly provided by law or is necessary for contract performance, compliance with a legal obligation, protection of rights, or a legitimate interest, consent may not be necessary.

Third, prepare a separate privacy notice. The data subject must be informed before consent is obtained.

Fourth, prepare a separate consent text. It should be clear, specific, understandable, and limited to the relevant processing purpose.

Fifth, avoid bundled consent. Different processing purposes should be separated where appropriate.

Sixth, avoid pre-ticked boxes. Consent should be based on an affirmative action.

Seventh, do not make unnecessary consent a condition of service.

Eighth, keep records proving consent.

Ninth, create a withdrawal mechanism.

Tenth, update systems when consent is withdrawn.

Eleventh, review special category data separately.

Twelfth, review cross-border transfers under the amended Article 9 regime.

Administrative Fines and Legal Consequences

Improper consent practices may lead to several legal risks. If a company processes personal data without a valid legal basis, fails to inform data subjects properly, ignores withdrawal, or transfers data unlawfully, it may face complaints before the Turkish Personal Data Protection Board. Article 18 of KVKK sets administrative fines for failures such as breach of the obligation to inform, breach of data security obligations, failure to comply with Board decisions, breach of Registry obligations, and failure to notify standard contracts under Article 9/5. Administrative fines are subject to annual adjustment under Turkish law.

In addition to administrative penalties, unlawful processing may cause civil liability, contractual disputes, reputational harm, and criminal law exposure in certain circumstances. Therefore, explicit consent should be managed as part of a broader KVKK compliance program, not as a standalone formality.

Conclusion

Explicit consent under KVKK is important, but it is often misunderstood. It is not required for every personal data processing activity. Turkish Personal Data Protection Law provides several legal bases that may allow processing without consent, including legal obligation, contract performance, protection of rights, legitimate interest, and processing expressly provided by law. Businesses should therefore avoid treating consent as the default solution.

At the same time, where explicit consent is required, it must be valid. It must relate to a specific subject, be based on clear information, and be freely given. It must not be hidden in general terms, bundled with unrelated permissions, obtained through pressure, or drafted as a broad blanket approval. The data controller must also be able to prove that valid consent was obtained and must stop consent-based processing when consent is withdrawn.

For businesses operating in Turkey, the best approach is to conduct a detailed data mapping exercise, identify the correct legal basis for each processing activity, separate privacy notices from consent texts, use consent only where necessary, maintain consent records, and establish a reliable withdrawal mechanism.

A well-designed explicit consent framework protects not only the data subject’s rights but also the company’s legal position. It reduces regulatory risk, strengthens transparency, improves customer trust, and supports sustainable KVKK compliance in Turkey.
