Except exemptions stated under the Law No. 6698 on the Protection of Personal Data (“Law”), the processing or transfer of personal data can only be legally made by obtaining an explicit consent from the data subject. Explicit consent is the first and most important stage of a personal data processing activity, which is still not commonly used in practice and therefore, is frequently referred under various decisions of the Personal Data Protection Board (“Board“). In this blog, we will explain how explicit consent should be obtained by considering the Board’s approach in this respect.
Explicit consent is defined as freely given, specific and informed consent under the Law [1]. In other words, explicit consent means giving approval by data subject to the processing or transfer of data at its own request of data subject or on request from the other party. Although obtaining explicit consent is not subject to any formal requirements under the Law, the burden of proof for whether such consent has been taken is on the data controller. Therefore, it is recommended to obtain explicit consent in writing so that the data controller will have a concrete evidence.
As can be seen from its definition, there are 3 main elements of an explicit consent:
A. Have a Specific Subject
In order for an explicit consent obtained during the processing or transfer of personal data to be valid, the scope of explicit consent is required to be limited to a specific subject matter and activity. Consents of a general nature are named as “blanket consents” and are considered void.
For instance, an explicit consent given only in the form of “I accept to the processing/transfer of my personal data” for multiple operations has no legal validity. It is required to be clearly determined by the data controller which specific personal data will be processed/transferred for which specific operations. In one of its earlier published decisions [2], the Board found invalid the consent obtained due to blanket consent to data processing in the privacy notice published on the website of service provider as data controller and decided to impose an administrative fine of TRY 100.000 for the data controller.
B. Must be Informed
Since explicit consent is a declaration of intention, in accordance with the obligation to inform set out in the Article 10 in the Law, the data subject who gives consent must be informed about the explicit consent. Informing is required to be performed clearly and accurately before any personal data is being processed. The validity of the explicit consent will not be possible when obtained after the processed/ transferred personal data. Additionally, the informing to be performed should be about the subject matter of the processing as well as the consequences of explicit consent.
C. Must be Based on a Free Will
Explicit consent must be based on a free will of the data subject. An explicit consent obtained in a circumstance that would invalidate data subject’s free will such as force, threat, fault and deception shall be considered as void. Indeed, the Board stated in its decision [3], that explicit consent cannot be instrumentalized as a precondition for the provision of a product or a service or for the use of a product or a service.
Moreover, explicit consent given by a third party on behalf of the data subject will not be deemed legally valid. However, explicit consent for children under the age of 18, can be given by their parents or legal guardians.
Explicit consent may be withdrawn at any time by the data subject. The declaration of withdrawal of explicit consent is not subject to any formal requirements and thus, it can be done verbally or in writing.
The withdrawal has a forward-looking consequence and the withdrawal declaration will become effective at the moment when it reaches the data controller. There is also no formal requirement for the request to withdrawal of explicit consent to reach the data controller. Accordingly, as soon as the request to withdraw the explicit consent reaches the data controller, all data processing activities carried out within the scope of the explicit consent must be suspended.
[1] 07.04.2016 tarihli ve 6698 sayılı Kişisel Verilerin Korunması Kanunu, madde 3/1-a
[2] Kişisel Verileri Koruma Kurulu’nun 27.02.2020 tarih ve 2020/173 sayılı kararı
[3] Kişisel Verileri Koruma Kurulu’nun 08.07.2019 tarih ve 2019/206 sayılı kararı