In the Personal Data Protection Law No. 6698 ("PDPL"), explicit consent is defined as “the consent that is based on information and given freely for a specific purpose.” This definition refers to the clear and voluntary consent given by an individual after being informed about which personal data will be processed, for what purposes, and in what manner.

Explicit consent is one of the fundamental requirements for lawful data processing. The individual providing consent has the right to be aware of the type of data to be processed, the scope of the processing process, and its purpose. This ensures that the individual has the opportunity to control the data processing process.

1. Elements of Explicit Consent

According to Article 3 of the PDPL, explicit consent consists of three basic elements:

• Being Related to a Specific Issue: Explicit consent can only be given for a clearly defined data processing activity aimed at a particular purpose. Broad and vague consent such as "I consent to the processing of all my personal data" is not considered valid under the PDPL. The purpose of data processing must be clearly stated, and data can only be processed within that scope. If the data processing activities exceed the specified scope, the data controller must obtain new explicit consent.
• Being Based on Information: Before obtaining explicit consent, the data controller must inform the individual. This information should include details such as the identity of the data controller, the types of data to be processed, the purpose of the processing, the details of the process, and the fact that explicit consent can be withdrawn. The information provided must be clear, understandable, and comprehensive. The data controller is responsible for proving that this information was provided.
• Being Given Freely: For explicit consent to be valid, the individual must make the decision freely. Consent given under duress, threat, or any coercion is not valid under the PDPL. Particularly in situations like employer-employee relationships, where there is an unequal power balance, it is crucial to prove that the consent was freely given by the employee.

2. How is Explicit Consent Obtained?

Under the PDPL, explicit consent can be obtained either in writing or orally. It can also be obtained through technological means, such as by ticking a consent box on a website. However, regardless of the method used, the data controller is responsible for proving that the explicit consent was obtained in accordance with the legal requirements.

The process of obtaining explicit consent must demonstrate that the individual was informed and made a decision freely. Written forms, digital platforms, or consent obtained after a phone call are considered valid methods of obtaining explicit consent.

3. Can Explicit Consent Be Withdrawn?

Yes, individuals have the right to withdraw their explicit consent at any time. Since explicit consent is a personal right, the individual can revoke their consent whenever they wish. Upon learning that explicit consent has been withdrawn, the data controller is obligated to cease the related data processing activities. This ensures that individuals retain control over their personal data.

4. Can Explicit Consent Be a Condition for Providing a Service?

According to the PDPL, the provision of a service cannot be conditioned on explicit consent. For example, if a bank requests permission to process data for marketing purposes from a customer applying for a loan, this would be contrary to KVKK. If the provision of a service is made conditional on giving explicit consent, it cannot be said that the individual has made a decision with free will.

If the processing of personal data is genuinely necessary for the provision of the service, it may be processed based on other legal grounds without requiring explicit consent (e.g., performance of a contract or legal obligation). However, if the processing of personal data is not essential for the provision of the service, explicit consent is required, and conditioning access to the service on such consent would be unlawful.

5. Situations Where Explicit Consent is Not Required

The PDPL allows data processing without explicit consent under certain conditions. These situations include:

• When Explicitly Stipulated by Laws: When laws explicitly require it, personal data can be processed without the individual's consent.
• Physical Impossibility: When it is necessary to protect the life or bodily integrity of an individual who cannot express consent due to physical impossibility.
• Performance of a Contract: When the processing of data is required for the performance of a contract.
• Legal Obligations: When processing data is necessary for the fulfillment of the legal obligations of the data controller.
• Publicly Disclosed Data: Data made public by the data subject themselves can be processed.
• Legal Claims: When data processing is necessary for the establishment, exercise, or defense of legal claims.
• Legitimate Interests: When data processing is necessary for the legitimate interests of the data controller, provided that it does not harm the fundamental rights and freedoms of the individual.

In these cases, explicit consent is not required. However, data controllers may still request explicit consent in some situations, which could create a false impression for the individual. For instance, if explicit consent is obtained for data processing based on a legal basis, the individual might mistakenly believe that the data processing will stop if they withdraw their consent. However, data processing activities that are based on a legal basis will continue even if explicit consent is withdrawn.

6. Conclusion

The PDPL is an important regulation that safeguards individuals' rights regarding the protection and processing of personal data. Explicit consent is one of the cornerstones of this regulation and is essential for ensuring individuals' control over their personal data. However, explicit consent should only be obtained when necessary and should not be misused.

Recent legal developments indicate that monitoring and enforcement of data security and explicit consent processes are becoming stricter. The Personal Data Protection Authority imposes serious sanctions when irregularities are found in the explicit consent processes. Therefore, data controllers must ensure that the process of obtaining explicit consent is carried out in compliance with the PDPL, adopting a transparent and ethical approach while respecting individuals' rights.

Moreover, with the rapid advancement of digitalization, new technologies and protocols should be developed to ensure the security of explicit consent processes in electronic environments. Data subjects should also be aware of their rights and carefully evaluate the explicit consent processes.