Personal data cannot be processed without the explicit consent of the data subject where other legal bases are not applicable (Article 5(1) of the Data Protection Law). Explicit consent should be freely given, specific, and informed (Article 3 of the Data Protection Law).
Explicit consent: means the consent given by the data subject which is based on being clearly informed and given out with free will for a specific action.
Companies would be prudent to both record and retain consents, either in writing or electronically.
Explicit consent shall enable the data subject to determine the limits, scope, manner and time of the data which he consented to be processed. In this sense, explicit consent must include “positive declaration of intention” of the data subject who consents. Generally, it is also possible to take explicit consent through electronic media. The burden of proof here is on the data controller.
Under the definition of explicit consent set out in Article 3 of the Law, explicit consent has 3 following elements:
• Related to a specified issue.
• Based on the information.
• Declared by free will.
General explicit consents which are not restricted to a specified issue and the relevant transaction are accepted as “blanket consents” and are deemed legally invalid. For example; consent statements which do not indicate a specified issue or activity such as “all kinds of commercial transactions, banking transactions, and data processing activities” can be deemed blanket consents.
Giving explicit consent is a strictly binding right for the individual, the data subject can withdraw his explicit consent. Since the data subject has the right to determine the future of his personal data, he can withdraw his consent at any time. However, withdrawal of explicit consent will have forward-looking results, all transactions carried out on the basis of explicit consent must be stopped by the data controller as of the time he learns of the withdrawal.
How to compliantly transfer data abroad from Turkey
Penalties and enforcement decisions for breaches of Data Protection Law in Turkey
The rights of data subjects
The legal bases for compliant data processing
Key points on explicit consent for data protection compliance
KKTC YARGI ÖRGÜTÜNÜN GENEL YAPISI VE MAHKEME DÜZENİ
Data Controller Representation Service
Applications for international data transfers
Registration with Verbis
Data breach crisis management
Creation of information and explicit consent texts
Creation of data security, retention, erasure and privacy policies
Contracts with third party data processors & employees