Turkish Data Protection Authority Publishes the Guide on Generative Artificial Intelligence and Personal Data Protection (in 15 Questions)
The Turkish Data Protection Authority (“DPA”) published the Guide on Generative Artificial Intelligence and Personal Data Protection (in 15 Questions) (“Guide”) on its official website on 24 November 2025.
The Guide briefly addresses the following matters:
- The Guide aims to assess the potential impacts of Generative Artificial Intelligence (“GAI”) systems in the context of personal data protection and to provide guidance to data controllers.
- GAI is defined as a type of Artificial Intelligence (“AI”) trained on large-scale datasets and capable of generating content in various formats—such as text, images, videos, audio, or software code—in response to user-provided prompts. Unlike traditional AI systems, GAI models possess the capacity to produce entirely new content. Foundation models, which are typically trained on broad and diverse datasets, constitute the basis of such content generation.
- The lifecycle of a GAI model begins with the identification of its purpose and scope, and consists of the collection of the necessary data, training, fine-tuning, evaluation, deployment, and monitoring stages.
- GAI is used in numerous fields, including law (such as contract drafting, legal document analysis, and case-law identification), healthcare, education, customer services, and marketing.
- The primary risks arising from the use of GAI are as follows:
  - Hallucinations and Inconsistent Outputs: Due to the statistical and probabilistic nature of GAI models, outputs that appear plausible yet do not correspond to reality (hallucinations) may be generated. As these outputs may be erroneous or misleading, their accuracy is required to be regularly verified.
  - Bias and Discriminatory Outputs: Biases present in the training data may lead to the reproduction or reinforcement of discriminatory or offensive content in the model outputs. The black-box nature of these models renders decision-making processes difficult to interpret and complicates efforts to mitigate such biases.
  - Data Privacy and Security: In models trained on large-scale datasets (including data collected from the internet), there is a risk that personal data may be reflected in model outputs, potentially resulting in data leaks or privacy breaches.
  - Deepfakes and Manipulative Content: AI-generated or AI-altered synthetic images, audio, and video content carry the potential to harm individuals’ reputations and facilitate the dissemination of misinformation.
- Due to the data-driven functioning of GAI systems, personal data processing activities may arise at every stage of the lifecycle. Even if the model is not specifically designed to process personal data, it may still generate information relating to an identifiable natural person at the output stage. Therefore, the provisions of Law No. 6698 on the Protection of Personal Data (“Law”) become applicable to such activities. As a rule, the provisions of the Law do not apply where anonymized data are used.
- The complex and multilayered structure of GAI systems renders the identification of data controller and data processor roles challenging. The determination of the data controller must be made on a case-by-case basis by assessing who makes the fundamental decisions regarding the purposes and means of processing personal data. It is emphasized that contractual arrangements between the parties are not solely decisive and that the parties’ actual control must prevail.
- Personal data processed within the scope of GAI systems must comply with the general principles set forth under Article 4 of the Law.
- For each personal data processing activity carried out through GAI, it is mandatory to rely on at least one of the limited legal bases set forth under Articles 5 or 6 of the Law. Since different stages—such as the development and operation of GAI—may constitute separate and independent processing activities, an individual legal basis may be required for each of these stages.
  - Explicit Consent: For explicit consent to be valid, the data subject must be clearly informed that AI is being used, for what purpose the data will be processed (development or operation), and about the nature of the output.
  - Publicly Available Personal Data: The fact that personal data have been made public by the data subject does not mean that such data may be freely processed within GAI systems; the limits of the data subject’s intention to make the data public must not be exceeded.
  - Legitimate Interest: To rely on this legal ground, a balancing test must be conducted between the data controller’s interest and the fundamental rights and freedoms of the data subject. Where the data subject’s fundamental rights and freedoms would be harmed (for example, through the generation of a person’s imitation), this legal ground cannot be invoked.
  - Special Categories of Personal Data: The processing of such data is, as a rule, prohibited and is subject to the specific conditions set forth under Article 6 of the Law. Performance of a contract and legitimate interest do not constitute lawful bases for processing special categories of personal data.
- Where GAI systems are used through service providers located abroad, the cross-border transfer of personal data must be carried out in compliance with Article 9 of the Law and the relevant provisions of the Regulation.
- Transparency is ensured through the information obligation set forth under Article 10 of the Law. Systems that directly interact with users (such as chatbots) are required to clearly indicate that they are GAI-based.
- The effective exercise of data subject rights guaranteed under Article 11 of the Law must also be ensured within the scope of GAI systems. In particular, the right of individuals to object to outcomes produced solely through automated systems that result in a decision against them (Art. 11/1(g)) is considered a critical safeguard in these systems.
- Pursuant to Article 12 of the Law, data controllers are obliged to take appropriate technical and administrative measures to prevent the unlawful processing of and unauthorized access to personal data. In this regard, it is recommended that data protection impact assessments be carried out, that privacy-enhancing technologies be employed, and that technical controls be implemented against vulnerabilities specific to GAI (such as prompt injection). The adoption of privacy by design and privacy by default approaches is also suggested as part of preventive measures.
- Individuals are advised, when using GAI applications, to avoid sharing personal data that allow direct identification (such as name–surname or identity information), not to disclose personal data of third parties, and to refrain from sharing sensitive information relating to health, financial matters, or legal processes with such systems.
- With respect to children’s use of GAI applications, it is important for parents to verify the age-appropriateness of the platforms used, to raise children’s awareness of the risks posed by manipulative content created by technologies such as deepfakes, and to ensure that children develop awareness regarding the non-disclosure of personal information.
You can access the full text of the Guide here.
Kind regards,
Zumbul Attorneys-at-Law