Objective and Underlying Conceptual Framework of the Guideline
The Turkish Personal Data Protection Authority (“Authority”), in its announcement dated 24 November 2025, published the “Guideline on Generative Artificial Intelligence and the Protection of Personal Data (in 15 Questions)” (“Guideline”). In the Guideline, the Authority addresses the principles and obligations arising under Law No. 6698 on the Protection of Personal Data (“KVKK”) in connection with personal data processing activities that occur during the development and use of generative artificial intelligence (“GenAI”) systems across various sectors. These matters are examined within the framework of a lifecycle approach to the design and deployment of such systems.
The conceptual framework of the Guideline is primarily grounded in the “Glossary of Terms on the Protection of Personal Data” previously issued by the Authority. For terms not defined therein, the Guideline draws upon the terminology and interpretative guidance developed under European Union legislation, as well as by the European Data Protection Board (“EDPB”), the European Data Protection Supervisor (“EDPS”), and the International Association of Privacy Professionals (“IAPP”), among others. This approach ensures that the Guideline is aligned both with Turkish data protection law and with established international data protection standards.
Through the Guideline, the Authority provides a framework that goes beyond the technical functioning of GenAI systems. It outlines how the personal data processing activities carried out within these systems should be assessed in light of the general principles and lawful bases for processing under the Law, as well as in relation to the roles of data controllers and data processors, the cross-border data transfer regime, and data security obligations. The Guideline also addresses practical considerations for individuals regarding the responsible and informed use of GenAI systems in daily life.
Generative AI: Main Attributes and Privacy Risks
“Generative artificial intelligence” has been defined as a form of artificial intelligence that has been trained using large data sets and can create content in different forms, like text, images, videos, audio, and software, in accordance with a prompt given by a user. GenAI systems rely on artificial neural networks that detect patterns in data and generate new, practically applicable outputs.
In this context, GenAI can analyse existing data and categorise it according to the patterns learned during the training phase. GenAI can then regenerate data, including information that may qualify as personal data, and create synthetic data that is highly realistic and unique and does not appear in the input dataset. In light of this, the Guideline specifically addresses “deep fake” technologies, which use GenAI systems to produce visual, audio, and video-based content. While these technologies have creative and innovative applications, they also pose significant risks to individuals’ privacy, reputation, and security by altering or realistically imitating people’s appearance, voices, or other identity elements.
Distinction Between Single-Modal and Multi-Modal Systems and the Lifecycle Approach
In the Guideline, generative artificial intelligence systems are classified into two main categories according to the types of data they process: i) single-modal models, which process only one type of data and generate outputs of the same type; and ii) multi-modal models, which are capable of processing multiple types of data and generating outputs in different formats.
As another critical element, the lifecycle process of GenAI systems is emphasized. In this respect, the Guideline underlines that: i) each phase of the GenAI lifecycle should be carefully planned and effectively managed, and ii) GenAI technologies should be developed and implemented in a human-centric, secure, responsible, and socially beneficial manner. Accordingly, it is noted that every stage of the GenAI lifecycle must be conducted with diligence and precision, and that in addition to technical requirements, ethical, legal, and societal aspects should also be taken into account.
Balancing Efficiency and Legal Risks in the Use of Generative AI
Generative artificial intelligence systems, owing to their content generation, data analysis, and content reprocessing capabilities, can serve as efficiency-enhancing tools across numerous fields such as healthcare, law, customer relationship management, education, marketing, and software development.
However, the Authority emphasizes that a careful balance must be maintained between the efficiency gains offered by such technologies and the legal, ethical, and security-related risks they introduce. In this respect, the Guideline draws particular attention to risks associated with erroneous, false, or inconsistent outputs; discriminatory outcomes stemming from biases in training data; violations of privacy and intellectual property rights; and the generation of deep fake or manipulative content. Even where the prompts a user provides to a GenAI system contain no personal data, the Guideline underlines that the outputs may still qualify as personal data if they are derived from patterns within the training data. Therefore, it cannot be concluded solely from the content of the input that no personal data processing has occurred under the Law; the outputs must also be evaluated within the same framework. It is further emphasized that, because GenAI lacks true contextual understanding and generates results on the basis of statistical probability derived from its training data, this limitation heightens the associated risks.
How Personal Data Are Processed in Generative AI Systems
The Guideline states that GenAI systems process and learn in a data-driven manner, relying on large-scale datasets for their training. Traditional AI training involves presenting extensive datasets to models, enabling them to learn patterns and relationships within the data. Once training is complete, the model generates outputs based on the patterns it has learned. It is essential to note that if personal data belonging to individuals is included in the training data, it may influence both the model’s internal structure and the outputs it generates.
In addition, personal data processing activities may occur at different stages of the GenAI lifecycle: during the creation of training datasets, the execution of the training process, the creation and deployment of the model, the extraction of new or additional information, and through the data entered and the outputs generated while the system is in operation. Although processing personal data is not always the primary purpose of these stages, background processing may still involve personal data, whether directly or indirectly.
Moreover, even where a model is not designed to process personal data directly, it may do so indirectly during its operation. Consequently, regular checks and systematic reviews must be carried out at all stages.
The use of anonymous or anonymised data in the operation of GenAI systems has also been addressed. In this regard, the definition of ‘anonymisation’ under the KVKK has been reiterated, and it has been stated that, since they do not constitute personal data, both anonymous data that cannot be associated with a specific individual from the outset and data that has been anonymised subsequently are not subject to the provisions of the KVKK. In this context, it has been stated that if only anonymous or anonymised data is used in processes such as the design, development, and testing of GenAI, this data processing activity will, as a rule, fall outside the scope of data protection legislation. However, it has been emphasized that it is essential to verify whether data claimed to be anonymized has in fact been anonymized.
Identification of Controller and Processor Roles
The multi-actor structure of GenAI systems complicates the determination of roles between data controllers and data processors compared to traditional processes. When determining roles, it is crucial to consider who is responsible for the purposes and means of processing personal data, rather than being overly focused on legal status or contractual definitions.
In this context, the Guideline states that the positions of ‘developer’ and ‘deployer’ in GenAI systems do not map onto the roles of controller and processor in every case. Therefore, when determining these roles, a case-by-case assessment is required: a concrete assessment should be made on the basis of the nature and context of each processing activity and the actual roles of the parties involved, rather than a generalised approach.
Implementation of Data Protection Principles in Generative AI Systems
It is imperative that processing activities in GenAI systems are carried out in accordance with the fundamental principles set out in Article 4 of the Law. The Guideline highlights in particular the principles of processing for ‘specific, explicit and legitimate purposes’, being ‘relevant, limited and proportionate to the purpose’, and ‘retention for the period necessary’. The Guideline then assesses each principle in turn:
Principle of Lawfulness and Integrity
The Guideline emphasizes that during the development, training, and implementation phases of GenAI systems, the principle of lawfulness and fairness must be observed. In this regard, personal data must be collected lawfully, data subjects must be provided with clear and comprehensible information, and data processing activities must be carried out transparently. Within this framework, it is underlined that individuals should be informed in a timely, sufficient, clear, and accessible manner regarding the purposes for which their data are processed, the scope of such processing, and the potential effects on them. Furthermore, the principle is considered to encompass the requirement that data processing activities be conducted in a manner consistent with the reasonable expectations of data subjects, that potential impacts of processing be anticipated in advance, and that the fundamental rights and freedoms of individuals be duly respected. In this context, the Guideline notes that algorithmic biases that may arise within GenAI systems should be addressed with particular care when evaluating compliance with this principle.
Principle of Accuracy and Data Currency
The Guideline notes that generative artificial intelligence systems rely on large volumes of data, often including personal data, throughout their entire lifecycle, particularly during the training phase. Accordingly, it is emphasized that the principle of accuracy and, where necessary, keeping data up to date must be applied. In this regard, the Guideline underlines that developers, providers, and users of GenAI systems should adopt appropriate measures to identify and remove misleading or unverifiable information contained within training datasets. Moreover, where personal data appear in system outputs, it is considered advisable to establish and operate adequate monitoring and filtering mechanisms to ensure data accuracy and compliance with the Law.
Principle of Purpose Limitation and Data Minimization
Controllers are required to limit their personal data processing activities at every stage of the system to only what is relevant and necessary for the purposes of processing. They must also avoid personal data processing activities carried out beyond these defined needs. In this regard, it is stated that vague and broad terms such as ‘to use in our GenAI systems’ or ‘to develop our database’ do not clearly and specifically state the purpose of data processing and therefore constitute a violation of the principle of ‘processing for specific, explicit and legitimate purposes’ set out in Article 4 of Law No. 6698.
It is essential that developers specify distinct, clear, and justifiable purposes for each stage of the system’s life cycle, rather than broad purposes such as ‘developing the GenAI model’, and that they can demonstrate why the processing activities are necessary to achieve these purposes. In this regard, it has been emphasised that data sets must be carefully structured, supported by an appropriately supervised training process, subject to regular monitoring, and that data processing must be carried out within the limits of necessity and in connection with the purpose.
Data Retention and Storage Limitation Principle
It is stated that determining reasonable, clear, and justifiable retention periods for datasets containing personal data used in the training of GenAI systems is of critical importance. In this regard, data controllers are expected to regularly review which categories of personal data are retained and for how long, and to establish data retention and destruction policies that align with these determinations.
Determining the Lawful Basis for Processing Personal Data in Generative AI Systems
The processing of personal data must be based on at least one of the processing conditions listed in Article 5 of the KVKK and the processing reasons covered by Article 6 of the KVKK for special category personal data. A key consideration when processing personal data using GenAI is that different personal data processing activities, such as the development, operation, and use of GenAI outputs, may coexist in a given situation. As each of these steps may constitute an independent data processing activity, it is essential to establish separate processing conditions for each.
From this perspective, the operation of a large language model may give rise to the following processes: i) the processing of personal data entered by the user for the purpose of operating the model; ii) the use of this data for the purpose of developing the model; iii) the use of outputs generated by the model to personalise interaction with the user; and iv) the use of outputs generated by the model for the purpose of developing the model. Therefore, it is emphasised that a separate processing condition may need to be determined for each of these processing activities.
Cross-Border Transfer of Personal Data
The transfer of data abroad may be involved in applications such as model training, storage, and cloud-based service usage of GenAI systems. In instances where controllers operating within Turkey utilise GenAI systems via designated service providers based overseas, and personal data is transferred internationally through these systems, it is imperative to adhere to the stipulations outlined in Article 9 of the KVKK and the Regulation on the Procedures and Principles Regarding the Transfer of Personal Data Abroad.
Ensuring Transparency in Generative AI Systems
Ensuring transparency in GenAI systems is crucial to inform data subjects about data processing activities and enable them to exercise their control rights over their personal data effectively. In this context, when personal data is obtained, the controller or authorised person must inform the data subjects about the elements listed in Article 10 of the KVKK. In addition, the obligation to provide information must be fulfilled whenever personal data is processed based on the explicit consent of the data subject or other processing conditions in the KVKK.
It is emphasised that when the purpose of personal data processing changes, the data subjects must be informed again about the new purpose. It is imperative to provide clear and precise information both for processing conducted using a GenAI system or its interface and for processing undertaken to develop existing systems and models. Furthermore, where processing is based on explicit consent, the information obligation and the process of obtaining explicit consent must be fulfilled separately. In this context, the notification made to the data subject under the information obligation must be presented in clear, straightforward, and simple language.
Data Subject Rights
Practical difficulties may be encountered in the application of data subject rights guaranteed under Article 11 of Law No. 6698 due to the structural and functional characteristics of GenAI systems. However, the Authority emphasises that controllers’ obligations to ensure the effective exercise of data subject rights remain valid in relation to GenAI systems. The effective exercise of these rights is contingent on establishing appropriate technical and administrative mechanisms, taking into account the unique characteristics of AI systems.
The role and use of GenAI in decision-making, whether as an auxiliary or a controlling factor, are directly relevant to the exercise of data subject rights. It is worth noting that individuals have a legitimate right to oppose an outcome that affects them negatively if that outcome is based solely on the automated processing of their personal data. In this regard, Article 11(1)(g) of the Law stipulates that individuals have a legitimate right to request a reassessment of decisions made through automated decision-making.
Automated decision-making mechanisms are widely used in areas such as recruitment, credit assessment, and insurance, and GenAI can also play a role in shaping decisions about individuals in these processes. The Authority emphasises that the complexity of the algorithms used in these systems and the limited transparency in decision-making processes can make it difficult for individuals to exercise their rights.
Considering this, when the use of GenAI in decision-making processes is planned, careful consideration must be given to whether such use could lead to unfair, discriminatory, or unethical outcomes. Where risks cannot be sufficiently anticipated or managed, a cautious approach to the use of such systems would be appropriate.
The right of the data subject, as regulated in Article 11(1)(g) of the Law, can be seen as a means of requesting not only a review of the outcome of the decision taken, but also a reassessment of the grounds on which the decision was based. It is asserted that this right constitutes a critical safeguard in terms of enhancing transparency in data processing, fortifying individuals’ control over their data, and promoting fair decision-making mechanisms.
Data subjects’ rights are not limited to decision-making processes; they apply to all stages of personal data processing in GenAI, including training data, fine-tuning processes, model outputs, and user queries. The Authority emphasises the importance of establishing clear, accessible, and functional mechanisms to enable individuals to exercise their rights under Article 11 of the Law effectively.
Ensuring the Security of Personal Data in Generative AI Systems: Key Considerations
The Guideline states that security risks specific to GenAI may arise in relation to the security of personal data, and that these may stem from factors such as unreliable training data, the structural complexity of systems, a lack of transparency, and inadequate testing processes. In this context, when personal data is processed within the lifecycle of GenAI, controllers must ensure an appropriate level of security in accordance with Article 12 of Law No. 6698. They must take all necessary technical and administrative measures to provide an adequate level of protection, to prevent the unlawful processing of personal data and unauthorized access to such data, and to safeguard personal data.
In this context, some technical and administrative measures that may be considered to ensure personal data security in GenAI are provided below as examples:
- The approaches of ‘privacy by design’ and ‘privacy by default’ have been noted to play a supportive role in protecting personal data throughout the entire lifecycle of data processing activities, starting from the initial stage.
- A data protection impact assessment should be conducted to identify, evaluate, and manage the risks that may arise at every stage of the system’s lifecycle.
- The integration of privacy-enhancing technologies into GenAI systems enables privacy to be technically enforced in the processing of personal data.
- As in traditional information technology systems, technical controls against known vulnerabilities of GenAI systems (such as model inversion attacks, prompt injection, jailbreak attempts, and membership inference attacks) must be integrated, and these controls must be monitored and reviewed on a continuous basis.
- ‘Red teaming’ techniques should be applied to identify unknown risks.
- It would be beneficial for controllers to use only data sets obtained from reliable sources and to perform regular validation and verification checks, including on internal data sets.
Conclusion
The Authority’s Guideline, which outlines the procedures and principles for processing personal data within the scope of generative artificial intelligence systems developed and used by controllers and processors, serves as an essential resource for controllers. It clarifies their obligations under the KVKK and supports the practical implementation of personal data protection obligations in relation to GenAI systems.