info@srp-legal.com
Şakayıklı Sokak No:10 | Levent 34330 | İstanbul | Türkiye
 

Legal AlertArtificial Intelligence Alert from the Personal Data Protection Authority: Agentic AI and Data Protection Risks

12 March 2026

The Turkish Personal Data Protection Authority (“Authority”) published the Agentic Artificial Intelligence (Agentic AI) Guide (“Guide”) on 12 March 2026.

The Authority has issued this Guide to assess the potential impacts of developments in artificial intelligence technologies on the protection of personal data. The Guide particularly focuses on evaluating the risks that the increasing autonomous decision-making and data-processing capabilities of agentic AI systems may pose to personal data protection.

The primary objectives of the Guide are as follows:

  • To define the concept of agentic artificial intelligence (Agentic AI) and its fundamental characteristics;
  • To outline the potential effects of these systems on personal data processing activities;
  • To identify key assessment areas that require attention from a personal data protection perspective.
  1. What is Agentic Artificial Intelligence (Agentic AI)?

According to the Guide, agentic AI refers to artificial intelligence systems capable of interpreting environmental conditions, adapting to changing circumstances, and initiating actions with a high degree of autonomy to achieve specific objectives. Key features of these systems include:

  • The ability to manage multi-step processes and evaluate different activities simultaneously;
  • The capacity to plan and execute actions based on contextual conditions to achieve objectives;
  • Extensive data processing and learning capabilities.
  1. Assessment from a Personal Data Protection Perspective

The widespread use of agentic AI systems introduces new assessment areas under personal data protection law. The Guide emphasizes the following points:

  • Scope of data processing activities: Such systems may process personal data while performing predictions, analyses, and recommendations on large datasets. Therefore, the legal basis and limits for each data processing activity must be clearly determined.
  • Autonomy and decision-making: Increased autonomy may render data processing more dynamic and multi-step, requiring data controllers to reassess the transparency of their processes, data security measures, and compliance with data minimization principles.
  • Risk management and security measures: Throughout the lifecycle of agentic AI systems, appropriate technical and administrative measures must be implemented to protect the confidentiality, integrity, and accessibility of personal data.
  1. Recommendations for Compliance

For data controllers and entities developing or operating AI systems, the following areas are critical for ensuring legal compliance:

  • Data processing inventory and classification: Identify and document the data processing activities associated with each AI function.
  • Determination of legal bases: Evaluate the applicable legal bases for processing personal data (e.g., explicit consent, contractual necessity, legitimate interest).
  • Transparency and information obligations: Inform data subjects about what data is processed, for which purposes, and their rights effectively.
  • Impact assessment and risk analysis: Conduct Data Protection Impact Assessments (DPIAs) for high-risk AI applications.
  • Technical and organizational measures: Implement advanced security measures (e.g., encryption, anonymization) to ensure that systems comply with data protection principles.
  1. Conclusion

The Authority’s 12 March 2026 Agentic AI Guide provides an informative and evaluative framework regarding the impact of AI systems on personal data. While the Guide does not constitute directly binding legislation, it serves as an important reference highlighting the key points to consider in the context of personal data protection in AI applications.

The full text of the Guide published by the Turkish Data Protection Authority can be accessed via the link below.

Agentic Artificial Intelligence (Agentic AI) | Turkish Personal Data Protection Authority

For detailed information and professional support during the compliance process, feel free to contact us.

This Legal Alert has been prepared for general information purposes only on current legal issues, and the evaluations contained in this Legal Alert do not constitute legal advice or a legal opinion. It is not possible to impose any liability on SRP-Legal Law Office due to the content of this Legal Alert. It is recommended to obtain the opinion of a legal advisor regarding your questions and enquires within the scope of this Legal Alert.

<<<
A Major Shift in Loyalty Card Practices: Mandatory Verification Requirement Introduced by the Turkish Personal Data Protection Authority
>>>
Public Announcement by the Turkish Personal Data Protection Authority on VERBIS Notification Requirements for Business Partnerships, Consortia, and Ordinary Partnerships