The Personal Data Protection Authority published the Guide on Generative Artificial Intelligence and the Protection of Personal Data (“Guide”) on November 24, 2025. The Guide aims to assess the potential impacts of Generative Artificial Intelligence (“ÜYZ”) systems in the context of personal data protection, promote the development of ÜYZ systems, encourage an approach that respects individuals’ privacy when using ÜYZ systems, and serve as a guide for data controllers. The Guide addresses issues such as the content production process, areas of use, stages of the life cycle, and the types of risks associated with the use of AI systems within the framework of the Personal Data Protection Law No. 6698 (“KVKK”). It also aims to be consistent with the approach of European Data Protection Authorities to the protection of personal data, legislation, and technological developments covering artificial intelligence and AI systems.
The relevant Guide explains certain concepts and definitions related to artificial intelligence and data protection as defined by European Data Protection Authorities and regulations. The Guide has published the relevant topics in the form of 15 questions, which will also be explained here in the same order.
1) What is Generative Artificial Intelligence?
This section compares “generative/creative artificial intelligence” with “traditional/classical artificial intelligence” technologies and defines generative artificial intelligence.
2) How is Content Production Achieved in Generative Artificial Intelligence Systems?
The design, purpose, and context of these models used in content creation can vary significantly depending on the type of content to be produced. As with artificial intelligence systems, the main methods used in data-driven AI systems are Machine Learning, Artificial Neural Networks, Image Generating Artificial Intelligence, and Text Generating Artificial Intelligence. Text Generating Artificial Intelligence is classified into three categories: General Purpose Transformers, Large Language Models, and Generative Pre-trained Transformers. Image Generating Artificial Intelligence is classified into two categories: Generative Adversarial Networks and Variational Autoencoders. The design, intended use, and context of the models vary depending on the content type. The text generation process, the image generation process, and the basic classification of ÜYZ models are explained.
3) What stages comprise the life cycle of Generative Artificial Intelligence Model?
The fundamental stages of the life cycle of ÜYZ models are outlined. The first stage of this life cycle involves determining the purpose and scope of the model. Sometimes a suitable base model can be identified for the process, while other times a model must be developed from scratch. The next stage involves collecting and preprocessing the data. Data sources used in training ÜYZ models, primarily “web scraping,” are discussed. The third stage involves training the model for its intended purpose and performing “fine tuning.” Optimization methods and their purposes are discussed/explained. The next stage involves evaluating and monitoring the model. The aim is to establish evaluation criteria to examine factors such as accuracy and suitability for the intended purpose. The final stage involves deploying the model using the criteria from the previous stages, with continuous monitoring and regular evaluation, followed by providing regular feedback. The ÜYZ lifecycle is a holistic process. Given its technical and critical requirements, ethical, legal, and social significance and impact, ÜYZ technologies must be used safely, responsibly, and for the benefit of society.
4) In Which Fields Is Generative Artificial Intelligence (ÜYZ) Used?
ÜYZ is becoming a tool capable of performing basic tasks such as creating content from incoming instructions, reprocessing existing content, and analyzing data, thereby increasing productivity and contributing to the development of new systems. The current areas of application for ÜYZ include Customer Service, healthcare, education, marketing and advertising, cultural industries and arts, software development, search and information access, and law.
5) What Risks Does the Use of Generative Artificial Intelligence (ÜYZ) Pose?
Despite offering numerous opportunities with features such as effective and rapid decision-making, constant accessibility, and dynamic personalization, ÜYZ systems pose risks in terms of protecting individual rights and ensuring public safety. Therefore, it is crucial that these systems are designed, developed, and used responsibly and consciously. The risks raised by ÜYZ, as mentioned, are as follows: “Hallucinations” and Inconsistent Outputs, Bias and Biased Outputs, Data Privacy and Security, Intellectual Property Rights Violations, and Deep Fakes and Manipulative Content. Despite the advantages of ÜYZ, it is noted that models can be wrong, inconsistent, biased, or misleading/manipulative.
6) Are Personal Data Processed in Generative Artificial Intelligence Systems?
Most artificial intelligence systems and ÜYZ systems involve a data-driven processing and learning process that utilizes large-scale data. When personal data belonging to individuals is included in training data, it can influence the internal structure and outputs of the model in artificial intelligence and ÜYZ systems, thereby engaging in personal data processing activities in various ways throughout different stages of the life cycle. The processing of personal data occurs in the background, and information that is not targeted, random, or of a personal nature may be directly or indirectly involved. Therefore, personal data may be processed even if the purpose is not to process personal data and even if the system is not designed for that purpose. Control mechanisms should be implemented to assess the validity of the situation. In addition to data protection regulations, artificial intelligence data governance frameworks and standards are also required. It has been stated that artificial intelligence and ÜYZ systems fall under the scope of the KVKK in the processing of personal data, and examples have been provided. the KVKK. According to Article 3(1)(b) of the KVKK, the use of only anonymous or anonymized data in the design, development, and testing processes of ÜYZ systems is, as a rule, outside the scope of the KVKK. However, whether data is truly anonymous must be determined using technical methods and objective criteria. Since data sets retain their personal data status until they are anonymized, all data processing activities during this process must be carried out in compliance with the KVKK.
7) How should the Data Controller and Data Processor be determined within the scope of the Life Cycle of Generative Artificial Intelligence Systems?
Here, the Guide provides definitions of “data controller” and “data processor” as defined in the KVKK, discusses what they do, how they can be identified, and what matters the data controller can delegate to the data processor through a personal data processing agreement. Due to the multi-layered structure and complexity of ÜYZ systems, identifying the data controller and data processor can be difficult. There are numerous diverse actors with varying levels of control or decision-making authority. As the nature and scope of data processing activities change dynamically, the determination of responsibility should be based not on contractual terms but on the parties’ actual control over these activities and their decision-making authority regarding the processing of personal data. Therefore, roles such as “developer” and “host” may not always correspond directly to the role of data controller/processor; a concrete assessment must be made based on the nature of each processing activity and the actual roles of the parties. Therefore, when conducting assessments regarding data responsibility in ÜYZ systems, consideration should be given to who makes fundamental decisions regarding the processing of personal data. as these decisions are decisive in terms of elements such as the nature, scope, purpose, and context of the data processing activity and include matters such as what type of data will be processed, what categories the data to be processed belong to, and from which sources this data will be obtained. In some cases, however, the level of control and influence over the nature and scope of an organization’s data processing activities cannot be clearly established. This is particularly true for “closed access” models, which are widely used today. In such cases, it is important to consider the roles of the parties in the data processing processes, the information to which the host has access, and the nature of the level of control provided by the developer. Rather than a general approach, each data processing activity should be assessed in terms of its nature, context, the actual roles of the parties, and its compliance with the application.
8) How Should the General Principles for Processing Personal Data Be Applied in Generative Artificial Intelligence Systems?
ÜYZ systems also fall under Article 4 of the KVKK, and the processing of data in accordance with the general principles governing the processing of personal data is a legal requirement. These principles are: compliance with the law and the principle of fairness, accuracy and, where necessary, updating, processing for specified, explicit, and legitimate purposes, processing that is relevant, limited, and proportionate to the purposes for which it is processed, and retention for the period required by the relevant legislation or necessary for the purposes for which it is processed. These principles are explained individually in the Guide.
9) How Should the Conditions for Processing Personal Data in Generative Artificial Intelligence Systems (Legal Basis) Be Determined?
In order for personal data to be processed lawfully in ÜYZ systems, it is mandatory to rely on at least one of the processing conditions specified in Article 5 of the KVKK or Article 6 of the KVKK for special category personal data. Although the conditions for processing personal data are limited in number, the conditions set out in the Law also cover personal data processing activities carried out with new techniques and processes. Since ÜYZ systems may require intensive processing of data at every stage, each of these processes must be evaluated according to the characteristics of the system, model, or application and the specific circumstances. The following conditions listed in Article 5 of the KVKK are explained separately in the Guide:
– The existence of the relevant person’s explicit consent.
– Explicit provision in the laws.
– It is necessary to protect the life or physical integrity of the person who is unable to express their consent due to actual impossibility or whose consent is not legally valid, or that of another person.
– It is necessary for the establishment or performance of a contract, provided that it is directly related to the contract and the processing of personal data belonging to the parties to the contract.
-It is necessary for the data controller to fulfill its legal obligations.
-It has been made public by the data subject.
-Data processing is necessary for the establishment, exercise, or protection of a right.
-Data processing is necessary for the legitimate interests of the data controller, provided that it does not harm the fundamental rights and freedoms of the data subject.
Since ÜYZ systems fall within the scope of the provisions on special categories of personal data and processing conditions listed in Article 6 of the KVKK, the processing of special categories of data is only possible in the cases specified in the article. The law provides for more specific measures against the risks that may arise due to the nature of this data, and these measures are also required for ÜYZ systems.
10) How Should the Transfer of Personal Data Abroad in Generative Artificial Intelligence Systems Be Assessed?
The transfer of personal data abroad may be carried out by the data controller and data processor in accordance with the Regulation on Procedures and Principles Regarding the Transfer of Personal Data Abroad and the Guide on the Transfer of Personal Data Abroad, as stipulated in Article 9 of the KVKK and the remaining legislation.
11) How Can Transparency Be Achieved in the Context of Generative Artificial Intelligence Systems?
Article 10 of the KVKK stipulates the Data Controller’s Obligation to Inform, which covers the subjects that the data controller or authorized persons are obliged to provide information about. In the context of ÜYZ systems, this obligation must be fulfilled in accordance with the relevant provision, legislation, and the provisions of the “Communication on the Procedures and Principles to be Followed in Fulfilling the Obligation to Inform.” ÜYZ systems are also included in this scope. The Guide specifies how the information obligation should be fulfilled at each separate and distinct stage of ÜYZ systems and outlines important details. However, it is necessary to ensure sufficient transparency at every stage of ÜYZ systems and to develop practices such as policies and control mechanisms against potential privacy and data protection risks in terms of personal data protection.
12) How Can the Rights of Data Subjects Be Exercised in the Context of Generative Artificial Intelligence Systems?
Automated decision-making systems are subject to all provisions of the Personal Data Protection Law (KVKK) and are also covered by Article 11 of the KVKK, which regulates the rights of the “data subject.” Considering the unique characteristics of automated decision-making systems, the establishment of appropriate technical and administrative mechanisms contributes to the effective exercise of data subject rights within the scope of these systems. However, certain practical difficulties arise in the application of data subject rights in relation to AI systems. The widespread use of automated decision-making mechanisms in many areas, the complexity of the algorithms used in these systems, and the low level of transparency regarding decision-making processes make it difficult for individuals to understand the rationale behind decisions made about them and to exercise their rights in this context. The Guide anticipates careful consideration in such situations and includes mechanisms and methods such as an objection mechanism, “data mapping,” and “data labeling.” It also adopts the approaches of “privacy by design” and “privacy by default.”
13) What Should Be Considered Regarding the Security of Personal Data in Generative Artificial Intelligence Systems?
There are security risks specific to ÜYZ systems. Therefore, in accordance with Article 12 of the KVKK, in order to prevent the unlawful processing of personal data and unlawful access to such data, and to ensure the protection of personal data, it is necessary to take all necessary technical and administrative measures to ensure an appropriate level of security. These technical and administrative measures are listed and examined in the Guide. The “Personal Data Security Guide (Technical and Administrative Measures)” prepared by the Personal Data Protection Authority shall also be taken into consideration along with the legislation.
14) When Using Productive Artificial Intelligence Applications in Daily Life, What Should Individuals Pay Attention to in Terms of Personal Data Protection?
The Guide emphasizes that individuals should adopt a conscious approach that prioritizes personal data security when using ÜYZ systems and applications, and that they should be sufficiently aware of the serious consequences that could arise if certain types of data are compromised. care should be taken not to share third-party data in the systems, anonymized and generalized expressions should be preferred as much as possible when sharing information with ÜYZ systems, and privacy settings should be reviewed.
15) What Precautions Can Parents Take Regarding Children Using Generative Artificial Intelligence Tools?
Children also use social media applications today, and this usage is increasing. The Guide includes some precautions that parents can take: checking whether social media platforms offer age-appropriate content, being aware of the potential dangers posed by deep fake content and providing support to deal with them, informing children in an age-appropriate manner, raising awareness and ethical awareness, and setting limits on usage.
You can access the full text of the “Guide to Generative Artificial Intelligence and Personal Data Protection” from the link below.
KVKK-Üretken Yapay Zeka ve Kişisel Verilerin Korunması Rehberi .pdf
This Legal Alert has been prepared for general information purposes only on current legal issues, and the evaluations contained in this Legal Alert do not constitute legal advice or a legal opinion. It is not possible to impose any liability on SRP-Legal Law Office due to the content of this Legal Alert. It is recommended to obtain the opinion of a legal advisor regarding your questions and enquires within the scope of this Legal Alert.
.
