The Personal Data Protection Authority has published a guideline addressing the principles that generative artificial intelligence systems must observe under Law No. 6698 on the Protection of Personal Data (KVKK) at the data collection, training, and output stages. The document complements the Authority's earlier guidance on automated decision-making and aims to provide data controllers with a workable compliance framework as generative AI tools become embedded across the customer journey.
Background and Scope
The guideline covers data processing activities related to large language models, image generation, and similar foundation models, regardless of whether the system is developed in-house, licensed from a provider, or accessed as a managed service. It clarifies that responsibility under KVKK is allocated according to the actual processing role: a controller that fine-tunes a model on customer data remains a controller for that activity, while the underlying provider may act as a processor depending on the contractual setup.
Data Collection and Training
At the data collection stage, the guideline reiterates that the lawful basis requirements of Article 5 of KVKK apply in full. Where training datasets include personal data, the data controller must identify a valid legal ground; explicit consent under Article 5/1 or one of the conditions in Article 5/2 such as legitimate interest must be documented through a structured assessment. For sensitive personal data within the meaning of Article 6, training without explicit consent is permitted only in the narrowly defined cases laid down by the article.
Transparency obligations under Articles 10 and 11 require privacy notices to disclose the use of AI training in clear terms, including the categories of data used, the purpose of training, and the data subjects' rights. The guideline addresses the legal status of data obtained by web scraping and underlines that the public accessibility of data is not, by itself, a lawful basis for processing it; a documented legitimate interest balancing test, retention controls, and opt-out mechanisms are required.
Output and Deployment
When generative AI systems are integrated into customer-facing processes, controllers must ensure that data subjects can exercise their rights under Article 11, including access, rectification, and objection to fully automated decisions. The guideline expects controllers to deploy prompt-injection and output-filtering controls to prevent the disclosure of personal data through model outputs, and to maintain incident response procedures aligned with Article 12 security obligations.
Compliance Checklist
Data controllers are advised to update their VERBİS registrations, processing inventories, privacy notices, and Data Processing Impact Assessments to reflect their generative AI use cases. Vendor contracts should be revisited to allocate KVKK roles and to address cross-border data transfer requirements under Article 9. Our office assists clients in building AI-specific compliance programs, drafting model-card style transparency materials, and preparing for engagement with the Personal Data Protection Authority.
