Generative AI & Personal Data Protection Under KVKK

Generative AI & Personal Data Protection Under KVKK: A Comprehensive Breakdown of the New KVKK “15-Question Guide”

Generative AI (Üretken Yapay Zekâ – ÜYZ) is rapidly transforming how organizations create content, automate tasks, and deliver digital services. But as these systems generate text, images, video, audio, and even deepfakes, they interact deeply with personal data, raising critical compliance questions under Turkey’s Law on the Protection of Personal Data (KVKK).

To address these questions, the Turkish Data Protection Authority (KVKK) released a new official document:
“Üretken Yapay Zekâ ve Kişisel Verilerin Korunması Rehberi (15 Soruda)”,
a detailed 63-page guide that outlines how generative AI systems should be used, governed, and assessed from a data protection perspective.

This blog post provides a full, structured English summary of the guide—explaining KVKK’s expectations, key definitions, obligations for organizations, risks, transparency requirements, and recommended safeguards.

1. What Is Generative AI According to KVKK?

KVKK begins with a foundational definitions section, describing the major concepts needed to understand generative AI:

Large Language Models (LLMs)

Models trained on massive text datasets that learn patterns between characters, words, and sentences to perform tasks like text generation, summarization, and Q&A. (Page 4)

Algorithmic Decision Systems

Systems that analyze high volumes of personal data to derive correlations or support decision-making.

Big Data

Large-scale datasets requiring special technologies and techniques to extract meaningful insights.

Narrow/Weak AI

AI designed to perform specific tasks at high proficiency.

The guide also explains how generative AI is used across different media types:

Text Generation

Producing summaries, articles, Q&A content, creative writing, and conversational responses.

Image & Video Generation

Creating images, animations, concept art, or videos based on text prompts, often using large visual datasets.

Audio & Music Generation

Producing synthetic voices, sound effects, or music compositions.

Deepfake Technology

A highlighted concern in the guide—especially for misuse scenarios and child protection implications.

2. Why Generative AI Raises Data Protection Concerns

The guide emphasizes that generative AI systems can process personal data even if users do not explicitly input it. Key risks include:

  • Training on personal data (including public sources scraped at scale)
  • Inferring or reconstructing personal information
  • Producing outputs that contain sensitive or private data
  • Cross-border transfers within AI model pipelines
  • Opacity in how training data is collected, used, or stored

3. When Does KVKK Apply to Generative AI Systems?

KVKK applies whenever:

  1. Personal data is processed (collected, stored, analyzed, or used)
  2. Processing occurs fully or partially by automated means
  3. The data relates to an identified or identifiable person

This includes:

  • AI service providers
  • Developers training models
  • Organizations integrating AI into products
  • End-user companies using AI tools in business operations

Even if an organization is not training models, but only using AI tools, KVKK obligations still apply if personal data is involved.

4. Key KVKK Compliance Principles Relevant to Generative AI

The guide aligns with the standard KVKK principles but highlights new interpretations for AI systems:

a. Lawfulness, Fairness, Transparency

AI users and providers must inform individuals about data processing in clear terms.

b. Purpose Limitation

Data collected for training must be used for clearly defined, legal purposes.

c. Data Minimization

Only data strictly necessary to train or operate the model can be processed.

d. Accuracy

Generative systems can produce incorrect or misleading outputs—organizations must mitigate this.

e. Storage Limitation

Data retention limits apply not only to user data but also to logs, model training sets, and embeddings.

f. Security and Confidentiality

Organizations must implement technical and administrative safeguards comparable to those described in KVKK’s “Technical and Administrative Measures Guide”.

5. Transparency Obligations for Generative AI (Aydınlatma Yükümlülüğü)

One of the most explicit and detailed sections is the transparency requirement, explained on page 49 of the guide. KVKK emphasizes that transparency is essential so individuals can control their data.

KVKK restates that the full Article 10 aydınlatma (information notice) obligation applies to AI, and organizations must disclose:

  • Identity of the data controller or representative
  • Purpose of processing
  • To whom data will be transferred
  • Method and legal basis of collection
  • Rights of the data subject

The guide specifically requires separate and explicit transparency notices for:

  1. Using an AI system (e.g., interacting with a chatbot)
  2. Using data to train or improve models

This separation is critical because the legal bases, purposes, and risks differ.

6. Legal Bases for AI-Related Processing Under KVKK

The guide does not create new legal bases but clarifies how existing ones apply:

  • Explicit consent may be required for:
    • Training models using personal data
    • Profiling or inference-based processing
    • Processing sensitive data
  • Legitimate interest may be used only where:
    • Processing is proportionate
    • Data subjects’ rights do not override the controller’s interests
    • Necessary safeguards are implemented
  • Legal obligation, contract necessity, and establishment/protection of rights remain valid but must be strictly interpreted.

7. Cross-Border Data Transfers in AI Systems

AI tools often transfer data internationally due to:

  • Cloud providers
  • Model hosting
  • Training infrastructure
  • Logging and telemetry
  • Third-party APIs

KVKK explicitly ties this to the Cross-Border Transfer Guide (2025) referenced in the appendix.

Organizations must comply with:

  • Adequacy list rules
  • Safeguard requirements
  • Commitment letters
  • Board approvals (where necessary)

8. Risks Identified in the Guide

The guide highlights several risk categories:

a. Hallucinations / False Outputs

Incorrect information may harm individuals or misrepresent them.

b. Bias and Discrimination

Training data may embed historical or societal biases.

c. Deepfake Misuse

Particularly dangerous for children, harassment, and identity manipulation.

d. Security Vulnerabilities

Prompt injection, data leakage, or adversarial inputs.

e. Excessive Data Collection

Including scraping of large datasets without a legal basis.

9. Technical & Organizational Measures (TOMs) for Safe Use

KVKK expects organizations to follow the standard administrative and technical measures—similar to those described in other KVKK guides (2025 editions referenced in the annex). Key TOMs include:

  • Access controls
  • Encryption
  • Logging and monitoring
  • Segregation of duties
  • Risk assessments
  • Regular audits
  • Data anonymization/pseudonymization
  • Dataset hygiene and filtering
  • Incident response planning

10. Using Generative AI Safely in Daily Life (For Individuals)

Section 14 offers advice for everyday users:

  • Do not share sensitive or private information with AI tools
  • Review permissions and privacy settings
  • Understand how your data may be stored or reused
  • Be cautious of AI-generated misinformation or deepfakes
  • Prefer official or trusted AI platforms

(Referenced via page listing)

11. Special Recommendations for Children (For Parents)

Section 15 provides guidelines for protecting children from misuse of AI tools:

  • Actively participate in the child’s digital interactions
  • Teach them not to upload photos, private data, or identifiable details
  • Enable parental controls
  • Be aware of risks from deepfake content
  • Choose age-appropriate AI tools

12. Governance Expectations for Organizations

To comply with KVKK, organizations should establish internal AI governance structures, including:

  • AI risk assessments (AIRIAs)
  • Algorithmic impact evaluations
  • Data protection audits
  • Record of processing activities (ROPA)
  • Vendor/third-party assessments
  • Human-in-the-loop decision mechanisms

13. Key Takeaways

  • KVKK applies fully to generative AI systems that process personal data.
  • Transparency and explicit aydınlatma are mandatory.
  • Training and operational uses must be separated in disclosures.
  • Appropriate legal bases must be selected and justified.
  • Cross-border transfers must follow KVKK’s rigorous requirements.
  • Organizations must apply strong technical and administrative safeguards.
  • Special attention is required for deepfakes, children, and biased outputs.

Final Thoughts

This new 15-question KVKK guide is one of the most comprehensive official resources on generative AI released by any data protection authority globally. It aligns with international standards (EDPB, EDPS, ICO, UNESCO), while adding Turkey-specific obligations around transparency, transfer rules, explicit consent, and risk management.

For organizations building, training, or integrating generative AI into products or workflows, this guide is now an essential compliance reference.

source: https://www.kvkk.gov.tr/

Masoud Salmani