Source: Mondaq

Mondaq reports that the Turkish Data Protection Authority (DPA) published a comprehensive "Guide on Generative Artificial Intelligence and Personal Data Protection" on November 24, 2025. The guide addresses the growing privacy risks associated with Generative AI (GAI), such as "hallucinations" (false outputs) and the reinforcement of biases found in training data. It clarifies that the lifecycle of GAI models—from data collection and training to deployment—involves personal data processing at every stage, thus triggering compliance obligations under the Turkish Data Protection Law.

The guidelines emphasize that even publicly available personal data cannot be freely used for AI training without a valid legal basis, and explicit consent must be obtained where necessary. It specifically warns against the creation of deepfakes that infringe on personality rights and mandates that data controllers implement "privacy by design" and "privacy by default." Furthermore, the DPA provides recommendations for users, advising against sharing sensitive data with chatbots, and calls for strict measures to protect children from manipulative content. Cross-border data transfer rules are also reinforced for companies using foreign AI service providers.