Artificial intelligence (“AI”) technologies are systems that learn by processing large volumes of data and can produce human-like outputs. Today, they are used not only in the technology sector but also in fields such as healthcare, law, finance, education, and public services. One of the most important building blocks of these technologies is data: as the diversity and currency of data increase, so does the performance of AI systems. However, a significant portion of the data processed qualifies as personal data and, in Turkey, falls within the scope of the Personal Data Protection Law No. 6698 (“PDPL”).
AI-based systems operate by learning patterns from large datasets. The process is generally described in three main stages: training, validation, and use. In the training stage, very large volumes of data are used to teach the model. Such data may be collected from public sources (websites, social media, etc.), obtained through licensed datasets, or gathered directly from users. Where a dataset contains personal data, at least one of the processing conditions set forth in Articles 5 and 6 of the PDPL must be met.
In the validation stage, personal data may also be processed while the accuracy and reliability of the model are tested. Here, too, a legal basis under Article 5 (general processing conditions) or Article 6 (special categories of personal data) must be established.
In the use stage, user inputs to the system (text, images, audio, documents, etc.) are processed. At this stage, in line with the data minimization principle (Article 4 of the PDPL), only the data that is actually needed should be collected; retention periods should be defined; and user inputs should not be fed back into training unless strictly necessary.
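To make the minimization and retention principles concrete, the following is a minimal sketch of how a system might handle user inputs. The field names, the 30-day retention period, and the redaction patterns are purely illustrative assumptions, not requirements of the PDPL; real systems would need far more robust identifier detection.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
import re

RETENTION = timedelta(days=30)  # illustrative; set per your documented retention schedule

# Rough illustrative patterns; production systems need more robust PII detection.
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.]+")
PHONE_RE = re.compile(r"\+?\d[\d\s-]{8,}\d")

def redact_identifiers(text: str) -> str:
    """Strip obvious direct identifiers before storage (minimization, Art. 4 PDPL)."""
    text = EMAIL_RE.sub("[EMAIL]", text)
    return PHONE_RE.sub("[PHONE]", text)

@dataclass
class UserInput:
    content: str
    received_at: datetime = field(default_factory=lambda: datetime.now(timezone.utc))

    @property
    def expires_at(self) -> datetime:
        # A defined retention period, after which the record should be deleted.
        return self.received_at + RETENTION

def ingest(raw: str) -> UserInput:
    # Store only the redacted content; do not feed it back into training by default.
    return UserInput(content=redact_identifiers(raw))
```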
In AI systems, data security is not only a legal obligation but also an ethical responsibility. Technical measures such as anonymization, masking, pseudonymization, access controls, encryption, and differential privacy should be selected through a risk-based approach and documented. These measures play a critical role in fulfilling the data security obligations set forth in Article 12 of the PDPL.
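As one concrete illustration of these measures, pseudonymization can be implemented by replacing a direct identifier with a keyed hash. This is only a sketch under the assumption that the key is held separately from the dataset; it is that separation that keeps the data linkable for the key holder, which is why pseudonymized data (unlike anonymized data) remains personal data under the PDPL.

```python
import hmac
import hashlib

# The key must be stored separately from the dataset (e.g., in a secrets manager);
# whoever holds it can re-link pseudonyms, so the output is still personal data.
PSEUDONYM_KEY = b"replace-with-key-from-a-secrets-manager"  # illustrative placeholder

def pseudonymize(identifier: str) -> str:
    """Replace a direct identifier (e.g., an email address) with a stable keyed pseudonym."""
    return hmac.new(PSEUDONYM_KEY, identifier.encode("utf-8"), hashlib.sha256).hexdigest()

# The same input always maps to the same token, so records stay linkable
# for analytics without exposing the underlying identifier.
record = {"user": pseudonymize("ayse.yilmaz@example.com"), "event": "login"}
```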
All of these general principles provide a basis for understanding the data-processing dimension of AI systems. Within this framework, large language models, which have recently become widespread and interact with millions of users, deserve particular attention from a personal data protection perspective.
Compliance of ChatGPT and Similar Models with the PDPL
Large language models, such as the well-known ChatGPT, generate responses by processing user inputs, and in doing so users may share personal data without realizing it. The information obligation under Article 10 of the PDPL is therefore of particular importance for such systems: users must be clearly informed, in Turkish, of the purposes for which their data is processed and stored, to whom and for what purpose it is disclosed, the method of collection, and the legal basis. If no other lawful basis under Articles 5 and 6 exists, explicit consent must be obtained. AI features should also be labelled (e.g., “AI-powered chat”), and the effects of any automated decision-making should be explained.
In practice, the full compliance of these models with the PDPL is often debated. With the amendments that entered into force on 1 June 2024, the former approach, which relied mainly on explicit consent for cross-border data transfers, has been abandoned. Transfers may now be carried out: (i) to countries and/or sectors covered by an adequacy decision, (ii) with appropriate safeguards (e.g., standard contractual clauses, binding corporate rules), or (iii) under the statutory derogations.
Standard contractual clauses, the most commonly used safeguard in practice, must be notified to the Authority within five business days of signature.
It is essential for system providers to act in line with the principles of transparency and accountability, not only as a legal obligation but also as a critical factor for user trust.
Artificial Intelligence and Explicit Consent
Under the PDPL, valid explicit consent is a declaration of intent that is related to a specific matter, based on information, and given with free will. In the context of AI, this means that the user must understand which of their data is processed, for what purpose, to whom it is disclosed, and how long it will be retained. Explicit consent must not be made a condition for benefiting from the service; otherwise, the element of free will is compromised. Implied consent is not valid under the PDPL; for example, assuming that the use of the system implies consent is legally incorrect.
When consent is withdrawn, the withdrawal should be recorded, and processing activities based on that consent must cease. In addition, in AI systems, it is important for the consent process to be technically verifiable (e.g., log records, timestamps) in order to avoid potential future disputes.
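A hedged sketch of what such a technically verifiable consent record might look like follows; the schema and the hash-chaining approach are illustrative design choices, not something the PDPL prescribes. Each entry carries a timestamp and references the hash of the previous entry, so later tampering with the log is detectable, and processing code can check the latest entry before relying on consent.

```python
import hashlib
import json
from datetime import datetime, timezone

class ConsentLog:
    """Append-only consent log; each entry hashes the previous one, making tampering detectable."""

    def __init__(self) -> None:
        self._entries: list[dict] = []

    def record(self, user_id: str, purpose: str, action: str) -> dict:
        # action is "granted" or "withdrawn"; a withdrawal is logged, never deleted.
        prev_hash = self._entries[-1]["hash"] if self._entries else "genesis"
        entry = {
            "user_id": user_id,
            "purpose": purpose,  # consent must be tied to a specific purpose
            "action": action,
            "timestamp": datetime.now(timezone.utc).isoformat(),
            "prev_hash": prev_hash,
        }
        entry["hash"] = hashlib.sha256(
            json.dumps(entry, sort_keys=True).encode("utf-8")
        ).hexdigest()
        self._entries.append(entry)
        return entry

    def is_active(self, user_id: str, purpose: str) -> bool:
        """Processing may continue only if the latest entry for this purpose is a grant."""
        for entry in reversed(self._entries):
            if entry["user_id"] == user_id and entry["purpose"] == purpose:
                return entry["action"] == "granted"
        return False
```

In such a design, any consent-based processing step would call `is_active` first and stop as soon as a withdrawal entry is recorded.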
Deepfake Technology and Risks
Another data protection issue arising from artificial intelligence is deepfake technology. Deepfake refers to highly realistic fake content created by manipulating a person’s face, voice, or movements using artificial intelligence and deep learning algorithms. While such content may be used for entertainment or artistic purposes, it can also be exploited for fraud, blackmail, reputational harm, or spreading false information.
The Turkish Personal Data Protection Authority’s 2025 information note clearly highlights the risks deepfakes pose to personal data security. Vulnerable groups, particularly children and the elderly, may be targeted by deepfake attacks.
Protection against these technologies requires a combination of technical, administrative, and legal measures. Technical measures include anti-deepfake software, automated detection systems, watermarking, and storing original content in reference databases. Administrative measures include access authorization, internal awareness training, and incident response plans. Legal measures include swift complaint mechanisms, content removal, access blocking, and claims for damages. At the international level, there are ongoing discussions on platform providers’ liability and the mandatory labelling of AI-generated content.
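To make the reference-database idea concrete, the sketch below registers cryptographic hashes of original content and later checks whether circulating media matches a registered original. All names are illustrative, and exact hashing is a deliberate simplification: a single changed byte defeats it, so real deployments would rely on perceptual hashing or watermarking, with non-matches flagged for forensic review rather than declared fake.

```python
import hashlib
from pathlib import Path

class ReferenceStore:
    """Registry of hashes of original (authentic) media files."""

    def __init__(self) -> None:
        self._known: dict[str, str] = {}  # content hash -> label/source

    @staticmethod
    def _digest(path: Path) -> str:
        return hashlib.sha256(path.read_bytes()).hexdigest()

    def register(self, path: Path, source: str) -> None:
        # Called when authentic content is first published or archived.
        self._known[self._digest(path)] = source

    def verify(self, path: Path) -> str | None:
        """Return the registered source if the file is byte-identical to an original, else None."""
        return self._known.get(self._digest(path))
```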
Conclusion
While the development of AI systems offers major opportunities across many fields, it also creates significant risks in terms of personal data protection. The PDPL provides a legal framework for these technologies through its provisions on explicit consent, information obligations, and data security. However, unless an approach based not only on legal obligations but also on ethical principles is adopted, it will be difficult to ensure values such as trust, transparency, and accountability. AI developers and data controllers must base their processing of personal data not only on “compliance with the law” but also on an approach that “respects human dignity.”