Protection of Personal Data
Guidelines on the Cross-Border Transfer of Personal Data Published
Following the amendments to the Law on the Protection of Personal Data ("Law") including provisions on the cross-border transfer of personal data ("Amendments") adopted on March 12, 2024 and the Regulation on the Procedures and Principles Regarding the Cross-Border Transfer of Personal Data ("Regulation") published by the Personal Data Protection Authority ("Authority"), the Authority was expected to publish guidelines to address questions regarding the implementation of the Amendments. In this regard, the Authority published the Guidelines on the Cross-Border Transfer of Personal Data ("Guidelines") on its website on January 2, 2025. The Guidelines provide information on (i) the objective and grounds of the Amendments, (ii) which transfers are considered as cross-border data transfers under Article 9 of the Law, (iii) how the mechanisms stipulated for the cross-border transfer of personal data, in particular standard contractual clauses ("SCCs"), shall be implemented, and (iv) the occasional cases where the cross-border data transfer is permitted as per the Law, including various practical examples on the interpretation of the Amendments.
The highlights of the Guidelines under each heading are as follows:
- Objective and Grounds of the Amendments: The Guidelines indicate that the Amendments mainly aim to ensure harmonization with the European Union General Data Protection Regulation ("GDPR") with regard to processing personal data and pave the way for investments to be made in Türkiye by providing alternative mechanisms for the cross-border data transfer.
- Scope of the Cross-Border Data Transfers: The Guidelines state that for a personal data transfer to be qualified as a cross-border transfer under Article 9 of the Law, the following criteria must be met: (i) the data controller or data processor must be subject to the Law for the personal data processing activity in question; (ii) the personal data processed by the data exporter must be transferred or made accessible through another way; and (iii) the data controller or data processor to which the data is transferred must be located in a third country. Accordingly, the Guidelines clarify and confirm that cases where the data controller in the third country directly collects the personal data of data subjects in Türkiye – direct collection – are not considered as cross-border transfers of personal data under Article 9 of the Law.
- Transfers Based on Appropriate Safeguards: The Guidelines mostly reflect the provisions of the Law and the Regulation with respect to appropriate safeguards for cross-border data transfers. However, in addition to the provisions of the Law and the Regulation, the Guidelines provide guidance on the minimum content requirements for binding corporate rules and how annexes of the SCCs shall be filled out. Accordingly, the highlights in the Guidelines on appropriate safeguards are as follows:
- Binding Corporate Rules: The Guidelines provide information on the minimum content requirements for binding corporate rules and provide guidance on how the binding corporate rules application procedure should be followed, depending on whether the associated group is mainly resident in Türkiye. In addition, pursuant to the Guidelines, information on the contact person/unit to whom the Authority may reach out for questions about the application shall be provided in the binding corporate rules. For practical reasons, the Guidelines recommend that this be a person/unit residing in Türkiye.
- Standard Contractual Clauses: The Guidelines provide information on how to fill out the annexes of SCCs, whether SCCs can be issued in double columns, and official documents issued by foreign authorities that are submitted together with SCCs. Accordingly, when filling out the SCCs' annexes, the group or groups of data subjects to whom the transferred personal data relates must be specified. In addition, the Guidelines confirm that, provided that the Turkish version prevails, SCCs may be issued in both Turkish and a foreign language, in a dual-column format. Lastly, with regard to official documents issued by foreign authorities submitted together with SCCs, the Guidelines state that official documents issued in a country that is a party to the Convention Abolishing the Requirement of Legalisation for Foreign Public Documents must be apostilled before being submitted to the Authority. While the Guidelines provide useful guidance in terms of transfers that rely on SCCs, they do not address all problems and uncertainties experienced in practice, such as whether SCCs can be signed via e-signatures by companies located outside of Türkiye. Accordingly, the Authority is expected to address these uncertainties in future decisions.
- Occasional Transfers: The Guidelines emphasize that, for a personal data transfer to be considered occasional, it is necessary to consider whether the transfer falls within the ordinary course of business of the data exporter, irrespective of whether it is made one or more times. Accordingly, transfers made in the ordinary course of business are not considered as occasional transfers. In addition, the Guidelines state that explicit consent, which is one of the legal grounds provided under the Law for occasional transfers, may only be relied upon if the data subject is informed about the potential risks. In this regard, the information to be provided to the data subject must include the following: (i) explicit consent is a legal ground for the transfer; (ii) there is no adequacy decision published by the Authority regarding the country to which the data will be transferred; and (iii) the potential risks that may occur due to the transfer.
The Guidelines mainly address the problems experienced by data controllers and/or data processors in practice regarding the cross-border transfer of personal data and illustrate the regulations with practical examples. While the Authority's decisions will be influential in the future regarding how the transfer processes will progress after the Amendments, it is significant for data controllers and data processors to consider the explanations and information provided in the Guidelines in addition to the Law and the Regulation in terms of cross-border transfer activities.
You can access the Guidelines here (in Turkish). For detailed information on the Guidelines, you may access our legal bulletin here.
Guidelines on Good Practices in the Banking Sector on the Protection of Personal Data Updated
Amendments to the Law regarding the cross-border transfer of personal data and the processing of sensitive personal data entered into force on June 1, 2024. After the Amendments became effective, the Authority updated its Guidelines on Good Practices in the Banking Sector on the Protection of Personal Data ("Banking Guidelines") on January 8, 2025.
With the Amendments, the existing regime for the cross-border data transfer was changed, and new mechanisms, particularly SCCs, were stipulated. Further, alternative legal bases for the processing of sensitive personal data were introduced. In this regard, numerous companies, including those operating in the banking sector, were required to review their personal data processing activities. However, secondary regulations to be published by the Authority were expected, with respect to the uncertainties regarding the implementation of the Amendments. The updated Banking Guidelines include (i) the legal basis stipulated in the Law regarding the processing of sensitive personal data and (ii) the cross-border transfer mechanisms in line with the Amendments. However, the Banking Guidelines do not include any substantive revisions in terms of other guidance that banks should pay attention to in their personal data processing activities.
With the Amendments, for the first time in the Law, the notification to the Authority regarding the signing of the SCCs is deemed sufficient for cross-border transfers, which paved the way for a new mechanism that does not require the Authority's approval. In this regard, SCCs are expected to stand out among the cross-border transfer mechanisms stipulated under the Amendments and become the preferred transfer mechanism for many financial institutions. However, the confidentiality regulations under Banking Law No. 5411 ("Banking Law") are of a special nature compared to the provisions of the Law. In this regard, the cross-border transfer of information, including bank secrets and/or customer secrets, is not subject to the Amendments and must be carried out in accordance with Article 73 of the Banking Law and its secondary regulations.
You may access the updated Banking Guidelines here (in Turkish). For further information on the Amendments, you can visit our legal bulletin here.
Information Note on the Implementation of the Time-Related Aspects of the Amendments to the Data Protection Law Published
The Authority published the information note ("Information Note") on the implementation of the time-related aspects of the Amendments made to the Law on its website on December 19, 2024. The Information Note provides guidance on the implementation of the administrative penalties stipulated under the Law in terms of time-related aspects for violations concerning the processing of sensitive personal data and cross-border transfers following the Amendments that became effective as of June 1, 2024. Accordingly, (i) the status of the action (instantaneous and/or continuous) and the date of interruption, and (ii) the date of the decision of the Personal Data Protection Board ("Board") are significant for the implementation of administrative penalties.
Pursuant to the Information Note, to determine the administrative penalties to be imposed on an act, it is necessary to accurately determine the time when the action was committed. Accordingly, a distinction shall be made according to whether the action is instantaneous or continuous, and evaluations regarding the temporal rules of law should be considered in accordance with the general principles of criminal law. In this regard, pursuant to the Information Note, the interpretation should be made based on the moment when the action was performed in the case of an instantaneous act and the moment when the action was completed in the case of continuous actions.
The reference point to be considered regarding when the unlawful act occurred or ceased varies depending on whether the breach is related to the processing of sensitive personal data or to the cross-border data transfer. Accordingly, in the case of a breach of law regarding the processing of sensitive personal data, the effective date of the Amendments, June 1, 2024, should be considered, and in the case of a breach arising from the cross-border transfer of personal data, the last day of the transition period, September 1, 2024. Accordingly, if the date of interruption of the violating act is before the Amendments – provided that the relevant date is determined on a case-by-case basis as per the foregoing explanations – the favorable law will apply. However, if the action in question started before the Amendments and is still occurring, the new law will apply. In this framework, the Information Note provides a summary table on the applicable law regarding administrative penalties with respect to time-related aspects as follows:
| Status | Interruption/Completion Time of the Action | Date of Complaint | Applicable Law | Explanation |
| --- | --- | --- | --- | --- |
| The action was performed and completed before the Amendments. | Instantaneous action / interrupted continuous action (completed) | The complaint was filed before or after the Amendments. | The favorable law will apply. | For actions that took place and were completed before the Amendments, the timing of the complaint is irrelevant. Even if the Board's decision is rendered after the effective date of the Amendments, the favorable law will apply. |
| The action started before the Amendments and is ongoing. | Continuous action (ongoing) | The complaint was filed before the Amendments. | If the action was interrupted before the Amendments, the favorable law applies. If the action was interrupted after, or continues after, the Amendments, the new law will apply. | The action started before the Amendments but is still occurring, so the time of the interruption of the action is decisive. If the Board's decision is issued after the Amendments' effective date, the new law applies, as the action will be interrupted by the Board's decision. However, if the action was interrupted before the Amendments, the favorable law will apply. |
| The action started before the Amendments and is ongoing. | Continuous action (ongoing) | The complaint was filed after the Amendments. | If the action was interrupted after the Amendments, the new law will apply. | If the action is still occurring and the Board's decision is issued after the Amendments' effective date, the new law will apply, as the action will be interrupted by the Board's decision. |
| The action was performed after the Amendments. | — | — | The new law will apply. | For actions that occur after the Amendments, the new law will apply, as no question of application in terms of time arises. |
In light of the principle of legal certainty, the Information Note provides guidance on the problems experienced in practice regarding the application of administrative penalties in terms of time-related aspects after the Amendments became effective. To that end, it is important for stakeholders who wish to conduct a risk assessment of a company in terms of personal data processing activities to review the explanations in the Information Note, which sets forth a framework for the administrative penalties that may be imposed by the Authority on data controllers and data processors.
You may access the Information Note here (in Turkish).
New Decision Summaries Published
Last January, the Authority published two new decision summaries on its website regarding the processing of personal data and the technical and administrative measures taken by data controllers to ensure data security. The decision summaries are as follows:
Decision numbered 2024/1176 and dated July 18, 2024: In the decision, the data subject filed a complaint before the Authority against the data controller on the grounds that their personal data was unlawfully obtained and processed by manipulating their will during the establishment of an internet subscription. In its defense, the company that allegedly violated the Law claimed that it is the dealer of the parent company that concludes subscription agreements and that it is a data processor pursuant to the solution partnership agreement. The Board assessed that (i) the data subject was manipulated and did not give explicit consent to the processing of personal data, as they clearly stated that they did not want to be a subscriber of the brand in question; (ii) there is no doubt that the dealer company acts as a data controller, since the dealer company appears as the data controller in the privacy notice on the relevant websites and exceeds the instructions given by the parent company under the solution partnership agreement concluded between the parent company and the dealer company; and (iii) explicit consent cannot be relied upon by the data controller company, as it deceived the data subject by using images of another company in a misleading manner. In this regard, the Board concluded that the data controller had failed to fulfill its obligation to take the necessary technical and administrative measures to ensure the appropriate level of data security to prevent the unlawful processing of personal data, stipulated under Article 12/1(1) of the Law, and imposed an administrative fine of TRY 450,000 on the data controller. You may access the summary of the relevant decision here (in Turkish).
Decision numbered 2024/1385 and dated August 8, 2024: The Board decided that the data controller did not take appropriate technical and administrative measures to ensure data security as a result of a data breach notification submitted to the Authority by an e-commerce platform. The decision concerns a data controller company that operates an e-commerce platform where users acting as vendors can sell products. The breach occurred as a result of unauthorized access to some vendor accounts by unauthorized third person(s) who attempted to use the username and password information used by sellers on other platforms and channels at the seller portal of the data controller. The Board assessed that the data controller has failed to fulfill its obligations under Article 12/1 of the Law for the following reasons: (i) the security interface used by the data controller is insufficient as the application used by vendors to log on to the platform can be compromised by attackers; (ii) the one-time password system, which is activated when vendors log on to the portal for the first time or when they log on with an IP address different from their last IP address, was implemented after the breach, but the measures that should have been taken before the breach were not taken; (iii) the data controller was late in detecting the breach; and (iv) the two-factor authentication measure, which is a measure that can reduce the negative effects of the breach, was implemented after the breach. Accordingly, the Board decided to impose an administrative fine of TRY 3,250,000 on the data controller. You may access the summary of the relevant decision here (in Turkish).
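The two controls the Board weighed in decision 2024/1385 (a one-time password on a vendor's first login or on a login from a new IP address, and timely detection of account takeover attempts) can be expressed as a small login-risk policy. The following is an added illustration written for this bulletin, not code from the decision or from any platform; the account names, IP addresses, thresholds and the event log are constructed.

```python
"""Login risk policy illustrating the controls discussed in decision 2024/1385.

Added example; not code from the decision or from any real platform. Every
account name, IP address, timestamp and threshold below is constructed.

Two defender-side checks are modelled:
  1. Step-up: a successful login requires a one-time password (OTP) when it is
     the account's first login, when the source IP differs from the IP of the
     account's last successful login, or when the source IP is already flagged.
  2. Detection: an IP that produces failed logins against many distinct
     accounts inside a short window is flagged, the pattern left behind when
     credentials reused from other platforms are tried in bulk.
"""
from collections import defaultdict, deque
from dataclasses import dataclass, field


@dataclass
class LoginEvent:
    ts: int           # seconds since epoch (constructed)
    account: str
    ip: str
    success: bool


@dataclass
class LoginGuard:
    window: int = 300            # look-back window for failures, in seconds
    distinct_accounts: int = 5   # failures on this many accounts from one IP trips an alert
    last_ip: dict = field(default_factory=dict)                     # account -> last successful IP
    failures: dict = field(default_factory=lambda: defaultdict(deque))  # ip -> (ts, account) queue
    alerted: set = field(default_factory=set)                       # IPs flagged by the detector

    def needs_otp(self, account: str, ip: str) -> bool:
        """First login, changed IP, or flagged IP all require step-up."""
        prev = self.last_ip.get(account)
        return prev is None or prev != ip or ip in self.alerted

    def record(self, ev: LoginEvent):
        """Process one event; returns (otp_required, ip_is_alerted)."""
        otp = False
        if ev.success:
            otp = self.needs_otp(ev.account, ev.ip)
            self.last_ip[ev.account] = ev.ip
        else:
            q = self.failures[ev.ip]
            q.append((ev.ts, ev.account))
            # drop failures that fell out of the window
            while q and ev.ts - q[0][0] > self.window:
                q.popleft()
            if len({acct for _, acct in q}) >= self.distinct_accounts:
                self.alerted.add(ev.ip)
        return otp, ev.ip in self.alerted


def run(events, guard=None):
    """Replay a log; returns ([(account, ip, otp_required) for successes], sorted alerted IPs)."""
    guard = guard or LoginGuard()
    decisions = []
    for ev in events:
        otp, _ = guard.record(ev)
        if ev.success:
            decisions.append((ev.account, ev.ip, otp))
    return decisions, sorted(guard.alerted)


# Constructed sample log: a legitimate vendor, then one IP spraying reused
# credentials across five accounts, then a login from that same IP.
SAMPLE_EVENTS = [
    LoginEvent(0,   "vendor_a", "10.0.0.5",     True),   # first login -> OTP
    LoginEvent(100, "vendor_a", "10.0.0.5",     True),   # same IP -> no OTP
    LoginEvent(200, "vendor_a", "203.0.113.9",  True),   # new IP -> OTP
    LoginEvent(300, "vendor_c", "198.51.100.7", False),
    LoginEvent(310, "vendor_d", "198.51.100.7", False),
    LoginEvent(320, "vendor_e", "198.51.100.7", False),
    LoginEvent(330, "vendor_f", "198.51.100.7", False),
    LoginEvent(340, "vendor_g", "198.51.100.7", False),  # 5th distinct account -> alert
    LoginEvent(350, "vendor_b", "198.51.100.7", True),   # first login and flagged IP -> OTP
    LoginEvent(400, "vendor_b", "198.51.100.7", True),   # same IP, but flagged -> OTP
]


def run_sample():
    return run(SAMPLE_EVENTS)


if __name__ == "__main__":
    decisions, alerts = run_sample()
    for account, ip, otp in decisions:
        print(f"{account:9s} {ip:14s} otp_required={otp}")
    print("alerted IPs:", alerts)
```
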
Geographical Data
Amendments Introduced to the Law on Geographical Information Systems and Amendments to Certain Laws
Law No. 7534 on the Amendments to the Village Law and Certain Laws, which provides amendments ("Amendments to the Geographical Information Systems Law") to Law No. 7221 on Geographical Information Systems and Amendments to Certain Laws ("Geographical Information Systems Law"), was published in the Official Gazette on December 12, 2024. In our November 2023 DigiDiary issue, we reported that the provision of the Geographical Information Systems Law stipulating that license/permit obligations would be determined by the Ministry of Environment, Urbanization and Climate Change ("Ministry") was annulled by the Constitutional Court's decision dated May 18, 2023 and numbered 2023/99, and that the legal basis for the regulations determining the procedures and principles regarding the permit and license obligations had therefore ceased to exist. The Amendments to the Geographical Information Systems Law have been introduced to comply with the Constitutional Court's annulment decision and regulate the principles and procedures, as well as sanctions, concerning the permit obligation.
With the Amendments to the Geographical Information Systems Law, the distinction between permission and license in terms of real persons and private legal entities collecting, producing, sharing or selling geographical data, conducting data mining or generating new data is removed, and all applications will be considered as permit applications before the Ministry. In this regard, persons who process geographical data in commercial operations and generate income in this way are required to apply for a permit. The noteworthy points among the regulations introduced by the Amendments to the Geographical Information Systems Law are as follows:
- Validity Period of the Permit: The Amendments to the Geographical Information Systems Law stipulate that the permit's validity period will be no less than one year and no more than five years and will be approved by the Ministry on a yearly basis upon the permit applicant's request. The commencement date of the permit will be considered as the date of the application's approval by the Ministry.
- Calculation of the Permit Fee: When calculating the permit fee, the distinction between foreign and domestic persons is preserved, and the calculation of the fee will be based on the date of application, on the condition that the application documents are fully provided. For Turkish operators, the permit fee will be calculated by multiplying the coefficients set out for differing criteria provided in the table annexed to the Geographical Information Systems Law by the permit coefficient fee, which is set at TRY 1,750 in the Amendments to the Geographical Information Systems Law and will be updated annually by the revaluation rate. Accordingly, based on the published revaluation rate, the permit coefficient fee will be TRY 2,519 for the year 2025.
- Sanctions in the Case of Activities Without a Permit: If it is found that the geographic data permit has not been obtained, the relevant person/legal entity will be given 15 days from the date of notification to apply for a permit. Administrative fines will be applied for persons who do not apply within this period. A distinction is made between Turkish and foreign persons in terms of the amount of the administrative fines. Accordingly, the amount of the administrative fine is stipulated as the highest permit fee for one year for Turkish persons and twice the cost of the annual permit fee for foreign persons.
- Status of Applications Prior to the Amendments to the Law: Provisional Article 1 of the Geographical Information Systems Law states that permits and licenses issued prior to the Amendments to the Geographical Information Systems Law are valid until their expiry date. However, applications that have not yet been approved will be deemed invalid.
The hesitation experienced in the sector in terms of geographic data processing operations following the Constitutional Court's annulment decision is anticipated to end following the Amendments to the Geographical Information Systems Law, and the Ministry's operations regarding geographic data processes are expected to increase. In this regard, reviewing the Amendments to the Geographical Information Systems Law and taking the necessary actions are of significance for actors who are required to obtain a permit.
You may access the Amendments to the Geographical Information Systems Law here (in Turkish).
Cybersecurity
New Developments in Cybersecurity
Increasing cyber threats in recent years require countries to include cybersecurity measures in their national security strategies. To that end, several steps have been taken to ensure cybersecurity in Türkiye in recent months. Accordingly, with Presidential Decree No. 177 on the Cybersecurity Presidency ("Presidential Decree") published in the Official Gazette dated January 8, 2025, and numbered 32776, the Cybersecurity Presidency ("Cybersecurity Presidency") was established. Pursuant to the Presidential Decree, which regulates the procedures and principles regarding the authorities and responsibilities of the Cybersecurity Presidency, the Cybersecurity Presidency has duties such as conducting cybersecurity-related studies and projects, conducting vulnerability assessments, carrying out legislative efforts, ensuring coordination in cybersecurity activities, establishing emergency plans, conducting R&D and performing technology transfers in areas where cybersecurity is critical.
Following the Presidential Decree's publication, the Draft Law on Cybersecurity ("Draft Law"), which aims to establish regulations to protect public institutions and organizations against cyberattacks and establish strategies and policies to strengthen the country's cybersecurity posture, was submitted to the Grand National Assembly of Türkiye on January 10, 2025. Similar to the Presidential Decree, the Draft Law also includes provisions on the duties, authorities and responsibilities of the Cybersecurity Presidency. In addition to the Cybersecurity Presidency, the Draft Law envisages the establishment of the Cybersecurity Board ("Cybersecurity Board"), consisting of the President of the Republic of Türkiye, the Vice President, the President of Cybersecurity and various ministers and heads of public institutions. Accordingly, the Cybersecurity Board has the following duties: (i) to take decisions on regulatory efforts, such as action plans and policies related to cybersecurity; (ii) to take decisions on the implementation of the technology road map drafted by the Cybersecurity Presidency; (iii) to identify critical infrastructure sectors and decide on primary areas to be incentivized in the field of cybersecurity; and (iv) to take decisions on disputes that may arise between the Cybersecurity Presidency and public institutions and organizations. Another striking point in the Draft Law text is the regulation of the duties and responsibilities of those who are covered by the relevant legislation and who provide services, collect data, process data and carry out similar activities using information systems in relation to cybersecurity.
Accordingly, these real and legal persons shall be liable for the following: (i) submitting the information and documents requested by the Cybersecurity Presidency; (ii) taking the measures stipulated by the legislation and reporting vulnerabilities or cyber incidents to the Cybersecurity Presidency; (iii) procuring cybersecurity products, systems and services to be used in critical infrastructures from cybersecurity experts and companies authorized and certified by the Cybersecurity Presidency; (iv) obtaining the approval of the Cybersecurity Presidency within the scope of the existing regulations before starting operations by cybersecurity companies subject to certification, authorization or documentation; and (v) fulfilling the matters set forth in documents such as policies, strategies and action plans determined by the Cybersecurity Presidency.
The Draft Law differentiates between the severity of cybersecurity offenses to establish effective sanction mechanisms. It proposes imprisonment for certain offenses, such as cyberattacks, leaking of personal or corporate data, and dissemination of leaked data. Conversely, administrative fines will be imposed for other less severe actions, such as failing to implement measures required by legislation and not conducting audit activities.
The establishment of the Cybersecurity Presidency and the legislative activities conducted in the field of cybersecurity underscore Türkiye's objective of creating a robust framework for cybersecurity. Accordingly, in the coming periods, it is anticipated that the implementation of the new structure in the field of cybersecurity will take shape, and the legal framework will be clarified.
You may access the Presidential Decree here (in Turkish), and the Draft Law here (in Turkish).
World News
Cyber Resilience Act Published in the European Union Official Gazette
In the DigiDiary published in November 2024, we reported that the Council of the European Union adopted the Cyber Resilience Act ("Cyber Resilience Act"), on October 10, 2024. The Cyber Resilience Act aims to bring hardware and software products to the market with fewer vulnerabilities and imposes various requirements on a wide range of stakeholders in the digital ecosystem to ensure the security of products containing digital elements. Subsequently, the Cyber Resilience Act was signed by the Council of the European Union and the European Parliament and published in the Official Gazette of the European Union on November 20, 2024. According to the final version published in the Official Gazette of the European Union, the Cyber Resilience Act will enter into force gradually, starting from December 10, 2024, and will become effective with all its provisions as of December 11, 2027.
The Cyber Resilience Act classifies products with significant digital elements through a risk-based approach and imposes various requirements on actors involved in the production, design or development of those products according to their classification. As part of these requirements, products containing digital elements must now carry the "CE" marking when they enter the European Union market, which indicates that these products comply with the standards set forth in the Cyber Resilience Act. The requirements that relevant actors must fulfill to obtain the "CE" marking are as follows:
- The product to be introduced to the market shall be classified in accordance with the regulation and assessed for compliance with the regulations stipulated under the Cyber Resilience Act (conformity assessment).
- Following this assessment, a certification of the technical specifications of the relevant product will be provided. The documents to be prepared must include details on the design, development, production, possible vulnerabilities and risk assessment of the product.
- Following the conformity assessment and the preparation of the necessary technical documentation, the relevant actors are required to sign a declaration of conformity with the European Union on the product containing digital elements. Details on how to complete the declaration of conformity are included in the annex to the Cyber Resilience Act. By signing the declaration of conformity, the relevant stakeholders shall be deemed to have full responsibility for the product's compliance with the applicable regulations.
According to the final version of the text published in the Official Gazette of the European Union, starting from December 11, 2027, products containing digital elements that lack the CE marking will be prohibited from entering the European Union market. This makes obtaining the CE marking critical for manufacturers intending to operate within the European Union. In this regard, actors are required to complete conformity assessments on the products they intend to bring to the European Union market by June 11, 2026. They must also complete the technical documentation, which will include the product's possible security vulnerabilities, by September 11, 2026.
For detailed information on the Cyber Resilience Act, you may access the DigiDiary issue published in November here, and the finalized text published in the Official Journal of the European Union here.
European Data Protection Board Issues Opinion Concerning the Use of Personal Data in the Development and Deployment of Artificial Intelligence Models
The European Data Protection Board published Opinion No. 28/2024 on the Use of Personal Data in the Development and Deployment of Artificial Intelligence Models ("Opinion") on December 18, 2024. The Opinion primarily answers the Irish Data Protection Authority's questions regarding (i) when and under which conditions an artificial intelligence model can be considered anonymous, (ii) whether legitimate interest can be relied upon as the legal basis for personal data processing activities carried out during the development and use of an artificial intelligence model, and (iii) actions to be taken in the event of unlawful processing of personal data during the development of an artificial intelligence model. The key explanations under these headings are as follows:
- Deeming the artificial intelligence model anonymous: The Opinion recommends that data protection authorities make a case-by-case assessment of when and under which circumstances an artificial intelligence model should be deemed anonymous. Accordingly, for an artificial intelligence model to be considered anonymous, (i) the persons whose personal data was processed during the development of the artificial intelligence model must not be directly or indirectly identifiable from the model, and (ii) it must not be possible to extract such data through queries made to the relevant artificial intelligence model. The Opinion also includes a non-exhaustive list of methods that artificial intelligence model developers can use to demonstrate that the relevant artificial intelligence model is anonymous.
- Relying on legitimate interest in data processing activities carried out for the development and deployment of artificial intelligence models: Pursuant to the Opinion, developers of artificial intelligence models can carry out data processing based on their legitimate interests in the development of the relevant artificial intelligence model. Moreover, the Opinion indicates that a three-phase balancing test must be applied to rely on a legitimate interest lawfully. Accordingly, it is necessary to assess (i) the existence of a legitimate interest, (ii) whether the data processing is necessary to achieve such interest, and (iii) whether the relevant interest overrides the fundamental rights and freedoms of data subjects. In addition, to mitigate the adverse impact of data processing on individuals, data controllers are expected to enhance the transparency of processing, take necessary technical and administrative measures or use methods that enable individuals to exercise their rights effectively.
- Unlawful processing of personal data during the development of an artificial intelligence model: The Opinion also provides guidance on possible actions that can be taken by data protection authorities and data controllers where an artificial intelligence model has been developed with unlawfully processed personal data. Accordingly, data protection authorities, which are expected to conduct a case-by-case assessment, may instruct data controllers to remedy such unlawfulness before the artificial intelligence model is deployed. For instance, such unlawfulness may be remedied by the anonymization or deletion of the personal data used by the data controllers. Pursuant to the Opinion, failure to remedy the unlawfulness during the model's development phase will directly affect the lawful implementation/deployment of the artificial intelligence model.
The increasing use of artificial intelligence models and the interaction of generative artificial intelligence models with personal data in certain scenarios require data controllers to carry out personal data processing activities lawfully during the development and deployment of these models. In this framework, it is important for artificial intelligence model developers to consider the assessments and guidance provided in the Opinion when shaping their data processing processes.
You may access the Opinion published by the European Data Protection Board here.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.