With the advancement of artificial intelligence technologies, the emergence of new risks—particularly in relation to the protection of personal data—has increased the need for concrete guidance for developers, manufacturers, and service providers in this field. Due to the current gaps in legislation, relevant public institutions and authorities have been publishing various proposals, decisions, and recommendations on the subject.
The Personal Data Protection Authority ("Authority") closely follows developments in artificial intelligence and has been actively working in this field. In this context, the Authority had previously shared a set of recommendations titled "Recommendations on the Protection of Personal Data in the Field of Artificial Intelligence" on February 11, 2025, via its social media accounts. Subsequently, on July 11, 2025, the Authority shared a new announcement titled "Recommendations on the Protection of Personal Data in the Field of Artificial Intelligence" with the public via its social media accounts.
These recommendations serve as a guide for developers, producers, and service providers to ensure the protection of personal data during the development and implementation of AI systems.
The key points highlighted in the Authority's statement are as follows:
- In the design process, an approach that places personal data privacy at its core should be pursued, in consistency with national and international regulations and/or relevant instruments.
- A precautionary approach based on appropriate risk prevention and mitigation measures should be taken, considering potential adverse effects on fundamental rights and freedoms.
- At every stage of data processing, including data collection, the risk of discrimination or other adverse effects and biases against data subjects should be prevented by considering fundamental rights and freedoms.
- The quality, nature, source, amount, category, and content of the personal data used should be assessed, and a data minimization approach should be followed; the accuracy of the developed model should be continuously monitored.
- Algorithmic models detached from context should be carefully evaluated due to their potential to cause negative impacts on individuals and society.
- Academic institutions that can contribute to the design of human rights-based, ethical, and socially oriented artificial intelligence applications, as well as the identification of potential biases, should be engaged; in areas where transparency and stakeholder participation may be challenging, the opinions of impartial experts and organizations should be sought.
- Individuals should be granted the right to object to processing activities based on technologies that affect their opinions or personal development.
- Considering the capacity of AI systems to analyse and use personal data, data subjects' rights arising from national and international legislation must be protected during personal data processing.
- Risk assessments based on the active participation of individuals and groups who are likely to be particularly affected by the application should be encouraged.
- Products and services should be designed in a way that ensures individuals are not subjected to decisions based solely on automated processing that significantly affects them, especially without considering their own views.
- Alternative solutions that interfere less with personal rights should also be offered during production, and users' freedom to make informed choices must be safeguarded.
- Algorithms that ensure accountability for all stakeholders in terms of compliance with personal data protection laws should be adopted from the design phase and throughout the product or service lifecycle.
- Users must be granted the right to stop data processing activities, and it should be possible to design mechanisms that allow the deletion, destruction, or anonymization of users' data.
- Individuals interacting with the application should be informed about the reasons for the processing of personal data, the details of the methods used in such processing, and the potential consequences; furthermore, an effective consent mechanism for data processing should be designed where necessary.
The Authority's recommendations aim to promote the adoption of an approach that prioritizes individual rights in the personal data processing activities of artificial intelligence systems. In this regard, it is of great importance that developers and service providers act in accordance with these recommendations during the design of their products and services, in order to fulfil their legal and ethical obligations. This can only be achieved if developers and users, when employing AI-supported model-based tools in their products and services, are able to identify and assess the presence and impact of such tools at the design stage, test the processes and outcomes of the models, transparently share the effects and results of the AI applications with users, implement necessary oversight mechanisms throughout all stages, and fully comply with their obligation to inform data subjects accordingly.
Special thanks to İsmail Arslan for his contributions.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
