ARTICLE
6 July 2026

EU AI Law Comes Into Force On August 2nd: How Will This Law Affect Turkey?

E
Egemenoglu

Contributor

Egemenoglu is one of the largest full-service law firms in Turkey, advising market-leading clients since 1968. Egemenoğlu who is proud to hold many national and international clients from different sectors, is appreciated by both his clients and the Turkish legal market with his fast, practical, rigorous and solution-oriented work in a wide range of fields of expertise. Egemenoğlu has been considered worthy of various rankings by the world’s most leading and esteemed rating institutions and legal guides. We have been ranked as Recognized in “Project and Finance” and “Mergers and Acquisitions” areas by IFLR 1000. We also take place among the top- tier law firms of Turkey at the rankings of Legal 500, at which world’s best law firms are regarded, in “Employment Law” and “Real Estate / Construction” areas. Also our firm is regarded as significant by Chambers& Partners in “Employment Law” area as well.
The European Union’s (“EU”) Artificial Intelligence Act No. 2024/1689 (Regulation (EU) 2024/1689) was published in the Official Journal of the European Union on 12 July 2024.
European Union Technology
Ecem Kuş’s articles from Egemenoglu are most popular:
  • in European Union
  • in European Union
  • with readers working within the Media & Information industries
Egemenoglu are most popular:
  • within Technology and Privacy topic(s)

The European Union’s (“EU”) Artificial Intelligence Act No. 2024/1689 (Regulation (EU) 2024/1689) was published in the Official Journal of the European Union on 12 July 2024.The Act introduces a risk-based and comprehensive compliance framework for artificial intelligence systems. Its general application date is 2 August 2026. From that date, significant obligations will apply, particularly for high-risk AI systems. The Act may also affect providers and deployers established outside the EU, including in Türkiye, where the output of their AI systems is used in the EU. For this reason, companies in Türkiye should assess AI use together with personal data protection and cross-border data transfer requirements.

I. The EU AI Act: Key Obligations Applying from 2 August 2026

The EU AI Act follows a phased implementation timeline. Provisions on prohibited AI practices and AI literacy have applied since 2 February 2025. Governance rules and obligations for general-purpose AI models have applied since 2 August 2025. 2 August 2026 is the key date for many high-risk AI systems under Annex III and for transparency obligations. AI systems used in areas such as biometrics, critical infrastructure, education, employment, access to essential services, law enforcement, migration and border control, justice and democratic processes will be subject to requirements on risk management, data governance, technical documentation, record-keeping, transparency, human oversight and cybersecurity. EU law may provide longer transition periods for certain categories of high-risk systems.

II. EU Enforcement Regime: Financial Consequences of Non-Compliance

The Act provides for significant administrative fines. Violations of prohibited AI practices may result in fines of up to EUR 35 million or 7% of annual worldwide turnover. Non-compliance with obligations for high-risk AI systems may result in fines of up to EUR 15 million or 3% of turnover. Providing incorrect, incomplete or misleading information may result in fines of up to EUR 7.5 million or 1% of turnover. In each case, the higher amount applies. A separate enforcement regime may also apply to general-purpose AI models through the European Commission. These amounts exceed the penalty scale under the General Data Protection Regulation (GDPR).

III. Türkiye’s AI Regulatory Framework: Current Landscape

Türkiye’s regulatory framework for AI is developing rapidly. The AI Research Commission established within the Turkish Grand National Assembly (“TBMM”) has completed its work, and several legislative proposals on the safe, ethical and fair use of AI systems have been brought to the parliamentary agenda. The draft law submitted on 23 July 2025 proposes amendments on liability arising from AI, personal data protection, deepfake content, cybersecurity and administrative sanctions. The proposal is still in the legislative process.

Institutional structures are also being strengthened. Presidential decrees dated 25 December 2025 established the National Technology and AI General Directorate under the Ministry of Industry and Technology and expanded the duties of the Presidential Cybersecurity Directorate in relation to digital government, AI in the public sector and data governance. The Personal Data Protection Authority (Authority) published the “Generative AI and Personal Data Protection Guide” in 2025 and the “Use of Generative AI Tools in the Workplace” document in 2026. These developments show that AI use should be treated not only as a technology issue but also as a data protection, governance and compliance issue.

IV. Cross-Border Data Transfer Risks in the Use of Artificial Intelligence

Many generative AI tools used in daily business operations rely on servers, subprocessors or support teams located abroad. For this reason, entering employee information, customer data, contracts, litigation files, tender documents or trade secrets into tools such as ChatGPT, Copilot, Gemini or similar platforms may create a cross-border personal data transfer risk, depending on the specific use case. Even if data is only displayed, accessed for technical support or processed on the platform to generate an output, the process should be assessed under the Turkish Personal Data Protection Law No. 6698 (KVKK).

This is where the risk of “Shadow AI” arises. Shadow AI refers to employees using AI tools outside the company’s policy, approval or supervision. Without a clear policy and oversight mechanism, employees may unknowingly transfer personal data to platforms located abroad. If the cross-border transfer requirements under Article 9 of the KVKK are not met, this may lead to administrative fines, data breach notifications, reputational harm and compensation claims. A data controller’s statement that it was not aware of such use may not, by itself, remove liability.

V. Priority Action Steps for Companies

  • An AI usage policy should be adopted: The company should clearly define which AI tools may be used, for which purposes and which data must not be entered into such tools. The policy should be communicated to all employees and its implementation should be monitored regularly.
  • An AI system inventory should be prepared: All AI systems used by the company, procured from suppliers or provided to third parties should be listed. For each system, the purpose, data categories, business unit, supplier and risk level should be identified.
  • Cross-border data transfer processes should be reviewed: Data flows created through AI tools should be mapped, and it should be assessed whether standard contracts, binding corporate rules, explicit consent or another legal mechanism is required.
  • Privacy notices and consent processes should be updated: Where personal data is processed through AI systems, this activity should be reflected in privacy notices. Automated decision-making processes should be explained clearly and explicit consent should be obtained where required.
  • Human oversight should be ensured for automated decisions: In processes such as recruitment, performance evaluation, credit scoring or risk analysis, companies should not rely solely on AI outputs. Human control should be established so that the decision can be understood and, where necessary, challenged or corrected.
  • Data security measures should be strengthened: Technical and organisational measures such as access limitations, log management, penetration testing, data masking, anonymisation and synthetic data use should be implemented. Sensitive or confidential data should not be entered into public platforms.
  • VERBIS records should be reviewed: Personal data categories, recipient groups and cross-border transfer processes related to AI systems should be reflected in the Data Controllers Registry Information System (“VERBIS”) records.
  • Employee awareness training should be provided: Employees should know which data must not be entered into AI tools, the privacy and cross-border transfer risks, the company policy and the notification process to be followed in case of an incident.
  • Supplier and data processor agreements should be reviewed: Agreements with AI service providers should clearly regulate controller/processor roles, data security obligations, subprocessor use, data retention periods and cross-border transfer provisions.

VI. KVKK Administrative Fines and the Board’s Current Approach

Administrative fines regulated under Article 18 of the Turkish Personal Data Protection Law are updated annually in line with the revaluation rate. As of 2026, these fines range from TRY 85,437 to TRY 17,092,242, depending on the type of violation. Failure to fulfil the obligation to inform, failure to take necessary data security measures, non-compliance with decisions of the Personal Data Protection Board (the “Board”), and breach of the obligation to register with the Data Controllers Registry may each be subject to separate administrative fines.

In this context, uncontrolled personal data processing activities carried out through artificial intelligence systems may not be limited to a single area of risk. For example, employees uploading personal data to artificial intelligence tools without anonymising the data or carrying out the necessary checks may simultaneously give rise to multiple violations under the Turkish Personal Data Protection Law, such as insufficient fulfilment of the obligation to inform, unlawful cross-border data transfers and inadequate data security measures.

The Board’s decisions on cross-border data transfers and data security also show that data controllers may be held responsible for data processing activities that occur without their knowledge or are not subject to sufficient oversight. Therefore, it is important for companies to manage the use of artificial intelligence tools through written policies, technical controls and employee awareness training. Otherwise, the consequences may not be limited to administrative fines; erosion of customer trust, disclosure of trade secrets, reputational damage and compensation claims may also arise.

VII. Conclusion

2 August 2026 is a critical compliance threshold not only for companies operating in the European Union, but also for companies in Türkiye whose artificial intelligence system outputs are used in the European Union. Considering the extraterritorial effect of the EU AI Act, the ongoing regulatory initiatives in Türkiye, the guidelines issued by the Personal Data Protection Authority and the obligations under the Turkish Personal Data Protection Law, it is no longer safe for companies to manage their use of artificial intelligence with a “wait and see” approach.

Therefore, companies should identify the artificial intelligence tools they use, map their data flows, review their cross-border transfer mechanisms, train their employees and manage the use of artificial intelligence through written policies. Otherwise, in addition to administrative fines, serious risks such as data breaches, reputational damage, disclosure of trade secrets and compensation claims may arise.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

See More Popular Content From

Mondaq uses cookies on this website. By using our website you agree to our use of cookies as set out in our Privacy Policy.

Learn More