- with Inhouse Counsel
- with readers working within the Advertising & Public Relations industries
April 2026 – March 2026 was a particularly active month for technology law in Türkiye, with a strong focus on artificial intelligence developments. The Turkish Personal Data Protection Authority (the “DPA”) issued two guidance documents on AI, while the Grand National Assembly of Türkiye published its long-awaited AI Research Commission Report. In parallel, the DPA released several principle decisions addressing key data protection issues, reinforcing its regulatory expectations.
AI in Focus: Key Developments in Türkiye
1. AI Takes Centre Stage: Parliamentary Report Published
The Turkish Parliament’s AI Research Commission Report (the “Report”) sets out key policy recommendations for the development of the AI ecosystem in Türkiye.
The Report adopts a comprehensive approach, addressing data privacy, ethics and transparency, accountability and governance mechanisms and provides a high-level framework relevant for both public and private sector stakeholders.
Key points from the Report include:
- AI development should be supported by clear governance and regulatory frameworks;
- data protection must remain central to AI adoption and deployment;
- ethical principles, transparency, and accountability should be embedded in AI systems.
2. Shadow AI on the Rise: Workplace Guidance
On 5 March 2026, the DPA published guidance on the use of generative AI tools in the workplace, focusing on employee use of third-party tools. The guidance reflects the DPA’s expectations and aims to raise awareness of emerging risks.
A key concept highlighted in this guidance is “Shadow AI”: the use of AI tools by employees without organisational oversight. Although these tools may enhance efficiency, the DPA warns of significant risks, including unauthorised data sharing, personal data breaches, exposure of trade secrets and IP, and reliance on inaccurate or biased outputs.
The DPA clarifies that the Turkish Personal Data Protection Law (“DP Law”) applies fully to AI-related processing activities and recommends a governance-based approach rather than a blanket prohibition. In this context, organisations are encouraged to:
- establish clear internal policies on AI use;
- limit the sharing of personal and sensitive data;
- ensure employee awareness and appropriate human oversight.
3. Agentic AI: New Risks, New Considerations
The DPA has also published guidance on agentic AI, highlighting a new generation of AI systems capable of independently carrying out multi-step tasks.
Unlike conventional AI tools that mainly generate content or respond to user instructions, agentic AI systems can analyse information, make intermediate decisions, and coordinate a series of actions with limited human intervention. In practice, this may include systems that manage workflows, organise schedules, compare travel options, or analyse financial data to generate tailored outputs.
Against this background, the DPA highlights key considerations from the personal data protection perspective, including the characteristics of such systems, their potential use cases, and the risks they may create, particularly given their autonomous, multi-layered, and evolving nature.
DPA Principle Decisions
1. Clear Separation Required: Privacy Notices & Explicit Consent
On 24 March 2026, the DPA published Principle Decision No. 2026/347 clarifying that privacy notices and explicit consent texts must be separate. The decision reiterates that:
- the obligation to inform is independent and must be fulfilled before data processing;
- consent should only be requested where it is actually required;
- privacy notices and consent texts must be clearly distinguishable;
- “bundled” consent (e.g.. I have read and accept) is not valid;
- privacy notices must be clear, specific, and tailored to the relevant processing activities.
Public Disclosure Not Allowed: Posting Residents’ Debt Information
On 31 March 2026, the DPA published Principle Decision No. 2026/348 addressing the practice of displaying residents’ debt information in shared areas of buildings such as entrances, elevators, and corridors.
The DPA acknowledged that certain processing activities in residential complexes may rely on legal grounds under the Turkish Condominium Law. However, it made clear that publicly displaying residents’ names, apartment numbers, and debt information in shared areas does not comply with the DP Law.
The DPA stated that, where residents need to be informed, more proportionate and secure methods should be used, such as restricted email groups, messaging channels, or dedicated applications.
DPA Event Highlights
DPA Event: 10 Years of Turkish Personal Data Protection Law
To mark the tenth anniversary of the entry into force of the Turkish Personal Data Protection Law, the DPA organised the event “10 Years of Data Protection: Future Perspective in Light of the GDPR”. The event focused on the future of the DP Law in the context of GDPR alignment, sanction regimes, and AI-related data processing risks.
Data Breach Notification
The DPA’s data breach notifications published for March 2026 may be accessed from this link.
Notably, a significant number of the incidents published this month relate to the healthcare sector, indicating the DPA’s continued focus on personal data security in health-related processing activities.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
[View Source]
