An HR team adopted a generative AI tool to speed up a pile of applications: the tool scanned résumés, scored candidates, and automatically rejected the lowest. Efficiency went up, until a rejected candidate wrote to ask, “did an algorithm reject me, and what’s the reasoning?” The company had neither an explanation of how the decision was made nor a human who could re-examine it. The problem wasn’t using the tool; it was failing to notice that using the tool carried a legal responsibility with it.
Generative AI has quietly embedded itself in most company processes: marketing copy, customer support, code, hiring, analysis. But from a KVKK standpoint the core principle is simple, and unchanged: AI is a tool; you are the controller responsible for the personal data processed with it. On 24 November 2025, the Personal Data Protection Authority published its “Generative AI and the Protection of Personal Data Guide,” making its expectations concrete. In this piece, we build the framework a company needs to use generative AI in line with KVKK.
Core Principle: The Tool Is Automatic, the Responsibility Is Yours
The moment you give a generative AI tool customer data, employee data, or candidate data, you are carrying out personal data processing, and the controller responsible for it is the one using the tool, not the one providing it. The provider is at most a data processor acting on your instructions, and that does not shift the controller’s responsibility. A “the tool’s fault” defense therefore doesn’t hold against KVKK: both the algorithm’s output and the data you feed it are your responsibility.
Every Processing Needs a Lawful Basis
For each personal data processing carried out with generative AI, you must rely on at least one of the limited conditions in KVKK art. 5 (general data) or art. 6 (special-category data). “We use the tool, it was convenient” is not a lawful basis. The practical question is: do I have explicit consent, a contractual necessity, a legal obligation, or a legitimate interest for putting this data into this tool, and can I document it? Note that for special-category data such as health or union membership, legitimate interest is not available; art. 6 lists its own, narrower conditions.
Solely-Automated Decisions and the Right to Object
This is the heart of the opening example. Under KVKK art. 11(1)(g), a data subject has the right to object to a result produced against them by analysing their data solely through automated systems. In practice this creates three obligations: the person must be able to request a human re-examination of the decision, the logic behind the decision must be explainable, and the person must be told this right exists. In other words, you cannot leave hiring, credit, or pricing decisions entirely to the machine without a human review path behind them.
Human-in-the-Loop Is No Longer Optional
The Board’s stance is clear: decisions with significant consequences must involve meaningful human intervention. The word “meaningful” is critical: a human who can actually evaluate and change the decision, not one who rubber-stamps it. For applications involving large-scale processing, automated decision-making, or special-category data, the Board’s 2021 AI Recommendations strongly advise carrying out a privacy impact assessment (a DPIA, in GDPR terms) before the tool goes live.
Silent Risks: Data Leakage and Training Data
Two further risks escape the notice of most companies. First: customer data pasted into a public AI tool may be transferred to that tool’s infrastructure, often abroad, which triggers the separate cross-border transfer rules in KVKK art. 9. Second: whether the data you supply is used to train the model, and for how long prompts and outputs are retained. For corporate use, choosing tools that contractually exclude training and have clear data-processing, retention, and sub-processor terms is a decision to make upfront, and to confirm in the contract rather than on the marketing page.
A Checklist for In-House Generative AI Use
A minimum framework so your teams can use AI safely:
- Usage policy — define in writing which tools may be used with which data; set clear rules for personal/special-category data.
- Lawful-basis mapping — tie each AI-assisted process to a processing condition under arts. 5/6, and document it.
- Human intervention — establish meaningful human review/approval for significant decisions.
- Transparency — explain AI processing and automated decision-making in your privacy notices; handle data-subject requests, including the right to object, within the statutory timeframe.
- Tool selection — prefer corporate tools that contractually exclude training and whose processing, retention, and transfer regime can be documented.
- DPIA where high-risk — run a privacy impact assessment for large-scale/automated/special-category processing, before deployment rather than after.
Don’t Ban AI — Frame It
Banning generative AI is neither possible nor wise; your teams are already using it. The right approach is to make that use visible and governed, rather than hidden and ungoverned. KVKK is not a wall in front of AI; it’s a guide to using it responsibly. You are the one using the tool, so you are responsible both for its output and for building its framework.
Is your team using AI? Let’s frame that use in line with KVKK. Schedule a call →
Frequently Asked Questions
Who is responsible when using an AI tool?
You, the data controller — not the tool provider. Both the output and the data you feed it are your responsibility.
Can I leave a hiring decision entirely to AI?
No. Against solely-automated decisions, the data subject has the right to object and to request human review (art. 11(1)(g)).
Are there extra obligations if I also sell into the EU?
Yes; the EU AI Act adds separate duties, starting with classifying the system by risk. Recruitment and candidate-evaluation tools like the one in the opening example are listed as high-risk in Annex III, which brings technical documentation, human-oversight and conformity-assessment requirements on top of KVKK.
Sources
- KVKK — Generative AI and the Protection of Personal Data Guide (15 Questions, 24.11.2025): https://www.kvkk.gov.tr/Icerik/8547/uretken-yapay-zeka-ve-kisisel-verilerin-korunmasi-rehberi-15-soruda
- KVKK — Recommendations on the Protection of Personal Data in the Field of AI (2021): https://www.kvkk.gov.tr/Icerik/7048/Yapay-Zeka-Alaninda-Kisisel-Verilerin-Korunmasina-Dair-Tavsiyeler
- Law No. 6698 on the Protection of Personal Data (arts. 5, 6, 11): https://www.mevzuat.gov.tr/mevzuatmetin/1.5.6698.pdf
This article is for general information only and does not constitute legal advice. For a specific situation, please consult Vircon Legal.
Author
Mümtaz is the Managing Partner of Vircon Legal, which he founded in 2016. He advises founders, investors and operators on financing rounds, M&A, cross-border incorporations and regulated verticals — including crypto-asset infrastructure, fintech and games — bringing a former startup founder's perspective to every engagement.