
You Are the Assistant: Generative AI at Work and KVKK


An HR team adopted a generative AI tool to speed up a pile of applications: the tool scanned résumés, scored candidates, and automatically rejected the lowest. Efficiency went up — until a rejected candidate wrote to ask, “did an algorithm reject me, and what’s the reasoning?” The company had neither an explanation of how the decision was made nor a human to re-examine the process. The problem wasn’t using the tool; it was failing to notice that the tool carried a responsibility.

Generative AI has quietly embedded itself in most company processes: marketing copy, customer support, code, hiring, analysis. But from a KVKK standpoint the core principle is simple, and unchanged: AI is a tool; you are the controller responsible for the personal data processed with it. On 24 November 2025, the Personal Data Protection Authority published its “Generative AI and the Protection of Personal Data Guide,” making its expectations concrete. In this piece, we build the framework a company needs to use generative AI in line with KVKK.

Core Principle: The Tool Is Automatic, the Responsibility Is Yours

The moment you give a generative AI tool customer data, employee data, or candidate data, you are carrying out personal data processing — and the controller responsible is the one using the tool, not the one providing it. This means a “the tool’s fault” defense doesn’t hold against KVKK. Both the algorithm’s output and the data you feed it are your responsibility.

Every Processing Activity Needs a Lawful Basis

For each personal data processing activity carried out with generative AI, you must rely on at least one of the limited conditions in KVKK art. 5 (general data) or art. 6 (special-category data). “We use the tool, it was convenient” is not a lawful basis. The practical question is: do I have explicit consent, a contractual necessity, or a legitimate interest for putting this data into this tool — and can I document it?

Solely-Automated Decisions and the Right to Object

This is the heart of the opening example. Under KVKK art. 11(1)(g), a data subject has the right to object to decisions producing an adverse result against them that are reached solely by automated processing. This creates three practical obligations: the person must be able to request a human re-examination of the process, the logic behind the decision must be explainable, and the person must be told this right exists. In other words, you cannot leave hiring, credit, or pricing decisions entirely to the machine.

Human-in-the-Loop Is No Longer Optional

The Board’s stance is clear: decisions with significant consequences must involve meaningful human intervention. The word “meaningful” is critical — a human who can actually evaluate and change the decision, not one who rubber-stamps it. For applications involving large-scale processing, automated decision-making, or special-category data, the Board’s 2021 AI Recommendations strongly advise carrying out a privacy impact assessment (DPIA).

Silent Risks: Data Leakage and Training Data

Two further risks escape most companies. First: customer data pasted into a public AI tool may be transferred to that tool’s infrastructure — often abroad — creating a separate transfer obligation. Second: the question of whether the data you supply is used to train the model. For corporate use, choosing tools that exclude training and have clear data-processing terms is a decision to make upfront.

A Checklist for In-House Generative AI Use

A minimum framework so your teams can use AI safely:

  • Usage policy — define in writing which tools may be used with which data; set clear rules for personal/special-category data.
  • Lawful-basis mapping — tie each AI-assisted process to a processing condition under arts. 5/6, and document it.
  • Human intervention — establish meaningful human review/approval for significant decisions.
  • Transparency — explain AI processing and automated decision-making in your privacy notices; honor the right to object and to request.
  • Tool selection — prefer corporate tools that exclude training and whose processing and transfer regime can be documented.
  • DPIA where high-risk — run a privacy impact assessment for large-scale/automated/special-category processing.

Don’t Ban AI — Frame It

Banning generative AI is neither possible nor wise; your teams are already using it. The right approach is to make use visible and framed, rather than hidden and ungoverned. KVKK is not a wall in front of AI; it’s a guide to using it responsibly. You are the one using the tool — so you are responsible both for its output and for building its framework.



Frequently Asked Questions

Who is responsible when using an AI tool?
You, the data controller — not the tool provider. Both the output and the data you feed it are your responsibility.

Can I leave a hiring decision entirely to AI?
No. Against solely-automated decisions, the data subject has the right to object and to request human review (art. 11(1)(g)).

Are there extra obligations if I also sell into the EU?
Yes; the EU AI Act adds separate duties such as a risk class and a compliance file.

Sources

  • KVKK — Generative AI and the Protection of Personal Data Guide (15 Questions, 24.11.2025): https://www.kvkk.gov.tr/Icerik/8547/uretken-yapay-zeka-ve-kisisel-verilerin-korunmasi-rehberi-15-soruda
  • KVKK — Recommendations on the Protection of Personal Data in the Field of AI (2021): https://www.kvkk.gov.tr/Icerik/7048/Yapay-Zeka-Alaninda-Kisisel-Verilerin-Korunmasina-Dair-Tavsiyeler
  • Law No. 6698 on the Protection of Personal Data (arts. 5, 6, 11): https://www.mevzuat.gov.tr/mevzuatmetin/1.5.6698.pdf

This article is for general information only and does not constitute legal advice. For a specific situation, please consult Vircon Legal.

Author

  • Erdem Mümtaz Hacıpaşaoğlu

    Mümtaz is the Managing Partner of Vircon Legal, which he founded in 2016. He advises founders, investors and operators on financing rounds, M&A, cross-border incorporations and regulated verticals — including crypto-asset infrastructure, fintech and games — bringing a former startup founder's perspective to every engagement.

Published: 1 July 2026 · last updated: 26 June 2026