Last review date: 31 December 2024
Yes
The restrictions or requirements are as follows:
- qualified right not to be subject to a decision based solely on automated decision making, including profiling – for example, only applicable if the decision produces legal effects concerning them or similarly significantly affects them
- other
Data subjects have the right to object to any decision that is based solely on automated processing and is detrimental to themselves as specified under article 11 of the Data Protection Law. However, Article 28 (2) of the Data Protection Law outlines certain exceptions to this right. These exceptions include cases where the processing of personal data is necessary for the prevention of crime or criminal investigation, when the data subjects themselves has made their personal data publicly available, when the processing is required for supervisory or regulatory duties, and when the processing of personal data is necessary for the protection of the economic and financial interests of the state in relation to budget, tax and financial matters. Therefore, since the Data Protection Law specifies how the right of the data subject will be restricted, data subjects' right to object to any decision that is based solely on automated processing and is detrimental to themselves is a qualified right.
In addition, in several decisions and in the Guideline on Use of Cookies, the Authority underlined that the explicit consents of the data subjects must be obtained for the cookies used for profiling purposes.
Moreover, The Guidelines on Protection of Personal Data in the Banking Sector, published by the Authority on 5 August 2022, provide certain guidance on the use of automated decision-making systems in banking sector. The guideline indicates that artificial intelligence and automatic decision-making mechanisms can be used within the scope of segmentation of customer groups to serve products for customer's specific needs; identification of products that are on the interest of the customers and processing activities as part of strategical purposes. The guideline further provides certain rules for the use of automated systems;
- An evaluation must be made with respect to each processing activity. If a processing activity/method (such as anonymization) results in less interference with the rights of data subjects, such methods must be used.
- The type, amount, and source of the personal data must be assessed and excessive processing must be prevented. As part of this, models imitating the real personal data can be used. Risk analysis must also be carried out.
Anonymization or pseudonymization should be used. Even in cases where anonymization is used, utmost care must still be shown to protect the integrity of the information.
Last review date: 31 December 2024
N/A
Last review date: 31 December 2024
Yes
1- On 15 September 2021, the Authority published Recommendations on the Protection of Personal Data in the Field of Artificial Intelligence (“AI Recommendations“). The AI Recommendations consists of three sections: (i) general recommendations; (ii) recommendations for developers, manufacturers and service providers; and (iii) recommendations for decision-makers.
On 8 November 2024, the Authority published the Information Note on Chatbots (ChatGPT Example) ("Information Note"). Similar to the AI Recommendations, the Information Note stipulates issues to be taken into consideration by chatbot developers.
The main recommendations from the AI Recommendations and Information Note are as follows:
i. General recommendations
AI applications should be developed in accordance with data protection principles and a data protection compliance program should be implemented for each project. If data processing is not necessary for the AI practice, data anonymization should be preferred.
ii. Recommendations for developers, manufacturers and service providers
The quality, nature, quantity, category and content of the data used should be evaluated and accordingly, data usage should be minimized by developers, manufacturers and service providers. The accuracy of the developed AI model should be checked regularly.
Moreover, the rights of the data subjects with respect to their personal data within the scope of national and international legislation should be protected. In line with this recommendation, users should be given the right to terminate the data processing activity. Moreover, systems that allow deletion, destruction and anonymization of data should be used. Data processing consent mechanism should be established, if necessary.
Additionally, the principle of lawful processing of personal data and accountability should be always prioritized. Risk assessment should be carried out before processing personal data. The legal grounds stipulated for processing personal data should be respected and the notice requirement should be fulfilled.
Finally, necessary technical and administrative measures should be implemented, including,:
- Ensuring compliance with internationally recognized standards in order to protect privacy at every stage of processing,
- Ensuring the data security during transfers,
- Carrying out an age determination/verification process for children, and
- Taking a proactive approach, in particular, for the protection of minors.
iii. Recommendations for decision makers:
The principle of accountability, codes of conduct, certification mechanisms and similar measures should be established. More significantly, the role of human intervention in the AI decision-making processes should be determined. Users should be given the chance to distrust the outcomes of recommendations made by AI.
You may access the Recommendations here (in Turkish).
2- On 25 June 2024, the Artificial Intelligence Bill (“Bill”) was submitted to the Grand National Assembly of Türkiye. The Bill includes parallel provisions Artificial Intelligence Act in the EU (“AI Act”). Accordingly, the Bill aims to ensure safe, ethical and fair use of AI technology and the protection of personal data, imposes certain obligations on the providers, sellers, users, importers and distributors of AI systems. There is no risk categorization in the bill, as there is in the AI Act. Instead, the Bill, envisages a superficial risk assessment during the development and use of AI systems.