Legal AlertThe Personal Data Protection Authority published an Information Note on Chat Robots (Chat GPT Example).

10 January 2025

An Information Note on Chat Robots (Chat GPT Example) was published on the website of the Personal Data Protection Authority (“Authority”) dated on 08.11.2024.

In the information note published due to being subject to the Law No. 6698 on the Protection of Personal Data (“Law No. 6698”) in cases where personal data is processed, including applications using artificial intelligence systems with the development of technological developments and personal data processing tools, the definition of chat robots, personal data processed with artificial intelligence chat robots, evaluation in terms of the security of personal data and explanations on what to consider when developing chat robot applications are included.

In the published information note, a Chatbot is defined as “a software that simulates human conversation with the end user, trying to fulfill the tasks/directions given to it by the user through an interface”. In particular, the fact that artificial intelligence chatbots have a continuous learning and development process with the knowledge gained from previous interactions with users distinguishes them from other chatbots.

In the information note, the personal data that is mainly processed when using Artificial Intelligence chatbots is listed as follows;

  • Account information when you create an account, including your name, contact details, account credentials, payment card details and transaction history,
  • Content information included in inputs, file uploads or feedback provided when apps are used,
  • Content and contact information of the messages sent,
  • Social media information selected to be provided when communicating with social media pages,
  • The Internet protocol (IP) address, browser type and settings, access times, and the type of computer or mobile device that the browser or device automatically sends,
  • Cookie information and other personal data provided by individuals (text content, speech and voice data, etc.).

It has been emphasized that the first issue to be considered in artificial intelligence chatbots in terms of personal data security is “Transparency”. Such applications should be careful to provide sufficient information on how and for what purposes the data they process is used, with whom it will be shared, which data will be stored for how long, the identity of the data controller and its representative, if any, and the rights of the person concerned, so that the relevant persons can control their personal data.

In addition, it is stated that problems arising from lack of user awareness, such as users sharing information at a level that could put their privacy at risk (oversharing, etc.), should be prevented.

The information note lists the points to consider when developing chatbot applications as follows:

  • A risk assessment should be made before starting to process personal data.
  • The principle of accountability must be followed when creating applications.
  • Personal data processing activities must be carried out in accordance with the general principles set out in personal data protection legislation.
  • Personal data must be processed in accordance with Articles 5 and 6 of the Law No. 6698.
  • If personal data is processed, the legal basis for this must be clearly stated.
  • Within the framework of Article 10 of the Law No. 6698, data controllers must fulfill their obligation to inform when obtaining personal data.
  • Necessary technical and administrative measures should be taken regarding personal data security. In this context; It is important that such applications that involve personal data processing activities comply with certain internationally accepted standards in order to protect privacy and ensure data security, that they have certificates, and that privacy and default privacy approaches are taken into consideration at every stage of the application development process from the beginning. In data communication, secure methods should be preferred for the transmission of inputs such as text, sound, speech and images to the environments where they will be hosted.
  • Developers, manufacturers, service providers and decision makers operating in the field of artificial intelligence should pay attention to the recommendations set by the Turkish Personal Data Protection Board.
  • As a data controller or data processor, the obligations under the personal data protection legislation must be fulfilled.
  • Age determination for children must be done accurately and reliably.
  • In particular, a proactive approach should be adopted to prevent children from having negative experiences.

You may access the full text of The Information Note on Chat Robots (Chat GPT Example)  from the link below.

KİŞİSEL VERİLERİ KORUMA KURUMU | KVKK | Sohbet Robotları (ChatGPT Örneği) Hakkında Bilgi Notu

For detailed information and professional support during the compliance process, feel free to contact us.

This Legal Alert has been prepared for general information purposes only on current legal issues, and the evaluations contained in this Legal Alert do not constitute legal advice or a legal opinion. It is not possible to impose any liability on SRP-Legal Law Office due to the content of this Legal Alert. It is recommended to obtain the opinion of a legal advisor regarding your questions and enquires within the scope of this Legal Alert.