Announcement of the Personal Data Protection Authority Titled “Use of Generative Artificial Intelligence Tools in Workplaces” Has Been Published

On 05.03.2026, the Personal Data Protection Authority (“Authority”) published a document titled “Use of Generative Artificial Intelligence Tools in Workplaces.” The document aims to raise awareness particularly regarding the use of generative artificial intelligence tools offered by third parties and publicly accessible in workplaces, to identify potential risks, and to highlight responsible use approaches from the perspective of institutions.

The document emphasizes that although the increasing use of generative artificial intelligence tools in business processes provides efficiency, certain considerations should be taken into account in terms of personal data protection, information security, and corporate risk management. In this context, the key points highlighted are summarized below:

• The use of generative artificial intelligence tools in workplaces by employees without any corporate policy or guidance is characterized as “Shadow AI,” and may give rise to various risks with respect to data security, auditability, and legal compliance.
• Within the scope of shadow artificial intelligence use, the sharing of corporate data, internal correspondence, customer information, trade secrets, or information constituting personal data with third-party platforms may lead to risks such as data breaches, violations of intellectual property rights, and loss of corporate reputation.
• When using generative artificial intelligence tools, it is recommended that obligations arising under the protection of personal data be fulfilled and that the use of anonymized or generalized data be preferred as much as possible.
• It is recommended that institutions and organizations establish a clear corporate policy regarding the use of generative artificial intelligence tools, carry out awareness and training activities for employees, and manage access to these tools within certain rules.
• It is emphasized that outputs generated by generative artificial intelligence tools should not be relied upon absolutely, and that human supervision and evaluation over these outputs should be maintained.