The Personal Data Protection Authority (“Authority”) published an informational document on 05.03.2026 regarding the use of generative artificial intelligence tools in workplaces. The document aims to raise awareness among institutions and employees about the risks that may arise from the use of artificial intelligence tools in corporate environments, particularly those provided by third-party providers and publicly accessible.

While the Authority acknowledges that these tools may enhance efficiency in business processes, it draws attention to the fact that uncontrolled use may create various risks in terms of personal data protection, information security, and corporate compliance. In particular, the use of artificial intelligence tools by employees without any corporate policy or guidance is defined as “Shadow AI,” and it is stated that this situation may entail risks such as the transfer of corporate data to third-party platforms. In this context, the sharing of customer data, internal correspondence, or information constituting trade secrets with such systems may lead to consequences such as data breaches, intellectual property issues, and reputational damage.

The document also states that, when using generative artificial intelligence tools, information containing personal data should be processed in anonymized or generalized form as much as possible. Institutions and organizations are advised to establish clear rules regarding the use of these tools, conduct training and awareness activities for employees, and manage access within the framework of certain control mechanisms. In addition, it is emphasized that the accuracy of content generated by artificial intelligence should always be evaluated through human oversight.

Best Regards,

DT Law