Information Note on Chat Robots (ChatGPT Example) Published by Turkish Data Protection Authority

Data Protection Law

Turkish Data Protection Authority (“Authority”) published the Information Note on Chat Robots (ChatGPT Example) (“Information Note”) on its official website on 8.11.2024.

According to the Information Note:

  • A chatbot can be defined as software that tries to fulfil the tasks / instructions given to it by the user through an interface, simulating human conversation with the end user. Users can communicate with the chatbot by voice, in writing, or through other methods. When the user communicates with the chatbot, the chatbot needs to understand the inputs given by the user.
  • Artificial intelligence chatbots generally utilise natural language processing (NLP) technology and its sub-branches, natural language understanding (NLU) and natural language generation (NLG). Artificial intelligence-supported systems inherently require diverse and large amounts of data in order to operate at optimum performance.
  • In this context, although the data processed may differ depending on the place and purpose of the application, it can be processed for many purposes such as providing, managing, maintaining and/or analysing services, providing a better user experience, improving services, communicating with users, ensuring the security of information technology systems, developing new programs and services, fulfilling legal obligations and protecting the legitimate interests of data controllers.
  • In terms of personal data security, transparency is one of the issues to be considered in artificial intelligence chatbots. To ensure that data subjects have control over their personal data, consideration should be given to whether such applications can provide sufficient information on matters such as how and for what purposes the processed data is used, with whom it will be shared, which data will be stored and for how long, the identity of the data controller and its representative, if any, and the rights of the data subject.
  • While developing chatbot applications:
      1. A risk assessment should be made before starting to process personal data,
      2. The principle of accountability should be respected while creating applications,
      3. Personal data processing activities should be carried out in accordance with the general principles set out in the personal data protection legislation,
      4. Personal data must be processed in accordance with Articles 5 and 6 of the Law No. 6698 on the Protection of Personal Data,
      5. If personal data is processed, the legal basis for this should be clearly stated,
      6. Within the framework of Article 10 of the Law No. 6698 on the Protection of Personal Data, data controllers must fulfil the obligation to inform during the acquisition of personal data,
      7. Necessary technical and administrative measures regarding personal data security should be taken.

You can access the full text of the Information Note (in Turkish) here.

Kind Regards,

Zumbul Attorneys-at-Law

info@zumbul.av.tr