Use of Generative Artificial Intelligence Tools in the Workplace: Recommendations from Data Protection Perspective

1- Introduction

On 5 March 2026, the Turkish Personal Data Protection Authority (“Authority”) shared with the public its recommendations regarding the use of generative artificial intelligence systems in business life under the title “Use of Generative Artificial Intelligence Tools in the Workplace”.

The Authority defines “Generative Artificial Intelligence” (GenAI) as artificial intelligence (AI) systems trained on large-scale datasets that are capable of generating content in different formats such as text, images, video, audio, or software code in response to prompts or commands provided by the user. Examples of GenAI use in business life include drafting emails and text documents, summarizing documents, and creating meeting notes. The ease of use and the ability to generate outputs in a short time make these tools attractive to employees. However, the Authority has observed that the use of these tools generally does not take place within a clearly defined institutional strategy and is instead shaped mostly by the individual preferences of employees.

2- The Phenomenon of “Shadow AI” and Lack of Oversight

The concept of “Shadow AI” refers to situations where GenAI tools are used by employees without the knowledge, approval, or institutional control of the organization. The Authority compares this situation to the “Shadow IT” practices known in the literature. Unlike Shadow IT, typified by employees using personal cloud accounts to access corporate data from outside the organization, Shadow AI carries risks of much broader scope because it can directly affect data processing, content generation, and decision-making mechanisms. The resulting loss of visibility makes it more difficult to assess regulatory compliance and to carry out incident response.

3- Key Legal, Operational and Cybersecurity Risks

The Authority lists the potential areas of violation that may arise from uncontrolled use of GenAI as follows:

  • Personal Data Breaches: Sharing personal data through tools outside institutional control increases the risk of data breaches and may make such data accessible to unauthorized persons. In particular, personal data entered in prompts may later be reflected in generated outputs, which constitutes a serious security concern. On this point, the Authority recommends that data controllers take into consideration its previously published document “Generative Artificial Intelligence and the Protection of Personal Data Guide (in 15 Questions)”.
  • Disclosure of Intellectual Property and Trade Secrets: Sharing source code, product designs, or business strategies through external GenAI tools may infringe intellectual property rights and may result in such information being used in third parties’ model development processes.
  • Decision Quality and Automation Bias: The tendency of users to accept outputs produced by automated systems as correct without questioning them is referred to in the literature as “automation bias”. In addition, GenAI tools may generate incorrect content that does not reflect reality (hallucinations), which can cause errors in business processes and damage corporate reputation.
  • Auditability and Cybersecurity: Because it is difficult to identify afterwards which outputs were generated by GenAI tools, accountability is undermined. Moreover, insecure application interfaces expand the organization’s cyber attack surface.

4- Insufficiency of Prohibitive Approaches and Corporate Policies

It is emphasized that completely banning the use of GenAI tools will not produce realistic outcomes and may even encourage uncontrolled use. Instead, a clear corporate policy setting out the conditions of use should be established. As a concrete illustration of such a policy, the Authority states that certain uses, such as the linguistic correction of texts or the summarizing of general content available on the internet, may be permitted, whereas sharing sensitive information such as customer files, human resources data, or internal correspondence through GenAI tools should under no circumstances be considered appropriate.

5- Data Minimization and Access Control Measures

The Authority also recommends operational measures for data controllers:

  • Abstraction and Anonymization: Prompts to GenAI tools should use anonymized or abstract wording rather than naming specific persons, dates, or locations.
  • Caution with Sensitive Data: A much more cautious approach should be adopted for data relating to health, finance, and legal processes.
  • Access Restrictions: It is recommended that access to external platforms be restricted at the network level, that such tools be used only through corporate devices, and that role-based approaches be implemented.
  • Feedback Mechanisms: Mechanisms should be established through which employees can share the issues they encounter, and areas for improvement should be identified.
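The abstraction measure and the caution with sensitive data described above can be enforced by a pre-filter in front of the GenAI tool rather than left to each employee's judgement. The following Python script is an added example written for this page; it is not code from the Authority's document. It assumes a constructed employee directory and a constructed sample prompt, and uses deliberately simple regular expressions for e-mail addresses, dates, phone numbers, IBANs and a few health-related phrases (a production filter would use a proper PII detector). Identifiers are replaced with numbered placeholders before the prompt leaves the organization and restored in the model's answer, so the external tool never sees the real values; prompts containing the finance or health indicators the policy treats as off-limits are rejected outright instead of rewritten.

```python
"""Prompt pre-filter: pseudonymize identifiers before a GenAI call and restore them afterwards."""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Identifier classes that are replaced by numbered placeholders and restored in the answer.
# The regexes are deliberately simple (an assumption made for this example); a production
# filter would use a proper PII detector.
REDACT_PATTERNS = {
    "EMAIL": re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+"),
    "DATE": re.compile(r"\b\d{1,2}[./]\d{1,2}[./]\d{4}\b"),
    "PHONE": re.compile(r"\+\d{2}[ \d]{9,14}\d"),
}

# Categories the policy refuses to send at all (finance, health): the prompt is rejected,
# not rewritten, because even a placeholder would reveal the context of the request.
BLOCK_PATTERNS = {
    "IBAN": re.compile(r"\b[A-Z]{2}\d{2}[A-Z0-9]{11,30}\b"),
    "HEALTH": re.compile(r"\b(?:diagnos\w*|sick leave|medical report)\b", re.IGNORECASE),
}

# Constructed employee directory; a real deployment would pull names from HR or the directory service.
KNOWN_NAMES = ("Ayşe Yılmaz", "Mehmet Demir")


@dataclass
class PromptFilter:
    known_names: tuple[str, ...] = ()
    _mapping: dict[str, str] = field(default_factory=dict)   # placeholder -> original value
    _counters: dict[str, int] = field(default_factory=dict)  # per-kind placeholder numbering

    def _placeholder(self, kind: str, original: str) -> str:
        # Reuse the placeholder for a repeated value so the model sees one consistent reference.
        for ph, orig in self._mapping.items():
            if orig == original and ph.startswith(f"[{kind}_"):
                return ph
        self._counters[kind] = self._counters.get(kind, 0) + 1
        ph = f"[{kind}_{self._counters[kind]}]"
        self._mapping[ph] = original
        return ph

    def check_policy(self, text: str) -> list[str]:
        """Return the blocked categories found in the prompt (an empty list means it may be sent)."""
        return [kind for kind, rx in BLOCK_PATTERNS.items() if rx.search(text)]

    def pseudonymize(self, text: str) -> str:
        """Replace identifiers with placeholders; raise if the prompt contains blocked categories."""
        blocked = self.check_policy(text)
        if blocked:
            raise ValueError(f"prompt rejected: contains {', '.join(blocked)} data")
        out = text
        for name in self.known_names:
            out = re.sub(re.escape(name), lambda m: self._placeholder("PERSON", m.group(0)), out)
        for kind, rx in REDACT_PATTERNS.items():
            out = rx.sub(lambda m, k=kind: self._placeholder(k, m.group(0)), out)
        return out

    def restore(self, model_output: str) -> str:
        """Put the original values back into the answer returned by the model."""
        out = model_output
        for ph, original in self._mapping.items():
            out = out.replace(ph, original)
        return out


# Constructed sample prompt and constructed model answer (no real people or accounts).
SAMPLE_PROMPT = (
    "Draft a reply to Ayşe Yılmaz (ayse.yilmaz@example.com, +90 532 000 00 00) confirming "
    "the meeting with Mehmet Demir on 12.03.2026; Ayşe Yılmaz asked for an agenda."
)
SAMPLE_ANSWER = "Dear [PERSON_1], I confirm the meeting with [PERSON_2] on [DATE_1]. Agenda attached."


def round_trip(prompt: str, answer: str, names: tuple[str, ...] = KNOWN_NAMES) -> tuple[str, str]:
    """Return (what leaves the organization, what the employee sees after restoration)."""
    f = PromptFilter(known_names=names)
    return f.pseudonymize(prompt), f.restore(answer)


if __name__ == "__main__":
    sent, seen = round_trip(SAMPLE_PROMPT, SAMPLE_ANSWER)
    print("sent to model :", sent)
    print("shown to user :", seen)
    print("policy check  :", PromptFilter().check_policy("Reconcile the transfer to TR330006100519786457841326"))
```

The placeholder mapping lives only on the corporate side, so the external tool receives “[PERSON_1] asked for an agenda” rather than the employee's name, while the person who wrote the prompt still gets a readable answer. The filter is one place to hang the role-based and device restrictions from the same list: the mapping table and the rejected-prompt log give the organization the visibility that Shadow AI otherwise removes.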

6- Conclusion and Assessment

The Authority’s document titled “Use of Generative Artificial Intelligence Tools in the Workplace” constitutes an important guide that delineates the boundaries of GenAI technology, which is rapidly becoming widespread in working life, and concretizes the associated risks. The document clearly demonstrates that rather than banning the use of artificial intelligence, it should be managed by integrating it into corporate risk management processes. In this context, it is essential for data controllers not to treat outputs generated by GenAI tools as the ultimate basis for decision-making and to place human oversight at the center. Adopting a holistic approach that takes risks into account will both sustain efficiency and contribute to the prevention of legal violations.