Current Regulations on Data Protection and Management in Artificial Intelligence Solutions
This blog post discusses the regulations currently in force on data security and management in artificial intelligence solutions. It explains the basics of GDPR, KVKK, and ISO/IEC 42001 and highlights why personal data protection, ethical AI management, and legal compliance processes are critical for organizations.

What is GDPR?
GDPR is the abbreviation of the term “General Data Protection Regulation.” It can be translated into Turkish as “Genel Veri Koruma Tüzüğü.” This regulation includes rules aimed at ensuring the processing and security of user data belonging to citizens of European Union (EU) member states. It entered into force on May 25, 2018. GDPR completely replaced the Data Protection Directive 95/46/EC, which had been in use since 1995.
GDPR is binding for all institutions, organizations, and enterprises operating within the borders of the EU. EU member states may apply stricter sanctions based on GDPR according to their own national laws. In this respect, GDPR is a fundamental regulation that includes the basic requirements and rules regarding the protection and processing of user data. The scope of GDPR covers personal user data such as name, address, identification number, location, IP address, internet data, biometric and physical appearance data (photos, etc.), race and origin information, and medical data.
GDPR sanctions apply to businesses that start operations or provide services within EU borders and process user data in doing so. Even if these services continue outside EU borders, GDPR compliance is still expected. User consent must be obtained before processing personal data, and the consent text must be clear and easy to understand. Users have the right to know which of their data will be processed, how, where, and for how long it will be stored. They also have the rights to access, update, restrict, and delete their data, and the right to be forgotten.
What is KVKK?
The “Law on the Protection of Personal Data,” dated 07.04.2016 and numbered 29677, was published in the Official Gazette and defines the procedures and principles that real and legal persons processing personal data in Turkey must comply with. This law applies to real persons whose data are processed and to real and legal persons who process these data fully or partially by automatic means or by non-automatic means provided that they are part of a data recording system. Today, it corresponds to GDPR, which is valid within the borders of the EU.
KVKK aims to raise awareness about data privacy and security and to ensure that data protection is adopted as an integral part of institutions and organizations. The fundamental principles within KVKK must be included in all activities and operations related to personal data processing, and these principles must be taken into consideration during execution. These principles can be stated as processing data in accordance with legal rules, processing data for specified purposes, ensuring data are accurate and up to date, storing the minimum necessary data, processing data in legally appropriate environments, and retaining them only for the required period. For more detailed information, you can review the relevant Official Gazette issue dated 07.04.2016 and numbered 29677.
What is ISO/IEC 42001?
ISO/IEC 42001 is an international standard that defines the requirements for AI producers to establish, implement, maintain, and continuously improve artificial intelligence management systems (AIMS - Artificial Intelligence Management System). It was first published in December 2023 by the International Organization for Standardization (ISO) under the name ISO/IEC 42001:2023.
ISO/IEC 42001 is the world’s first artificial intelligence management system standard, aiming to guide AI producers on ethical issues, transparency principles, and similar topics raised by artificial intelligence. As AI-related studies continue to advance rapidly, this standard is becoming increasingly important. It will serve as a guide for producers in the control and certification stages of AI systems. For more detailed information, the standard can be purchased from the ISO/IEC 42001:2023 web page.