GDPR Learning Hub


Processing of personal data in the development and use of artificial intelligence

There are several things companies need to consider when personal data is processed in the development and use of artificial intelligence. 

What is Artificial Intelligence (AI)?

Artificial intelligence (AI) is the ability of a machine to display human-like capabilities such as reasoning, planning and creativity, tasks that have previously required human intelligence. AI is not new; it has been used for a long time in fields such as medicine. What has changed is that it has become far more accessible, and today many people use AI models in their everyday lives. AI offers many advantages, but it also brings disadvantages and challenges. 


Definition of personal data

Any information that can be linked to a living natural person is personal data. It does not matter whether the link is direct, for example through a name or personal identification number, or indirect, for example through a combination of other data (so-called backdoor identification). A distinction is also drawn between personal data of an objective nature and personal data of a subjective, privacy-sensitive nature. Subjectively privacy-sensitive personal data is generally regarded as more important and is therefore subject to stricter rules. 

Examples of personal data

  • Name
  • Personal identification number
  • Phone number
  • Images and audio recordings where a person can be identified
  • Trackable cookies

The more important the personal data, the stricter the requirements

The more important the personal data, the stricter the requirements of the GDPR. Among other things, this affects the technical and organisational security measures the company must take to protect the data. Four groups of privacy-sensitive data are considered particularly important. One group is sensitive personal data (special categories of personal data), such as information about religion, political opinions and trade union membership, which is specifically regulated in Article 9 of the GDPR. Another group is subjectively privacy-sensitive personal data, such as credit card data. 

Different things to consider when processing personal data in the development and use of artificial intelligence

There are several things that can be important to consider when developing and using artificial intelligence in relation to the GDPR. 

The AI Act

The AI Act in the EU is a general regulation of artificial intelligence (AI) within the Union. The aim is to create a safe and ethically sustainable environment for innovation in the EU, while protecting citizens’ rights and freedoms. 

The AI Act entered into force in August 2024 and applies in stages: the prohibitions on unacceptable-risk systems applied first, and most of the remaining obligations apply from August 2026, with some high-risk rules following later. By 2026, therefore, the AI Act will in principle apply in its entirety.

Risk-based approach

The AI Act divides AI systems into four risk categories: unacceptable risk, high risk, limited risk and minimal risk. Where an AI system qualifies as unacceptable risk, it is prohibited. 

Unacceptable risk

AI systems that qualify as unacceptable risk under the AI Act are prohibited. There are, however, narrow exceptions, for example for certain law enforcement purposes such as real-time remote biometric identification in public spaces. An example of a prohibited practice is social scoring.

High risk

These AI systems can have a negative impact on the safety of people and society, or on people's fundamental rights; examples include AI used in recruitment or for assessing creditworthiness. Such systems must undergo a conformity assessment before they are placed on the market and must continue to be monitored throughout their life cycle.

Limited risk

So-called “generative AI”, for example ChatGPT, is in most cases classified as limited risk. Such systems must, among other things, meet transparency requirements (users must be told that they are interacting with an AI, and AI-generated content must be marked as such) and comply with EU copyright law. Note that powerful general-purpose models that can pose systemic risks are subject to additional obligations, including more extensive evaluation and risk mitigation.

Minimum risk

Unlike the other categories, AI systems with minimal risk are not subject to any mandatory requirements under the AI Act. Note, however, that other laws, including the GDPR, may still impose mandatory requirements.

Responsibility for personal data

The company that determines the purposes and means of the processing of personal data is the data controller. It decides why and how the processing takes place, but it does not necessarily have to be the company that performs the processing in practice. The performance of the processing can be entrusted to someone else, but the responsibility for it cannot. A company that processes personal data on behalf of another company is a data processor. 

Examples of roles in the development and use of AI models


Controller

A company buys a fully developed AI system that is not built for any specific purpose, and decides for itself what the system will be used for, i.e. the purpose of the processing. In this case the company is the data controller.


Processor

A company develops systems for other companies and is commissioned to develop an AI model. The company that orders the system determines the purpose of the processing and is therefore the data controller. The company that develops the AI system is a processor, since it processes personal data on behalf of someone else and according to their instructions. Note that if the developer uses the customer's data for its own purposes, for example to train its own models, it becomes a controller for that processing and needs its own legal basis.

Joint controllers

Two companies each want an AI system to streamline their work, but since this is expensive they choose to develop it together to share the costs. In other words, they cooperate to develop the system for a common purpose and jointly decide how it is done, which makes them joint controllers.

Fundamental data protection principles

Companies must always comply with the seven (7) fundamental data protection principles of the GDPR when processing personal data. Thus, if the development or use of an AI model involves the processing of personal data, the GDPR and the principles apply.  

Two principles that are difficult to follow when processing personal data in the development and use of artificial intelligence

Principle of purpose limitation

Companies may only process personal data for purposes that are specified, explicit and legitimate. If a company has collected personal data for one purpose and later wants to use the same data to develop an AI model, it can be difficult to meet the requirements of the purpose limitation principle. Such further processing may nevertheless be allowed if the new purpose is compatible with the original one, which must be assessed and documented before the data is reused.

Principle of data minimisation

Companies may not process more personal data than is necessary for the purpose of the processing. In machine learning, a model usually performs better the more data it has been trained on. This creates tension with the data minimisation principle, since there is a risk of processing more personal data than necessary in an attempt to achieve the best possible result.

Discriminatory algorithms

If an AI model is biased, it may discriminate against certain individuals or groups of people. This can be difficult to detect, so it is important to test the AI model continuously, both before deployment and during use, to make sure that it does not produce discriminatory outcomes.

Discriminatory algorithms are contrary to the principle of fairness

The principle of fairness means that the processing of personal data must be fair, equitable and reasonable, and also proportionate. Discriminatory processing is not fair processing and is therefore contrary to the principle of fairness. It is consequently important to take sufficient technical and organisational measures to ensure that algorithms do not discriminate. 
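One concrete technical measure is a recurring disparity check on the model's decisions per group. The following is an added example and not code from the page: it compares the share of positive decisions across a protected attribute and flags the model when the ratio between the lowest and highest rate drops below 0.8. The records, the "group" and "approved" field names and the 0.8 threshold (the so-called four-fifths rule, a common heuristic rather than a GDPR requirement) are assumptions.

```python
"""Group-level disparity check on model decisions (added illustration).

The records below are constructed: they stand in for the outputs of a
hypothetical loan-screening model, with a protected attribute ("group")
and the model's decision ("approved"). The 0.8 threshold is the
four-fifths rule, a widely used heuristic, not a legal requirement.
"""
from collections import defaultdict

# Constructed sample: group A is approved 8 times out of 10,
# group B only 4 times out of 10.
DECISIONS = (
    [{"group": "A", "approved": True} for _ in range(8)]
    + [{"group": "A", "approved": False} for _ in range(2)]
    + [{"group": "B", "approved": True} for _ in range(4)]
    + [{"group": "B", "approved": False} for _ in range(6)]
)


def selection_rates(records, group_key="group", decision_key="approved"):
    """Return {group: share of records with a positive decision}."""
    totals = defaultdict(int)
    positives = defaultdict(int)
    for record in records:
        group = record[group_key]
        totals[group] += 1
        if record[decision_key]:
            positives[group] += 1
    return {group: positives[group] / totals[group] for group in totals}


def disparate_impact(records, group_key="group", decision_key="approved"):
    """Ratio of the lowest to the highest group selection rate, in [0, 1].

    A ratio of 1.0 means every group is selected at the same rate.
    If no group is ever selected, all rates are 0 and there is no
    disparity to measure, so 1.0 is returned instead of dividing by zero.
    """
    rates = selection_rates(records, group_key, decision_key)
    highest = max(rates.values())
    if highest == 0:
        return 1.0
    return min(rates.values()) / highest


def passes_four_fifths(records, threshold=0.8, **kwargs):
    """True if the model clears the disparity threshold for this sample."""
    return disparate_impact(records, **kwargs) >= threshold


if __name__ == "__main__":
    for group, rate in sorted(selection_rates(DECISIONS).items()):
        print(f"group {group}: selection rate {rate:.2f}")
    print(f"disparate impact ratio: {disparate_impact(DECISIONS):.2f}")
    print("passes four-fifths rule:", passes_four_fifths(DECISIONS))
```

Run this over a fresh sample of real decisions at a fixed interval (and after every retraining), and treat a failing ratio as an incident to investigate rather than as a verdict: the check only shows that outcomes differ between groups, not why, and a model can discriminate through proxies even when the protected attribute itself is not a feature.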

Legal bases for the processing of personal data in the development and use of artificial intelligence

Each individual processing of personal data requires a legal basis in order to be permitted. The GDPR provides six (6) legal bases, but in practice only three of them are usually relevant for companies developing or using AI models. Which one is appropriate depends on the situation and circumstances. 

Here are three legal bases that may be appropriate to use in the development and use of AI models:


Consent

When developing an AI model, consent is often difficult to use as the legal basis. Consent must be freely given, specific, informed and unambiguous for each purpose, which is administratively burdensome when large volumes of data from many individuals are collected for training. Consent can also be withdrawn at any time, and it is hard to remove an individual's data from a model that has already been trained on it. The conditions are better when an already trained AI model is used, where the processing of each individual's data is more limited and specific.


Performance of a contract with the data subject

Companies may process the personal data that is necessary to conclude and perform a contract with the data subject. For example, an e-commerce seller needs to process customers' names and addresses in order to deliver the products. Contract is rarely a suitable legal basis for developing an AI model, since training the model is seldom necessary to perform a contract with any particular individual, but it is much more common when an already trained AI model is used to deliver a service the customer has asked for.


Legitimate interest

Legitimate interest is the most flexible legal basis and is frequently used by companies. To rely on it, the company must carry out and document a legitimate interest assessment in three steps: identify a legitimate interest, show that the processing is necessary to achieve it, and balance that interest against the interests, rights and freedoms of the data subjects, which must not override it. In some situations this legal basis may be available for the development and use of AI models, but not always.

Right to information

One of the rights that data subjects have under the GDPR is the right to information: they must be informed about the processing, including its purpose, the legal basis, who else has access to the personal data, how long it is stored and what rights the data subjects have. This information should be provided in a privacy notice, which the company should preferably publish on its official website.

Automated decision-making

If an AI model makes a decision about someone without any natural person being involved in the decision, and the decision produces legal effects for the person or similarly significantly affects them, it is a matter of automated decision-making. The GDPR contains special rules for such processing. As a main rule it is prohibited, but there are exceptions: it is permitted if the data subject gives explicit consent, if it is necessary for the performance of a contract with the data subject, or if it is authorised by Union or Member State law. 

Difficulty in achieving the information obligation under the GDPR in automated decision-making

Automated decision-making also brings an extra information duty: the data subject must be given meaningful information about the logic involved and the significance and envisaged consequences of the processing, which is hard to provide for a complex or opaque model. If a company wants to use an AI model to streamline its decision-making, it is therefore good if a human can be kept in the loop so that the rules on automated decision-making do not apply: a natural person ultimately makes the decision, with the AI tool as support. Note that the human involvement must be meaningful; a person who merely rubber-stamps the model's output does not take the processing outside the rules. 

Deep learning and machine learning

To create an AI model, the system is trained on data by means of an algorithm, and the result is a mathematical model. This mathematical model is what is referred to as the AI model. 

Machine learning

A system that can mimic human intelligence by learning from experience. In other words, a process by which a computer develops the ability to perform and adapt to a task from data, even though it has not been explicitly programmed for that task.

Deep learning

Deep learning is a form of machine learning in which the AI model is built as a layered artificial neural network, loosely inspired by the network of neurons in the human brain.

Training of AI models

An AI model needs training data in order to achieve good results. As a rule of thumb, more data gives better results, but this is not always the case: the data must above all be relevant to the task.

Since the GDPR requires that companies do not process more personal data than necessary for the purpose, it is important to analyse what training data the AI model actually needs before training starts. Where the data contains personal data, fields that do not contribute to the purpose should be left out, so that no more personal data than necessary is processed.
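The analysis above can be turned into an enforced preprocessing step rather than a one-off review. The following is an added example, not code from the page: it keeps only the fields an assumed purpose (churn prediction) needs, drops direct identifiers and replaces the customer identifier with a keyed pseudonym so that the training set can still be traced back for erasure requests without carrying the identifier itself. The record layout, the purpose allow-list, the identifier list and the demo secret are all assumptions. Note that pseudonymised data is still personal data under the GDPR; the secret must be stored separately from the training set and the step does not remove the need for a legal basis.

```python
"""Data-minimisation step before model training (added illustration).

The customer export below is constructed; the allow-list describes the
fields an assumed churn-prediction purpose needs. Fields outside it,
including direct identifiers and a special-category field, never reach
the training set.
"""
import hashlib
import hmac

# Fields the assumed purpose (churn prediction) actually needs.
ALLOWED_FIELDS = frozenset({"tenure_months", "monthly_spend", "support_tickets", "churned"})

# Direct identifiers that must never appear in a training set.
DIRECT_IDENTIFIERS = frozenset({"name", "personal_id", "email", "phone"})

# Demo secret for the keyed pseudonym; in production, keep it in a key
# store separate from the data and rotate it like any other secret.
DEMO_SECRET = b"constructed-demo-key-do-not-reuse"

# Constructed customer export; every value is made up.
RAW_RECORDS = [
    {"customer_id": "c-1001", "name": "Anna Example", "personal_id": "19800101-1234",
     "email": "anna@example.com", "phone": "+46700000001", "religion": "n/a",
     "tenure_months": 24, "monthly_spend": 49.0, "support_tickets": 1, "churned": False},
    {"customer_id": "c-1002", "name": "Bo Example", "personal_id": "19900202-5678",
     "email": "bo@example.com", "phone": "+46700000002", "religion": "n/a",
     "tenure_months": 3, "monthly_spend": 19.0, "support_tickets": 4, "churned": True},
]


def pseudonymise(value, secret):
    """Keyed, deterministic pseudonym (HMAC-SHA256, truncated to 16 hex chars)."""
    return hmac.new(secret, value.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def minimise(records, secret, allowed=ALLOWED_FIELDS, key_field="customer_id"):
    """Keep only allow-listed fields and replace the key with a pseudonym."""
    minimised = []
    for record in records:
        row = {field: record[field] for field in allowed if field in record}
        row["row_id"] = pseudonymise(record[key_field], secret)
        minimised.append(row)
    return minimised


def leaked_identifiers(records):
    """Names of direct-identifier fields still present in a dataset."""
    return sorted({field for record in records for field in record if field in DIRECT_IDENTIFIERS})


def assert_minimised(records, allowed=ALLOWED_FIELDS):
    """Fail loudly if anything outside the allow-list (plus row_id) slipped through."""
    extra = {field for record in records for field in record} - set(allowed) - {"row_id"}
    if extra:
        raise ValueError(f"training set contains non-allow-listed fields: {sorted(extra)}")
    return True


if __name__ == "__main__":
    training_set = minimise(RAW_RECORDS, DEMO_SECRET)
    assert_minimised(training_set)
    print("leaked identifiers:", leaked_identifiers(training_set))
    for row in training_set:
        print(row)
```

The `assert_minimised` gate is the part worth wiring into the training pipeline: an allow-list fails closed when a new column appears in the export, whereas a block-list of known identifiers silently lets new ones through. Because the pseudonym is keyed, a pseudonymised row can only be linked back to a customer by someone holding the secret, which is what makes it possible to honour an erasure request against the training set.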

Different training methods for AI models

There are different training methods for AI models. 


Supervised learning

The AI model is given labelled data so that it can learn to recognise the same thing on its own. For example, thousands of pictures labelled as boats, used to teach the model to recognise boats.


Unsupervised learning

The algorithm learns to find patterns without being given predetermined answers. In other words, unlabelled data is used to train the AI model.


Reinforcement learning

Actions are rewarded or penalised based on how well they lead to the desired outcome or goal. Through this feedback, reinforcement learning lets the AI model discover which actions lead to that outcome.


Semi-supervised learning

Semi-supervised learning combines supervised and unsupervised learning, typically by training on a small amount of labelled data together with a larger amount of unlabelled data.
