Artificial intelligence
Roles in the development and use of AI systems
It is important to analyse and clarify the roles in the development and use of AI systems.
Roles in the development and use of AI systems: Responsibility for personal data
There are different roles in the GDPR that a company can have when processing personal data.
The actual relationship determines the role and responsibilities of a company, not what is stated in the agreement. Therefore, it is important to regulate the relationship between the parties correctly in a contract.

Controller
The company that determines the means and purposes of the processing is the data controller. This entails a great responsibility for ensuring that the processing is carried out in accordance with the rules of the GDPR. The role is held by the company itself, not by an individual within the company. However, it can be an individual in some cases, for example if it is a sole trader. Private individuals and public bodies can also be data controllers.

Processor
A processor processes personal data on behalf of a controller, in accordance with the controller's instructions. It is always the controller of personal data that determines the purpose of the processing carried out by a personal data processor. One example is when a company hires an accounting firm to handle payroll and bookkeeping on behalf of the client company.

Joint controllers
It is possible for several actors to be joint controllers. In such cases, they jointly determine the purpose and means of the processing. It is therefore important to agree on how responsibility is divided between the parties, such as who will fulfil the rights of the data subjects and other obligations under the GDPR, so that none of these are accidentally missed.
Do data processing agreements have to be in writing?
Yes, data processing agreements must be in writing in order to be valid, as this is a formal requirement of Article 28 of the GDPR. In most cases, oral agreements are as valid as written agreements, but there are exceptions. In some cases, contracts must be in writing in order to be valid, if this is expressly stated in the legal text.
Examples of when companies can be controllers, processors and joint controllers
Businesses use a fully-developed AI system
A company uses a fully developed AI system to, for example, analyze customer feedback to improve its services/products. The AI system is not developed for any specific purpose; instead, the company using the system is allowed to decide the purpose itself. The system allows companies to make minor adjustments to adapt it to the company’s purpose.
Since it is the company itself that determines the purpose of the processing of personal data when using the AI system, it is the company that is the personal data controller. Please note that the company should choose an AI system that it can ensure complies with the rules of the GDPR.
Companies hire developers to create an AI model
A company wants to manage payroll with the help of an AI system to streamline work. The company therefore wants to develop its own AI system by using an external party. The company gives instructions on how the AI system should be developed, the purposes of the processing of personal data, how long the processing of personal data should take place, which personal data should be processed, etc. It is therefore the company that engages the developers, i.e. the principal, that is the controller for the processing.
The third party undertaking the contract, that is to say the contractor, carries out the processing of the personal data in the role of personal data processor, since the processing is carried out on behalf of the principal. The principal and the contractor must therefore enter into a written data processing agreement with each other before the processing begins.
Two companies develop an AI system together by hiring an external party
Two companies want to develop an AI system together to reduce the costs that developing it separately would entail. They determine the purpose together and make a joint analysis of the processing operations required for the AI model, how long the processing will last and the scope of the processing. However, only one company will train the AI model and access it for use, while the other company will only access it for use. This results in them being joint controllers.
Please note that it is not necessary for both parties to carry out the processing of personal data in practice in order to be joint controllers. It is sufficient that they affect the processing sufficiently or have an influence that is significant enough for it to be considered joint controllership under the GDPR.
Learn more
Automated decision-making
If an AI model is used to make a decision about a person, without any individual being involved in the decision-making process, it is an automated decision-making process. In such cases, special rules apply in the GDPR. According to the general rule, such processing is forbidden, but there are exceptions. Note that it is not a matter of automated decision-making if the AI model is used as an auxiliary tool and it is a natural person who ultimately makes the decision.