GDPR Learning Hub

Menu
  • Take quizzes
  • Download guides
  • Buy courses
  • Buy Templates
  • Website is under construction

Artificial intelligence

Use AI to make decisions about people

It is not uncommon to use AI to make decisions about people. In such cases, it may be an automatic decision-making process, which is regulated in particular by the GDPR. The general rule prohibits the processing of personal data by automated decision-making, but there are exceptions. 

Definition of automated decision-making

When a decision is taken without the involvement of any natural person, it is an automatic decision-making process. It is not automated decision-making if a person uses an AI model as support, but ultimately makes the decision itself. 

Obligation to provide information on automated decision-making

Companies must inform data subjects about the processing of their personal data. This also applies to the development or/and use of different AI models. If the processing concerns automated decision-making, the data subject must also be provided with an explanation of how the decision was taken. For example, information about the logic and the consequences of the processing. This does not necessarily mean that the company must open the black box, but the company must provide as much information as is appropriate about how the AI model arrives at the decision if it is an automated decision-making that is individual. 

What breaches of the GDPR can lead to an administrative fine?

Exceptions to when individual automated decision-making may be permitted

Sensitive personal data according to GDPR

Performance of a contract

When it is necessary for either the conclusion of a contract or the performance of a contract; Please note that the contract must be entered into between the controller and the data subject.

What is the definition of anonymised data?

Legal obligation

Whether the use of automated decision-making is permitted under any legislation establishing appropriate safeguards.

Subjektivt integritetskänsliga personuppgifter

Explicit consent

Where the controller obtains explicit consent to the use of automated decision-making by the data subject.

Learn more about AI

Key data protection principles

Companies must comply with the seven (7) key principles of the GDPR when processing personal data. In the development and use of AI models, there are several principles that need to be taken into account in particular, as they have a major impact. For example, the principle of data minimisation, which requires companies not to process more personal data than necessary to achieve the purpose, which can be difficult to meet when developing AI models. In addition, it is important to ensure that the AI model is not discriminatory, as it is contrary to the principle of fairness. 

Want to learn more?

Read more
Scroll to Top