Beginner

GDPR & AI — Understanding Data Protection

⏱ ~30 Duration · 7 Module
Why this matters

AI processes vast amounts of data — often about people who are unaware of it. GDPR grants you rights as a data subject. As an operator, you have obligations. Knowing both is a fundamental prerequisite for the responsible use of AI.

What you will learn

You understand the 6 GDPR principles, know your rights as a data subject, and are aware of the data protection obligations that arise when deploying AI.

Lesen

GDPR and AI — the Basics

~15 Min

GDPR and AI — The Basics

What is Personal Data?

Personal Data = all information relating to an identifiable person.

Not just name and email. Also: IP address, location data, purchasing behavior, click patterns, device identifiers — and all combinations that can lead to identification.

AI systems almost always process personal data. The GDPR applies.

The 6 Principles — Concise

Principle What it Requires AI Relevance
Lawfulness Legal basis for each processing Explicitly establish consent, contract, or legitimate interest
Purpose Limitation Only for the specified purpose AI training ≠ right to use for other purposes
Data Minimization Minimum amount of data Feature engineering: only relevant variables
Accuracy Keep data up-to-date Outdated training data → outdated discrimination
Storage Limitation Not longer than necessary Retention policy for training data
Integrity & Confidentiality Protection against misuse Access controls, encryption

Your Rights as a Data Subject

Right Art. What You Can Request
Access 15 Which data? For what purpose? How long?
Rectification 16 Correct incorrect data
Erasure 17 "Right to be Forgotten"
Restriction 18 Temporarily stop processing
Objection 21 Object to processing
No Full Automation 22 Human review for significant decisions

Art. 22 is particularly relevant for AI: Automated decisions with significant impact on individuals (credit denial, job rejection, insurance pricing) must be contestable.

Special Categories of Data — Increased Protection

These data must generally not be processed — except with explicit consent:

  • Health data
  • Ethnic origin
  • Political opinions
  • Religious beliefs
  • Trade union membership
  • Biometric data
  • Sexual orientation

For AI Developers: If training data even implicitly allows conclusions about these categories — increased risk.

Next: Obligations for Operators →

Quiz

Quick Check

1. Which GDPR principle requires that only necessary data be collected?

2. What does GDPR Art. 22 mean?

Merke

GDPR at a Glance

  • 6 Grundsätze: Rechtmäßigkeit, Zweckbindung, Sparsamkeit, Richtigkeit, Begrenzung, Sicherheit
  • Art. 15: Du kannst fragen welche Daten gespeichert sind
  • Art. 16: Du kannst falsche Daten korrigieren lassen
  • Art. 17: Du kannst Löschung beantragen
  • Art. 22: Automatische Entscheidungen können angefochten werden
Lesen

GDPR in AI Deployment — Obligations for Operators

~15 Min

GDPR Obligations in AI Deployment

Before Launch: Three Obligations

1. Establish Legal Basis

No data processing without a basis. The most important for AI:

Basis When Suitable Caution
Consent (Art. 6 para. 1 a) Clearly voluntary, specific Must be revocable at any time
Contract (Art. 6 para. 1 b) AI necessary for contract fulfillment Only if truly required
Legitimate Interest (Art. 6 para. 1 f) Internal optimization Document the balancing of interests

Attention: “We want to improve the AI” is not a legitimate interest that automatically applies. A documented balancing of interests is required.

2. Check DPIA — When is it Mandatory?

A Data Protection Impact Assessment (DPIA) is mandatory under Art. 35 GDPR for:

  • Systematic profiling of individuals
  • Processing of special categories of data (→ Module 1)
  • Automated decisions with significant impact
  • AI-supported monitoring of employees

How extensive? The DPIA documents: What is processed? Why? What risks arise? What protective measures are in place?

3. Inform Affected Individuals

Before processing, affected individuals must know:

  1. Who processes the data (Name, Contact)
  2. Why (Purpose and Legal Basis)
  3. For how long
  4. To whom it is disclosed
  5. Whether automated decisions take place (Art. 13 para. 2 f)

During Operation: Two Critical Obligations

Report Data Breaches (Art. 33)

In case of data loss, theft, or unauthorized access:

  • 72 hours to report to the data protection supervisory authority
  • If high risk for individuals: also direct notification of the affected individuals (Art. 34)

No exception for AI systems. A data breach from an AI system triggers the same obligations.

Adhere to Retention Policies

AI training data is subject to the same deletion obligations as all other personal data. “We need the data for retraining” is not an unlimited retention reason.

Practical Case: The Learning Chatbot

A customer service chatbot logs all conversations “to improve”. Occasionally, health data is mentioned in conversations.

GDPR Violations:

  1. Missing consent for health data (Art. 9 — special category)
  2. Purpose limitation violated: Conversation for customer service ≠ Consent for AI training
  3. Affected individuals were not informed about AI usage

What to do:

  • Immediately remove health data from training data
  • Inform data protection authority (if significant risk)
  • Adjust process: Obtain consent before using for training

Summary: The GDPR Checklist for AI

Before Deployment:
  ☐ Legal basis documented
  ☐ DPIA checked (and conducted if necessary)
  ☐ Affected individuals informed
  ☐ Data categories checked (special categories?)

During Operation:
  ☐ Retention policy defined and implemented
  ☐ Access controls active
  ☐ Process for data breaches in place (72h deadline!)
  ☐ Process for data subject rights defined

Back: GDPR Basics | Start Assessment →

Praxisfall

Case Study: The Chatbot and Sensitive Data

Situation

A customer service chatbot collects conversation histories to "improve". A user complains that the chatbot knows his health data from a previous conversation — even though he never explicitly agreed to have this data stored.

What GDPR violations are present and what must the company do?
Lösung anzeigen

At least two GDPR violations:

  1. Lack of legal basis (Art. 6): For health data (Art. 9 — special category), explicit consent is required. "Collecting training data" is not a sufficient basis.
  2. Violation of purpose limitation (Art. 5): Data from a conversation may not be used for training without further consent.

What the company must do:

  • Immediately: Remove health data from training data
  • Inform affected individuals (Art. 34 if high risk)
  • Report to the data protection authority if the violation is significant (Art. 33, 72-hour deadline)
  • Adjust process: Obtain consent before using for training purposes
Häufige Fehler:
✗ Do nothing — the user has accepted the terms and conditions
Terms and conditions clauses that restrict GDPR rights are void. Explicit consent for sensitive data is mandatory.
Reflexion

Your Data

For which digital services do you feel that they know more about you than they should?

Beispiele:
  • Werbung die zu gut zu meinen Gesprächen passt
  • Empfehlungen die zeigen dass mein Verhalten beobachtet wird
  • Systeme die mich 'kennen' ohne dass ich mich erinnere Daten gegeben zu haben
Wird nur in deinem Browser gespeichert.
Merke

Here's what you take away

  • Als Betreiber: Rechtsgrundlage vor Datenverarbeitung klären
  • Zweckbindung: Daten nur für den angegebenen Zweck nutzen
  • DPIA: Bei Hochrisiko-Verarbeitung Datenschutz-Folgenabschätzung Pflicht
  • ⏰ Panne: 72 Stunden Zeit um Datenschutzbehörde zu informieren

Ready for the assessment?

Course completed! Start assessment.

Start assessment →