SITTIG LAW Law Firm Blog

Data protection and AI: what to look out for in practice

Artificial intelligence offers enormous opportunities, but requires strict data protection measures. The GDPR and EU AI Act set clear requirements for data processing, transparency and risk management. Companies must integrate data protection into AI development from the outset, check the legal basis and carry out regular data protection impact assessments in order to avoid fines and reputational risks.
Contents

The most important facts at a glance

Why data protection is particularly critical for AI applications

Artificial intelligence is increasingly penetrating all areas of business. From automated applicant selection and chatbots in customer service to predictive maintenance in production - AI systems promise efficiency gains and new business models. However, the very features that make AI so powerful create considerable data protection challenges.

AI systems require large amounts of data for training. They make independent decisions whose logic is often difficult to understand even for developers. They continuously learn from new inputs and can unintentionally reveal sensitive information or reproduce discriminatory patterns. These special features make the use of AI a high-wire act in terms of data protection.

The legal framework is evolving rapidly. In addition to the GDPR, the EU GDPR Regulation is gradually coming into force. Supervisory authorities such as the data protection conferences of the federal states are constantly publishing new guidance. Companies that use or want to use AI are faced with the task of translating these complex requirements into practicable processes.

Legal basis: interaction between the GDPR and the AI Regulation

The GDPR as a foundation

The General Data Protection Regulation forms the legal basis for the handling of personal data in AI systems. As soon as an AI application processes data relating to identified or identifiable natural persons, the provisions of the GDPR apply in full.

Art. 6 GDPR requires a legal basis for any processing of personal data. In the case of AI applications, the consent of the data subject, the fulfillment of a contract or processing to safeguard legitimate interests often come into consideration. The latter requires a balancing of interests in which the fundamental rights of the data subjects must not prevail.

Art. 22 GDPR grants data subjects the right not to be subject to a decision based solely on automated processing which produces legal effects concerning them or significantly affects them. This prohibition of automated individual decisions is central to many AI applications. Exceptions only apply under strict conditions, in particular if consent has been given or the decision is necessary for the conclusion of a contract.

The Art. 13 and 14 GDPR regulate the information obligations. They specify how and when companies and other organizations are obliged to inform the data subject about the processing of their personal data.

The EU AI Regulation (AI Act)

The EU AI Regulation supplements the GDPR with specific requirements for AI systems. It takes a risk-based approach and distinguishes between prohibited AI practices, high-risk AI systems, AI systems with transparency obligations and other AI applications.

Prohibited AI practices include social scoring by government agencies, real-time biometric remote identification in public spaces (with narrow exceptions) and AI systems that manipulate people's behavior in a way that can cause them or third parties harm. Violations can be punished with fines.

High-risk AI systems concern areas such as critical infrastructure, education and vocational training, employment, access to basic private and public services, law enforcement, migration and border controls. These systems are subject to extensive requirements in terms of risk management systems, data quality, technical documentation, logging, human oversight and robustness.

Transparency obligations meet AI systems that interact with people (such as chatbots), recognize emotions or perform biometric categorizations. Users must be informed that they are dealing with an AI system.

Typical use cases and their data protection pitfalls

Chatbots and virtual assistants

Chatbots are now used in many companies, whether in customer service, HR or for internal inquiries. From a data protection perspective, there are several aspects to consider. First of all, it must be clear what data the chatbot processes. Does it only log the questions asked or also the answers? Are conversation histories saved? Is there a link with other customer data?

Many companies underestimate that even the logging of chat histories constitutes comprehensive data processing that requires a legal basis. When using external chatbot services, data may also be transferred to third-party providers. Here, the agreement on order processing in accordance with Article 28 GDPR is mandatory.

Another critical point is transparency. Users must be able to recognize that they are communicating with a bot and not a human. They must also be informed about the scope of data processing.

Marketing and customer analysis

In marketing, companies use AI primarily for personalization and targeting. They analyze the behavior of their customers, make predictions about future purchases and segment their target groups. From a data protection perspective, profiling is particularly relevant here.

Video surveillance and facial recognition

AI-supported video surveillance and facial recognition are among the most sensitive areas of application in terms of data protection law. The processing of biometric data to uniquely identify natural persons falls under the special categories of personal data.

Companies that nevertheless wish to use facial recognition must not only provide evidence of a legal basis, but also carry out a data protection impact assessment and take comprehensive technical and organizational measures. Among other things, this includes ensuring that biometric data is stored in encrypted form and that the systems are configured in such a way that they only collect the required amount of data.

Practical tips for the data protection-compliant use of AI

Privacy by design and by default

The principle of data protection through technology design and data protection-friendly default settings from Article 25 GDPR is of central importance for AI systems. Privacy by design means that data protection must be taken into account during the development of the system, not just after the fact. For AI projects, this means that consideration must be given from the outset to what data is really needed, how it can be protected and what risks exist.

Privacy by default supplements this approach by only processing the data that is necessary for the respective purpose by default. For AI systems, this could mean that only aggregated data is used by default or that the storage duration of data is automatically limited.

Carry out a data protection impact assessment

Article 35 GDPR obliges controllers to carry out a data protection impact assessment if a form of processing is likely to result in a high risk to the rights and freedoms of natural persons. This is the case for most AI applications that process personal data.

The DPIA should document how the AI system works, what data is used, how training is carried out and what measures are taken to counter risks such as bias, discrimination or lack of transparency. It is advisable not to see the DPIA as a one-off compulsory exercise, but to update it regularly, especially if the AI system is further developed.

Training and sensitization of employees

The best technical solution is of little use if employees do not know how to use it. With AI systems in particular, it is important that everyone involved knows and understands the data protection requirements. This applies not only to the IT department, but also to the specialist departments that use the AI systems.

Training courses should convey:

  • Which data protection principles apply to the use of AI
  • How to deal with requests from affected persons
  • When a human review of automated decisions is required
  • How potential bias can be recognized
  • Who to contact if you have questions or problems

Checklist: Data protection-compliant AI implementation

Before implementation:

  • Is the purpose of the AI application clearly defined and documented?
  • Has it been checked which data is actually required (data minimization)?
  • Is there a valid legal basis for data processing?
  • Were those affected informed transparently about the use of AI?
  • Has a data protection impact assessment been carried out?
  • Are the technical and organizational measures documented?

When selecting service providers:

  • Has it been clarified whether there is order processing or joint responsibility?
  • Is there a GDPR-compliant contract?
  • Have you checked where the data is processed?
  • Are the service provider's security measures appropriate?

During operation:

  • Are processes in place to guarantee data subjects' rights?
  • Is there ongoing documentation of processing activities?
  • Are employees regularly trained in data protection requirements?
  • Is there a system for monitoring and incident management?

For automated decisions:

  • Is it ensured that human verification is possible?
  • Can those affected state their position and contest the decision?
  • Is the logic of the decision-making process documented and explainable?

Documentation:

  • Are all processing activities recorded in the register?
  • Is a current data protection impact assessment available?
  • Have the information obligations towards data subjects been fulfilled?
  • Do deletion concepts exist for training and operating data?

AI and data protection - a question of the right preparation

The use of artificial intelligence offers companies enormous opportunities, but also brings with it considerable data protection challenges. The GDPR and the AI Act set clear limits that should not be seen as barriers to innovation, but rather as guidelines for the responsible use of AI.

The key to success lies in dealing with the legal requirements at an early stage. Thinking about data protection at the planning and development stage of AI systems not only avoids legal risks, but also creates trust among customers and business partners. Experience shows: Data protection-compliant AI solutions are definitely possible, but require careful planning, clear processes and close cooperation between technology, legal and specialist departments.

As a law firm specializing in IT law and data protection, we support companies in the legally compliant implementation of AI systems. Contact us if you need support with the data protection assessment of your AI projects.

Frequently asked questions

Not every use of AI necessarily requires a DPIA, but in most cases it is necessary. The decisive factor is whether the processing is likely to entail a high risk to the rights and freedoms of data subjects. A DPIA is regularly required for automated decisions, extensive profiling or the processing of special categories of personal data. In case of doubt, a DPIA should be carried out, as it is a valuable tool for risk assessment even independently of the legal obligation.

No, this is problematic in terms of data protection law. Just because data is publicly accessible does not mean that it can be used for AI training without further ado. There needs to be a legal basis for the processing and the data subjects must always be informed. Copyright law may also stand in the way of use. Ideally, data for which there is a clear legal basis should be used for training AI models, for example because the data subjects have given their consent or because there is a legitimate interest after careful consideration.

Yes, transparency is a central principle of the GDPR. Data subjects have a right to know when they are interacting with an AI system, especially when automated decisions are being made. In the case of chatbots, it should be made clear at the beginning of the conversation that it is an automated communication. In the case of AI applications, the information obligations under Article 13 or 14 GDPR, which also include information on automated decision-making, must also be fulfilled.

The AI Act classifies AI systems according to risk classes. Strict requirements apply to high-risk systems - for example in the areas of employment, critical infrastructure or law enforcement. These include risk management, data quality standards, documentation requirements and human oversight. Minimal risk, on the other hand, means hardly any requirements. Companies must first assess which category their AI systems fall into and then implement the relevant requirements. The AI Act complements the GDPR, and both sets of regulations must be observed in parallel.

Yes, a separate legal basis is required for each processing activity. If you operate several AI systems, each of which processes different data for different purposes, you need a legal basis for each system. This can vary depending on the context. It is important that the legal basis is established and documented before processing begins.

The storage period is based on the principle of storage limitation in Article 5 GDPR. Data may only be stored for as long as is necessary for the purposes. A distinction must be made for AI training: The original training data can be deleted as soon as the model has been trained, provided no other purpose justifies further storage. It is advisable to develop a well thought-out deletion concept.

Non-compliance with the GDPR can lead to severe fines. There is also a risk of claims for damages from data subjects and reputational damage.

Hamburg location
Head office
Martinistrasse 11
20251 Hamburg
Phone: +49 (0) 40 808 125 550
Fax: +49 (0) 40 808 125 559
Kassel location
Branch office
Motzstrasse 1
34117 Kassel
Phone: +49 (0) 561 510 053 80
Fax: +49 (0) 561 510 053 99
Frankfurt location
Branch office
Oeder Weg 11
60318 Frankfurt am Main
Phone: +49 (0) 69 710 471 070
Fax: +49 (0) 69 710 471 079
SITTIG LAW
Lawyer.
Specialist lawyer for criminal law.
Specialist lawyer for IT law.

[email protected]
Hamburg location
Head office
Martinistr. 11
20251 Hamburg
Tel: +49 (0) 40 808 125 550
Fax: +49 (0) 40 808 125 559

Contact form