Artificial intelligence systems that process personal data are subject to GDPR in the same way as any other processing — they require a lawful basis, must comply with data minimisation, must respect data subject rights, and must implement appropriate security. But AI creates specific challenges that GDPR’s architects did not anticipate in full: the opacity of algorithmic decision-making, the use of large-scale personal data for model training, the generation of inferred personal data that the data subject did not provide, and the difficulty of meaningful transparency when the decision logic is complex or proprietary.
The EDPB’s guidelines on automated decision-making (WP251) and the GDPR’s Article 22 provisions provide the core framework. Overlaid on these is the EU AI Act, which entered into force in 2024 and creates a risk-based regulatory framework for AI systems that operates alongside GDPR with both complementary and additive obligations. Organisations deploying AI systems that process personal data must now navigate both frameworks simultaneously.
Article 22: Automated Decision-Making and Profiling
Article 22(1) provides that data subjects have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal or similarly significant effects concerning them. This is both a right and a prohibition — solely automated significant decisions cannot be made without one of the three Article 22(2) gateways: contract necessity, legal authorisation, or explicit consent.
ARTICLE 22 — SCOPE, GATEWAYS, AND SAFEGUARDS
| Element | Definition / Requirement | Examples |
|---|---|---|
| Solely automated | No meaningful human involvement in the decision; human review that is rubber-stamping without genuine assessment does not count as meaningful human involvement | AI credit scoring with automatic approval/rejection; automated recruitment screening that eliminates candidates without human review; automated insurance premium setting |
| Profiling | Any form of automated processing of personal data to evaluate personal aspects, particularly performance, economic situation, health, preferences, behaviour, location, or movements | Customer lifetime value scoring; churn prediction models; fraud risk scoring; behavioural segmentation; creditworthiness assessment |
| Legal or similarly significant effect | Effects that significantly affect an individual’s legal rights (credit refusal, job rejection) or produce effects similar in magnitude to legal effects (pricing discrimination, exclusion from services) | Credit application rejection; job application elimination; insurance refusal; loan pricing based on risk profile; targeted advertising based on sensitive category inference |
| Gateway (a): Contract necessity | Solely automated decision is necessary for entering into or performance of a contract with the data subject | Automated fraud check as part of payment processing; automated credit check required to offer a credit product |
| Gateway (b): Legal authorisation | Solely automated decision authorised by EU or member state law, with appropriate safeguards | Automated tax fraud detection; AML automated transaction blocking under regulatory authorisation |
| Gateway (c): Explicit consent | Data subject has given explicit consent to the solely automated decision | Individual explicitly opts into an automated investment advisory service; data subject consents to AI health risk assessment |
| Safeguards required for (a) and (c) | Right to human review of the decision; right to express point of view; right to contest the decision; right to explanation | Human reviewer with genuine authority to overturn the decision; clear explanation of the factors that led to the decision; contesting mechanism with defined response SLA |
Transparency and Explainability for AI
Articles 13(2)(f) and 14(2)(g) require controllers that use automated decision-making to provide meaningful information about the logic involved, the significance of the processing, and the envisaged consequences for the data subject. This is the GDPR’s explainability requirement — and it applies to any automated decision-making with significant effects, not only solely automated decisions under Article 22.
AI TRANSPARENCY REQUIREMENTS UNDER GDPR
| Transparency Obligation | What It Requires for AI | Implementation Challenge |
|---|---|---|
| Art. 13/14: ‘meaningful information about the logic’ | Explain the general approach of the algorithm; the key factors or inputs that influence the decision; what the output represents | Cannot be satisfied by publishing a model architecture; must be explained in plain language to a lay person; does not require full algorithmic disclosure but must be substantively informative |
| Art. 13/14: ‘significance of the processing’ | Explain what the automated decision-making is used for; what it determines; what the consequences are for the data subject | Many organisations describe automated processing in vague terms; must specifically state that AI is used to make or contribute to decisions affecting the individual |
| Art. 13/14: ‘envisaged consequences’ | Explain what outcomes the data subject may experience as a result of the automated processing | Explain the range of possible decisions; what triggers a favourable vs. unfavourable outcome; what the data subject can do if they receive an unfavourable outcome |
| Art. 22(3): Right to explanation of individual decision | Upon request for human review, the controller must explain the specific decision taken in the individual case | Requires ability to generate individual decision explanations; explainable AI (XAI) tooling recommended for high-volume decision systems; generic explanations are insufficient |
AI Model Training and Personal Data
Training AI models on personal data is a processing activity subject to GDPR. The lawful basis, data minimisation, and purpose limitation principles all apply to the training dataset. An organisation that trains a model on customer data collected for service provision must have a lawful basis for using that data to train a model — which may or may not be the same basis as the original collection.
AI TRAINING DATA — GDPR COMPLIANCE FRAMEWORK
| Issue | GDPR Requirement | Common Compliance Gap |
|---|---|---|
| Lawful basis for model training | Separate lawful basis for using personal data to train AI; original collection basis does not automatically extend to model training | Using customer data collected for service provision to train an AI model without assessing whether original basis covers this use; no LIA for model training purpose |
| Purpose limitation | Training purpose must be compatible with the original collection purpose; scientific research or legitimate interest may support compatibility | Broad AI improvement purposes added to privacy notice without assessing compatibility; data collected for one purpose used for unrelated model training |
| Data minimisation for training | Training data should be the minimum necessary for the model’s purpose; consider whether synthetic data or pseudonymised data can replace real personal data | Using full production dataset for training when a representative subset or synthetic data would achieve the same model quality; training data not deleted after model training is complete |
| Special category data in training sets | Training on special category data requires Art. 9(2) condition; high-risk if model infers or predicts special category characteristics | Demographic data used to train models that infer health status, political views, or other special category characteristics without Art. 9(2) basis or Art. 22 safeguards |
| Data subject rights for training data | Data subjects may exercise access, erasure, or objection rights in relation to personal data used for model training | No mechanism to identify which training records relate to a specific data subject; erasure of training data requires model retraining or machine unlearning procedure |
The EU AI Act and GDPR: Navigating Both Frameworks
The EU AI Act (Regulation 2024/1689) applies a risk-based framework to AI systems placed on the EU market or used in the EU, regardless of where the provider is established. It distinguishes between unacceptable risk AI (prohibited), high-risk AI (subject to stringent obligations before deployment), limited risk AI (transparency obligations), and minimal risk AI (no specific obligations beyond GDPR). For AI systems that process personal data, both GDPR and the AI Act apply simultaneously.
EU AI ACT — RISK CATEGORIES AND GDPR INTERACTION
| AI Act Risk Category | Examples Relevant to Personal Data | GDPR Interaction |
|---|---|---|
| Unacceptable risk (prohibited) | Social scoring systems; mass real-time biometric surveillance in public spaces (with narrow exceptions); subliminal manipulation; exploitation of vulnerabilities | GDPR would also prohibit most of these (no lawful basis for social scoring; biometric data without Art. 9 basis); AI Act adds explicit prohibition regardless of GDPR basis |
| High risk — education and employment | AI systems for CV screening, candidate ranking, interview analysis, exam proctoring, student assessment | GDPR Art. 22 applies if solely automated with significant effects; DPIA required; Art. 9 if health or other special category data inferred; AI Act adds conformity assessment, documentation, human oversight, and accuracy requirements |
| High risk — credit and financial | Credit scoring AI; insurance risk assessment; loan pricing algorithms | Art. 22 applies; explicit consent or contract gateway; explanation right on request; DPIA required; AI Act adds requirements for data governance, traceability, and transparency |
| High risk — law enforcement and border | AI crime prediction; biometric identification; border security screening | Art. 9 biometric data basis required; Art. 22 for law enforcement decisions; Art. 35 DPIA required; AI Act imposes additional law enforcement AI restrictions |
| Limited risk — chatbots and synthetic content | Customer service AI chatbots; AI-generated content | No Art. 22 unless significant decision effect; GDPR lawful basis for any personal data processed; AI Act requires disclosure that user is interacting with AI |
GDPR + AI ACT DPIA REQUIREMENTS FOR HIGH-RISK AI
| Requirement | GDPR (Art. 35) | EU AI Act | Unified Approach |
|---|---|---|---|
| Assessment required | DPIA required for high-risk processing including systematic automated profiling, large-scale special category data, systematic monitoring of public spaces | Fundamental rights impact assessment required for high-risk AI systems that process personal data | Combined DPIA and fundamental rights impact assessment; single document addressing both regulatory requirements |
| Timing | Before the processing begins | Before the high-risk AI system is deployed on the EU market or put into service | Before deployment; assessment feeds product development process |
| Content overlap | Processing description; necessity and proportionality assessment; risk to individuals; mitigation measures | Description of AI system; purpose; fundamental rights risks; measures to mitigate; human oversight mechanisms | Single assessment document covering GDPR and AI Act requirements; reduces duplication |
| Human oversight | Art. 22(3): human review mechanism for solely automated decisions | High-risk AI must include human oversight as a system requirement | Human oversight mechanism satisfies both Art. 22(3) and AI Act; must be meaningful, not nominal |
| BITLION INSIGHT | The convergence of GDPR and the EU AI Act creates the most complex personal data compliance landscape that technology organisations have ever faced. Organisations deploying AI systems that process personal data should treat GDPR compliance and AI Act compliance as a single design challenge rather than two separate regulatory workstreams. The DPIA is the natural integration point: a well-constructed DPIA for a high-risk AI system addresses the GDPR risk assessment, the AI Act’s fundamental rights impact assessment, the Article 22 safeguards design, and the explainability and transparency obligations simultaneously. Privacy engineers and AI ethics practitioners need to work from a shared framework. |