Articles, January 30, 2025

Artificial Intelligence and GDPR: how is personal data protection ensured in the era of algorithms?

Artificial intelligence (AI) has become a ubiquitous technology, used in more and more fields, from marketing and healthcare to recruitment and financial services. However, the widespread use of AI raises numerous questions about privacy and personal data protection. The General Data Protection Regulation (GDPR), a globally recognized European standard, plays a crucial role in ensuring that the development and application of AI-based technologies respect the fundamental rights of data subjects.

In an era where algorithms can process vast amounts of information in record time, the main challenge is finding a balance between innovation and compliance with legal norms. How can companies use AI without violating GDPR? What rights do individuals whose data is processed have?

The processing of personal data through artificial intelligence (AI) must rest on a legal basis under Article 6 of Regulation 679/2016, such as explicit consent, legitimate interest, or contract execution. For example, if an AI system is used to personalize marketing offers, the user must be clearly informed about how their data is used and must give explicit consent for this purpose.

Training AI models often involves using large volumes of personal data, raising privacy concerns. According to Article 9 of GDPR, using sensitive data (such as health information, ethnic origin, or political opinions) is prohibited without a valid legal basis. Additionally, data anonymization is essential to reduce risks. Specifically, if a company develops a facial recognition model and uses images from a public database that includes identifiable personal data, the company must anonymize the data or obtain individuals’ consent.

Thus, companies using AI are required to conduct Data Protection Impact Assessments (DPIA), as stipulated in Article 35 of GDPR, and implement appropriate security measures to protect personal data. Algorithm auditing is essential to identify potential errors that could lead to discriminatory outcomes.

AI also presents challenges related to respecting the rights of data subjects, as mentioned in Articles 15-21 of the Regulation. Data subjects must have access to clear information on how their data is processed and be able to request the deletion of their data from AI systems. Moreover, automated decisions with significant impacts, such as credit denial, require human intervention to ensure fairness.

Compliance with GDPR imposes additional costs for AI technology development, such as designing systems that minimize data collection (Privacy by Default) and integrating data protection from the design phase (Privacy by Design). Additionally, companies must document and demonstrate compliance. This challenge affects businesses developing AI-based applications, requiring them to design functionalities that collect only the data strictly necessary for their objectives.

In practice, many companies have faced penalties for the improper use of AI systems, such as using biometric data for facial recognition, classified as an unacceptable risk under the AI regulation. Real-time biometric monitoring systems in public spaces are prohibited as they can significantly impact individuals’ fundamental rights and freedoms. Evaluating citizens’ behavior to assign a social score that influences their access to various public or private services can also be problematic.

Thus, the “Artificial Intelligence Act” (AI Act) complements GDPR by establishing clear rules for AI use in the EU. The AI Act classifies AI applications based on risks and introduces strict requirements for “high-risk” systems, including facial recognition used by authorities, AI systems in healthcare, or automated recruitment systems, which must comply with both GDPR and AI Act requirements.


Mihaela Murariu – Attorney at Law
