CLVPartners


Artificial Intelligence and Data Protection in Corporate Practice

Reading time: 5 minutes

The use of artificial intelligence (hereinafter also referred to as AI) is no longer merely a technological issue but is increasingly also a data protection and compliance challenge. Whether it is the analysis of customer data, automated customer service chatbots, tools used to provide and develop a company’s services and improve operational efficiency, or even tools used to enhance the efficiency of HR processes, AI systems provide a significant competitive advantage. Due to the processing of personal data, the rules of the General Data Protection Regulation (GDPR) remain applicable, while the European Union’s Regulation on Artificial Intelligence (AI Act) also introduces additional obligations. In this article, we provide an overview of the main data protection and AI Act-related considerations that should be taken into account in corporate AI use in order to ensure compliance.

The legal relevance of automation

In practice, one of the most important questions is what exact role the given AI system plays in the data processing workflow. The functioning of the applied technology and the way data is used fundamentally determine the legal classification of the AI system, as well as the data protection and compliance obligations of the company. From a data protection perspective, there is a significant distinction between automated data processing, profiling, and automated decision-making:

Automated data processing:

This is a technical process; data processing is considered automated where the collection, organisation, and retrieval of data take place without human intervention, by software (for example, a system automatically sorting incoming applications in alphabetical order, or categorising incoming customer requests or documents).

Profiling:

Under the GDPR, profiling means that the system does not merely organise data, but draws conclusions about, evaluates, or ranks data subjects. If the system, based on personal data, scores or filters individuals in any form according to certain personal characteristics – such as their financial situation, preferences, interests, reliability, or even abilities or suitability – this may qualify as profiling.

Automated decision-making:

This occurs where the process is not only technically automated, but the AI system itself makes the final decision without human intervention, and this decision produces legal effects concerning the individual or similarly significantly affects them. A typical example is when the software automatically rejects (excludes) an applicant from a process without human approval based on certain criteria.

In practice, these categories are often not separate processes. Even a simple technical automation can easily evolve into a process that raises issues of profiling or automated decision-making. Therefore, each AI-based process must be assessed individually based on data usage and the actual functioning of the system.

Data protection considerations

Where a company integrates AI technology into its internal processes or services provided to customers, the nature of the system’s operation must be assessed from a data protection perspective in order to classify the type of data processing. During this assessment, it must be determined whether profiling or automated processing takes place, and whether there are circumstances requiring a data protection impact assessment (DPIA).

According to the guidance of the National Authority for Data Protection and Freedom of Information (NAIH), the use of new technologies may in itself carry a high level of risk. However, a DPIA is particularly necessary where the processing involves the evaluation, scoring, or prediction of personal characteristics of natural persons; where automated decision-making results in exclusion or rejection without human intervention (e.g. during recruitment filtering); or where the technology is used for systematic, software-based monitoring of employee performance or productivity.

In addition, an appropriate legal basis for processing must be ensured, and in certain cases the consent of the data subject may be required. Furthermore, in line with the transparency principles of the GDPR and the AI Act, data subjects must be clearly and comprehensibly informed about the use of AI, its purpose, the basic logic of its operation, and their rights, including the right of access, erasure, objection, and the important right to request human review of decisions made by the system.

Based on our experience, the following are the most commonly used AI software programs applied by companies that involve the processing of personal data, which is why it is necessary to review the data processing documentation:

ChatGPT

Microsoft 365 Copilot

Google Gemini

Perplexity

Claude

Conclusion

The introduction of artificial intelligence is not merely an IT issue, but a complex legal and data protection compliance task. Since AI-based systems almost always involve the processing of personal data, it is advisable to address these issues already before the deployment of such systems, in light of GDPR requirements and regulatory expectations. Establishing transparent, secure, and legally compliant operation from the design phase onwards not only reduces legal risks, but also forms a fundamental basis for long-term business success and trust. If a company plans to implement or has already implemented an AI solution, it is necessary to review it from a data protection perspective and update the data protection documentation accordingly.

Photo source: pexels.com, Egor Komarov


The EDPS 2025 Annual Report: A New Era in Corporate Data Protection and Technological Compliance

Reading time: 6 minutes

The European Data Protection Supervisor (EDPS) has published its 2025 Annual Report (hereinafter: the “Report”), providing a detailed account of its activities to protect personal data in a rapidly changing digital world. The Report clearly signals that the European data protection and digital regulatory environment has entered a new phase: the focus is no longer merely on formal GDPR policies, but on the actual operational controls of AI systems, cloud services, and international data transfers. The investigations typically center on tools and processes that most organizations use on a daily basis: Microsoft 365, cloud infrastructure, generative AI solutions, mobile applications, and HR systems. In this article, we present the main findings of the Report and outline the key aspects and recommendations necessary for compliance.

AI Governance: A new dimension of compliance

One of the most important messages of the Report is that corporate control over artificial intelligence (AI governance) will shortly develop into a standalone, high-priority compliance area. Artificial intelligence is no longer an experimental technology; it has become an integral part of daily operations within EU institutions and an increasing number of organizations. In preparation, the EDPS has already taken the first major steps:

Established a dedicated AI unit: It has strengthened its newly created AI unit to prepare for supervisory duties under the EU Artificial Intelligence Act.

Mapped generative AI usage: It assessed the current AI ecosystem regarding prohibited practices and high-risk systems, and published a report highlighting the dominant areas of AI use and enforcement priorities.

Launched an AI regulatory sandbox program: Within the framework of a pilot project, it created a safe regulatory testing environment for developing and testing innovative AI systems under supervisory oversight.

Issued a new AI risk management guide for identifying and mitigating technical risks associated with the development and deployment of AI systems.

Regulatory focus is intensifying particularly in the following specific areas:

the corporate use of generative AI tools;

the compliance of off-the-shelf AI solutions;

the strict control of high-risk AI systems;

the legal relationship between AI and personal data;

the technical risk management of AI systems.

In a corporate environment, this means that the use of AI is no longer exclusively an IT or innovation issue, but a key legal, compliance, and data protection risk area. Therefore, organizations must prepare now to introduce, document, supervise, and use AI solutions in their daily operations in accordance with the requirements of the GDPR and the EU Artificial Intelligence Act.

Microsoft 365 and enterprise IT systems

In 2025, the EDPS further strengthened its oversight over large IT systems, including cloud services similar to Microsoft 365. The lesson from previous investigations is that compliance is not solely a contractual matter but requires an assessment covering the entire lifecycle of data processing.

The investigations focused on issues that are also critical for large enterprises:

international data transfers to third countries;

the transparency of complex sub-processing chains;

the control of access to data;

the existence of appropriate technical and organizational guarantees.

A key message of the Report is that a service agreement or a “GDPR-compliant” label alone is no longer sufficient. Supervisory practice increasingly examines actual operational controls, technical measures, and documented risk assessments. For this reason, it is strongly recommended to conduct a limited review of supplier contracts from a data protection perspective; in our experience, it is sufficient to do this once and then build a control into the process that ensures compliance whenever the contract or the service changes, or that provides for periodic reviews and follow-up checks.

International data transfers

Data transfers to third countries remain a high-priority enforcement area. The EDPS emphasizes that appropriate contractual clauses are not sufficient on their own. In assessing compliance, an increasingly important role is played by the actual content of the Transfer Impact Assessment (TIA), the evaluation of the legal and practical environment of the third country, and the real-world operation of the applied technical and organizational measures. In modern cloud-based systems, according to data protection law, remote access also constitutes a data transfer. If a third-country IT engineer (e.g., from India or the United States) logs into a database stored in Europe for support or system maintenance purposes, the data legally leaves the EEA. These risks can only be meaningfully assessed by a TIA. This is particularly relevant in environments where global cloud infrastructures or centralized IT support operate. In practice, this means that companies should assess whether data transfers outside the EU occur due to the nature of the supplier’s operations or due to the processes required by the corporate group, and classify them accordingly.

The future of data protection will be technologically focused

Based on the EDPS Report, European data protection practice has definitively shifted in a technological direction. At the center of the supervisory focus stands the understandable and accountable operation of artificial intelligence, the continuous monitoring of cloud services, and the complete fusion of cybersecurity and data protection. Data protection compliance is thus no longer an isolated legal task, but a shared, daily responsibility of corporate management, procurement, digital transformation, and IT security.

Based on the EDPS Report, it is clearly visible: in the coming years, organizations that recognize this paradigm shift and build a real, auditable technological governance system – rather than just a formal, paper-based GDPR compliance – will hold a clear competitive advantage.

Photo source: pexels.com, Jcmotive

