
Artificial Intelligence and Data Protection in Corporate Practice


The use of artificial intelligence (hereinafter also referred to as AI) is no longer merely a technological issue but is increasingly also a data protection and compliance challenge. Whether it is the analysis of customer data, automated customer service chatbots, tools used to provide and develop a company’s services and improve operational efficiency, or even tools used to enhance the efficiency of HR processes, AI systems provide a significant competitive advantage. Due to the processing of personal data, the rules of the General Data Protection Regulation (GDPR) remain applicable, while the European Union’s Regulation on Artificial Intelligence (AI Act) also introduces additional obligations. In this article, we provide an overview of the main data protection and AI Act-related considerations that should be taken into account in corporate AI use in order to ensure compliance.

The legal relevance of automation

In practice, one of the most important questions is what exact role the given AI system plays in the data processing workflow. The functioning of the applied technology and the way data is used fundamentally determine the legal classification of the AI system, as well as the data protection and compliance obligations of the company. From a data protection perspective, there is a significant distinction between automated data processing, profiling, and automated decision-making:

Automated data processing:

This is a technical process; data processing is considered automated where the collection, organisation, and retrieval of data take place without human intervention, by software (for example, a system automatically sorting incoming applications in alphabetical order, or categorising incoming customer requests or documents).

Profiling:

Under the GDPR, profiling means that the system does not merely organise data, but draws conclusions about, evaluates, or ranks data subjects. If the system, based on personal data, scores or filters individuals in any form according to certain personal characteristics – such as their financial situation, preferences, interests, reliability, or even abilities or suitability – this may qualify as profiling.

Automated decision-making:

This occurs where the process is not only technically automated, but the AI system itself makes the final decision without human intervention, and this decision produces legal effects concerning the individual or similarly significantly affects them. A typical example is when the software automatically rejects (excludes) an applicant from a process without human approval based on certain criteria.

In practice, these categories are often not separate processes. Even a simple technical automation can easily evolve into a process that raises issues of profiling or automated decision-making. Therefore, each AI-based process must be assessed individually based on data usage and the actual functioning of the system.

Data protection considerations

Where a company integrates AI technology into its internal processes or services provided to customers, the nature of the system’s operation must be assessed from a data protection perspective in order to classify the type of data processing. During this assessment, it must be determined whether profiling or automated processing takes place, and whether there are circumstances requiring a data protection impact assessment (DPIA).

According to the guidance of the National Authority for Data Protection and Freedom of Information (NAIH), the use of new technologies may in itself carry a high level of risk. However, a DPIA is particularly necessary where the processing involves the evaluation, scoring, or prediction of personal characteristics of natural persons; where automated decision-making results in exclusion or rejection without human intervention (e.g. during recruitment filtering); or where the technology is used for systematic, software-based monitoring of employee performance or productivity.

In addition, an appropriate legal basis for processing must be ensured, and in certain cases the consent of the data subject may be required. Furthermore, in line with the transparency principles of the GDPR and the AI Act, data subjects must be clearly and comprehensibly informed about the use of AI, its purpose, the basic logic of its operation, and their rights, including the right of access, erasure, objection, and the important right to request human review of decisions made by the system.

Based on our experience, the following are the most commonly used AI software programs applied by companies that involve the processing of personal data, which is why it is necessary to review the data processing documentation:

ChatGPT

Microsoft 365 Copilot

Google Gemini

Perplexity

Claude

Conclusion

The introduction of artificial intelligence is not merely an IT issue, but a complex legal and data protection compliance task. Since AI-based systems almost always involve the processing of personal data, it is advisable to address these issues already before the deployment of such systems, in light of GDPR requirements and regulatory expectations. Establishing transparent, secure, and legally compliant operation from the design phase onwards not only reduces legal risks, but also forms a fundamental basis for long-term business success and trust. If a company plans to implement or has already implemented an AI solution, it is necessary to review it from a data protection perspective and update the data protection documentation accordingly.

Photo source: pexels.com, Egor Komarov


Data protection considerations related to the development of AI models


Artificial intelligence (“AI“) is a rapidly evolving family of technologies that contributes to a wide range of economic, environmental, and social benefits across all sectors and social activities. By improving predictive accuracy, optimizing operational processes and the allocation of resources, and enabling the personalization of digital solutions available to individuals and organizations, the use of AI can confer a decisive competitive advantage on businesses while also delivering beneficial social and environmental outcomes.

The use of artificial intelligence, alongside its potential benefits, is also associated with certain risks. In order to mitigate these risks, Regulation (EU) 2024/1689 of the European Parliament and of the Council on artificial intelligence (“AI Act”) has been adopted, several provisions of which have already entered into force. At the same time, the development of many AI models involves the use of personal data, which raises the question of how the AI Act affects data processing activities related to AI systems.

The relationship between the AI Act and the GDPR

The AI Act makes it clear that it does not amend the application of existing EU rules on the processing of personal data, including the requirements set out in the GDPR. Accordingly, organizations falling within the scope of the AI Act must, in the course of their data processing activities, comply fully with the provisions of the GDPR.

Through the enforcement of the right to the protection of personal data, the GDPR also supports the effective exercise of other fundamental rights, including, inter alia, freedom of thought and expression, the right to information and education, and the freedom to conduct a business. On this basis, it can be concluded that the GDPR establishes a legal framework that facilitates responsible innovation, including the responsible development and deployment of AI-related technologies.

Data protection considerations in relation to the development of AI models

In connection with the development of AI models, the European Data Protection Board (“EDPB”) adopted a standalone opinion on data protection aspects arising in relation to the processing of personal data in the context of artificial intelligence models (“Opinion”).

The Opinion examines how personal data may be used in the development of AI models and highlights the issues requiring particular attention when placing on the market AI systems developed using personal data.

Lifecycle of AI Models

The EDPB divides the lifecycle of AI models into two stages, emphasizing that data processing may occur in either of them. The first stage covers the processes preceding the deployment of the model (e.g. its creation, development, training and fine-tuning). The second stage relates to the deployment phase, encompassing the use of the model following its development.

Existence of a legal basis for data processing by data controllers

One of the cornerstones of data protection regulation is that personal data may only be processed where a specific legal basis exists. The Opinion reiterates the general expectation that data controllers must determine the appropriate legal basis for their processing activities.

However, the EDPB found that, as a general rule, an AI model developer may rely on legitimate interest as a legal basis, provided that the existence of such legitimate interest is duly substantiated. For this purpose, a three-step test – already familiar to those with experience in data protection compliance practice – serves to properly assess whether a legitimate interest genuinely exists.

The EDPB emphasizes that the balancing test must take into account whether the data subjects can reasonably expect their personal data to be used. The Opinion is significant in this regard because it sets out several criteria intended to assist data protection authorities in assessing this “reasonably foreseeable” requirement.

The Opinion also recalls that, where it appears that the interests, rights, and freedoms of data subjects override the legitimate interests of the data controller or of a third party, all is not lost. Namely, the data controller may consider the implementation of mitigating measures to limit such adverse effects. These may include, for example, pseudonymization, or measures aimed at masking personal data or replacing them with fictitious personal data within the training dataset. The introduction of appropriate data protection measures can make data processing lawful again.

Anonymity

The GDPR classifies as personal data any information relating to an identified or identifiable natural person, whether directly or indirectly. According to the position of the EDPB, in the context of AI model development, personal data may only be used where they are properly anonymized, such that even in the event of a potential reverse engineering of the model, the identification of data subjects is not possible. With regard to anonymization, the EDPB emphasizes that the competent data protection authorities must assess, on a case-by-case basis, whether the organization developing the AI model has complied with this requirement. The body also sets out several recommended techniques that may be suitable for preserving anonymity (e.g. measures that prevent or limit the extraction of personal data used for training purposes).

Summary

The EU body emphasizes in its Opinion that compliance with data protection requirements governing the processing of personal data must be ensured throughout both the development and deployment of AI models. It is evident that the expansion of AI and its potential risks are being treated and monitored as a priority in law enforcement, and therefore numerous regulatory guidelines from authorities can be expected in the near future.

Photo source: pexels.com, Tara Winstead


Statement of the EDPB on data processing during the coronavirus epidemic

The European Data Protection Board (“EDPB”) has issued a statement on its website on data processing during the coronavirus epidemic. Please find our summary of the statement below:

1. The conditions of processing health data, as a special category of data, shall be specified by national law in accordance with the GDPR. In this regard, the GDPR requires that the lawmaker defines specific measures and suitable safeguards for the rights of the data subjects.

2. As the Hungarian Data Protection Authority has emphasized, in the event of medical examinations such as body temperature measurement, this safeguard is the presence of a healthcare professional; therefore it is still not possible to implement such measurement at the workplace without the presence of a professional.

3. According to the EDPB’s position, employers should inform employees if a coronavirus-infected person has been identified at the workplace (to take the necessary protective measures), without revealing the identity of said person. The concerned employees shall be informed in advance and their dignity shall be protected. Information on the infection should be first and foremost disclosed to those entitled to process these data, such as authorities and treating physicians, if requested.

As the GDPR allows for a wide range of derogations in national law, we can expect a more detailed regulation of the data processing in relation to the epidemic.

The content of this article is not exhaustive and does not constitute legal advice. Should you have any specific questions regarding any issues investigated in our articles, please contact us and we will be happy to be at your disposal.


ON THE DATA PROCESSING RELATED TO THE CORONAVIRUS EPIDEMIC

The Hungarian Data Protection Authority (“HDPA”, “Authority”) has issued on its website a briefing regarding data processing related to the coronavirus epidemic, also including certain general legal obligations beyond data protection. We have summarized the most important details as follows:

1. It is not only a vital interest but also a legal obligation of employers to provide a healthy and safe workplace.

2. Prior to any data processing, employers may be expected to create an epidemic action plan (preventive measures, allowing alternative working conditions (“home office”), procedure to be followed if the infection appears, assignment of responsible personnel within the company, implementation of a reporting system).

3. As a preventive measure within the action plan, it is recommended to provide employees with all necessary details, especially the most critical information on the coronavirus (rules of hygiene, symptoms, who to report to within the company). The document titled “Procedure regarding the novel coronavirus identified in the year 2020”, published on the website of the National Public Health Center, could prove helpful for employers when wording the information.

4. According to the Labour Code, employees shall report to the employer if they have knowledge of a risk of infection, including the risk of their own illness. With regard to this, the reporting system shall be implemented in a way that allows for confidential processing of data.

5. In the event of a report or suspicion of infection, the HDPA considers filling out a questionnaire appropriate. Particular attention shall be paid to data minimisation. Employers shall not process the data of the suspected employee related to the epidemic beyond the questionnaire. The Authority specifically notes that data related to medical history or medical documentation shall not be requested or processed by the employer!

6. It needs to be emphasized that the employer shall not begin contact investigation; this should be entrusted to the investigating authority having jurisdiction!

7. It is also important to note that the employer shall not conduct medical examinations (e.g. use of a thermometer); however, the professional examination of employees may be initiated through the involvement of healthcare professionals (first and foremost the company doctor).

8. The legal ground for the above data processing is the employer’s legitimate interest; if the medical examination of employees becomes necessary, the exceptional purpose of processing shall be the provision of a healthy workplace.

9. It is recommended that employers favour measures that do not result in the processing of data (following basic hygiene, providing disinfectants, proper cleaning). We would also like to note that the legislation does not allow employers to distribute vitamins, medicine, immune-boosting products, etc. among their employees; therefore these are not legally possible as a preventive measure.
