The General Data Protection Regulation (EU 2016/679) is the EU's core data privacy law. GDPR governs how organizations collect, process, store, and share personal data of EU residents. It requires a lawful basis for processing, data minimization, purpose limitation, and individuals' rights to access and erasure. AI systems that process personal data are subject to GDPR, including AI used for profiling, automated decision-making, or training on personal data. Article 22 specifically restricts purely automated decision-making that significantly affects individuals.
Why this matters for your team
GDPR applies to any AI system that processes data about EU residents — including analytics, profiling, and AI-generated content based on personal data. Start with a signed DPA for every AI vendor that touches EU personal data, and check whether Article 22 (automated decision-making) applies to any AI-driven decisions affecting users.
A company using an AI tool to analyze employee productivity data must comply with GDPR, including notifying employees, establishing a lawful basis for processing, and limiting data retention.