Data Protection and AI – Guidelines from the German Data Protection Conference

At the end of April, the Austrian Data Protection Authority (DSB) published FAQs on the subject of AI and data protection law. In Germany, the Conference of Independent Data Protection Authorities of the Federal and State Governments (DSK) also released guidelines on May 6, 2024, for the data protection-compliant use of AI applications. The paper includes detailed guidelines for the use of Artificial Intelligence (AI), particularly Large Language Models (LLMs). The DSK's guidelines cover both legal and practical aspects of data protection and AI.

Challenges from a Data Protection Perspective in Selecting AI Applications

The DSK identifies the following areas as presenting the greatest challenges:

  1. Defining Areas of Application: Those responsible must define clear, legally permissible objectives and areas of application that do not require unnecessary handling of personal data.
  2. Data Protection-Compliant Training: Verifying that AI applications have been trained in compliance with data protection laws, particularly whether personal data was used and whether there is a legal basis for its use.
  3. Transparency and Choices: Ensuring that users are adequately informed about the use of their data and have options regarding the use of their data for training purposes or input history.
  4. Adherence to Legal Bases: Each processing step involving personal data requires a clear legal basis, especially for "sensitive" data.
  5. Avoidance of Automated Decisions: AI systems should not be configured to make legally binding decisions without human intervention.

Implementation of AI Applications

When implementing AI applications, the following points should be considered:

  1. Clearly Defining Responsibilities: Organizations must clearly establish who is responsible for data processing. When using external services, appropriate data processing agreements must be set up, and the requirements of Art. 28 GDPR must be observed.
  2. Conducting Data Protection Impact Assessments: Before implementing AI systems, an assessment of data protection risks should be conducted.
  3. Creating Internal Policies: Clear guidelines and training for employees are essential to ensure that AI tools are used responsibly and in compliance with data protection laws.
  4. Ensuring Data Security: Measures must be taken to protect the security of data processed within AI systems.

Use of AI Applications

When using AI applications, special attention must be paid to the following points:

  1. Handling of Data Input and Output: Particular care is needed when personal data is entered into or generated by the AI.
  2. Checking for Discrimination: Results from AI applications should be examined for potentially discriminatory effects. This is to ensure that no unlawful processing of personal data occurs.

The guidelines on AI and data protection include many practical examples and provide interested parties with good guidance on various points.

Do You Have Further Questions on AI and Data Protection Law?

Do you have further questions on AI and data protection? If you need legal advice on similar legal issues concerning artificial intelligence or data protection, please feel free to check out our services. You can also contact us via email at office@geuer.at or by phone at +43-1-4380072. We look forward to your inquiry.

Source: DSK Guidelines on AI and Data Protection Law (German only)
