Grin logo
de en es fr
Shop
GRIN Website
Publish your texts - enjoy our full service for authors
Go to shop › Computer Sciences - Artificial Intelligence

Processing Personal Data under the EU AI Act

Interaction and Conflict with the GDPR

Title: Processing Personal Data under the EU AI Act

Seminar Paper , 2026 , 4 Pages , Grade: 1,3

Autor:in: Marlon Müller (Author)

Computer Sciences - Artificial Intelligence
Excerpt & Details   Look inside the ebook
Summary Excerpt Details

The growing use of artificial intelligence increasingly relies on the processing of personal data, bringing the EU AI Act and the GDPR into direct interaction. This paper explores how both regulatory frameworks apply to providers and deployers of AI systems, identifies areas of overlap, conflict, and regulatory gaps, and examines the legal implications of the AI Act’s debiasing exception. The analysis shows that compliance with AI and data protection law requires a nuanced understanding of their complex relationship.

Excerpt


Table of Contents

Introduction

Two Frameworks, One Actor

Parallel Obligations

Transparency Obligations

Data Governance

Right to be Forgotten

The Debiasing Exception

Proxy characteristics

No debiasing without personal data

Conclusion

Objectives and Topics

This paper examines the complex regulatory intersection between the General Data Protection Regulation (GDPR) and the Artificial Intelligence Act (AIA), specifically focusing on how these frameworks affect providers of high-risk AI systems. It explores whether the relationship between these regulations is merely additive or characterized by structural tensions and legal gaps.

  • The role mapping between data controllers/processors and AI providers/deployers.
  • Comparative analysis of transparency obligations under GDPR and AIA.
  • Tensions between data governance requirements and the principle of data minimization.
  • Challenges regarding the "Right to be Forgotten" in the context of trained AI models.
  • The debiasing exception in Article 10(5) AIA and its reliance on processing special categories of personal data.

Excerpt from the Book

Two Frameworks, One Actor

In both regulations there are distinct roles that entities can take on and that have different legal obligations. The GDPR distinguishes between data controllers and data processors, while the AIA distinguishes between providers and deployers of AI systems. In practice the roles of the two frameworks do not map onto each other statically, even though they often overlap if personal data that falls under the GDPR is involved.

During the development and training of an AI system the provider can usually be considered to be the data controller, as it determines the purposes and means of the processing of personal data. Even though the provider can still give instructions to the deployer during the deployment phase on how to use the system and how to handle personal data, these constraints are merely technical and are not sufficient to make the provider a data processor during deployment. This role will be taken on by the deployer instead, as he keeps control over the purposes of the processing of personal data and, most crucially, can control who is a data subject, usually customers of the deployer, of that processing.

If the inference does not run on the deployer’s infrastucture and personal data flows to the server the AI system is hosted on, the natural or legal person that operates that server, which is either the provider, importer or distributor of the AI system, can be considered a data processor during inference. If the system is self-hosted by the deployer, the provider exits the processing chain entirely and is not subject to GDPR after deployment.

While the mapping of these roles is grounded in the legal definitions of the two frameworks and the practical realities of AI development and deployment, there may nevertheless be edge cases or legal and contractual constellations in which this mapping does not hold.

Summary of Chapters

Introduction: Outlines the regulatory overlap between the GDPR and the AIA regarding the processing of personal data in AI systems.

Two Frameworks, One Actor: Analyzes the mapping of roles between GDPR controllers/processors and AIA providers/deployers.

Parallel Obligations: Discusses the simultaneous application of both regulatory frameworks to high-risk AI systems.

Transparency Obligations: Compares the differing purposes and audiences of the transparency requirements in both frameworks.

Data Governance: Addresses the conflict between the need for large, representative datasets and the GDPR principle of data minimization.

Right to be Forgotten: Explores the technical and legal challenges of implementing deletion rights within encoded AI model parameters.

The Debiasing Exception: Examines Article 10(5) AIA as a mechanism that allows the processing of sensitive data for debiasing purposes.

Conclusion: Synthesizes the findings and emphasizes the need for a provision-by-provision compliance approach.

Keywords

Artificial Intelligence Act, AIA, General Data Protection Regulation, GDPR, Personal Data, Data Controller, Data Processor, Transparency, Data Minimization, Right to be Forgotten, Debiasing, Proxy characteristics, Compliance, High-risk AI, Regulatory overlap.

Frequently Asked Questions

What is the primary focus of this paper?

The paper focuses on the legal interaction and potential conflicts between the EU's Artificial Intelligence Act and the General Data Protection Regulation when applied to high-risk AI systems.

What are the central thematic fields covered?

The main themes include role distribution, transparency requirements, data governance, the right to deletion, and the specific exception provided for debiasing AI systems.

What is the central research question?

The research asks how the co-regulation of AI systems affects providers and whether the relationship between the two frameworks is strictly additive or fraught with structural contradictions.

What scientific methodology is applied?

The author performs a comparative legal analysis, mapping regulatory roles and examining specific articles from both the GDPR and the AIA to identify areas of synergy or conflict.

What does the main body address?

The main body examines the practical realities of training AI, the differences in transparency mandates, the tension between data quality and minimization, and the legal hurdles of "unlearning" data.

Which keywords characterize the work?

Key terms include AIA, GDPR, data processing, compliance, debiasing, and the right to be forgotten.

Why is the "Right to be Forgotten" particularly difficult in AI?

Because personal data used for training is encoded into model parameters rather than stored traditionally, making the identification and removal of specific data points technically complex.

What is the significance of the "debiasing exception"?

It represents a rare instance where the AIA creates a direct interaction with the GDPR, allowing the processing of special categories of sensitive personal data to ensure AI models are non-discriminatory.

Excerpt out of 4 pages  - scroll top

Details

Title
Processing Personal Data under the EU AI Act
Subtitle
Interaction and Conflict with the GDPR
College
Technical University of Munich  (School of Social Sciences and Technology)
Course
AI Regulation & Law
Grade
1,3
Author
Marlon Müller (Author)
Publication Year
2026
Pages
4
Catalog Number
V1736296
ISBN (PDF)
9783389195321
Language
English
Tags
GDPR AIA AI Act EU Datenschutz Datenschutzgrundverordnung DSGVO Personal Data
Product Safety
GRIN Publishing GmbH
Quote paper
Marlon Müller (Author), 2026, Processing Personal Data under the EU AI Act, Munich, GRIN Verlag, https://www.grin.com/document/1736296
Look inside the ebook
  • Depending on your browser, you might see this message in place of the failed image.
  • Depending on your browser, you might see this message in place of the failed image.
  • Depending on your browser, you might see this message in place of the failed image.
  • Depending on your browser, you might see this message in place of the failed image.
Excerpt from  4  pages
Grin logo
  • Grin.com
  • Shipping
  • Contact
  • Privacy
  • Terms
  • Imprint
  • Withdraw Contract