AI Systems: DPAs advice on GDPR Compliance

Since the introduction of the European Artificial Intelligence Act (“AI Act”) in March this year, guidance and recommendations by various Data Protection Authorities (“DPAs”) have been published. The most recent recommendations of the French Data Protection Authority (“CNIL”) are no different.


The recommendations published by the CNIL focus on General Data Protection Regulation (“GDPR”) compliance in the context of AI system development. Designers and developers of AI systems have often reported to the CNIL that applying the GDPR is challenging for them, particularly when training models.


The scope of the recommendations addresses the development of AI systems involving the processing of personal data, which regularly requires the use of large volumes of information on natural persons. This concerns systems based on machine learning; systems whose operational use is defined from the development phase as well as general purpose systems that can be used for various applications (“general purpose AI”); and systems for which the learning is done “once and for all” as well as those that learn continuously, e.g., using usage data for their improvement. It is also important to note that the recommendations concern the development phase of AI systems, not the deployment phase.

The 7 steps for AI Systems GDPR Compliance

The recommendations also explain how they relate to the AI Act. They set out seven steps:


  • Step 1: Define an objective (purpose) for the AI system
  • Step 2: Determine your responsibilities
  • Step 3: Define the “legal basis” that allows you to process personal data
  • Step 4: Check if you can re-use certain personal data
  • Step 5: Minimize the personal data you use
  • Step 6: Set a retention period
  • Step 7: Carry out a Data Protection Impact Assessment (“DPIA”).

The CNIL has also indicated that it will soon publish new how-to sheets explaining how to design and train models in compliance with the GDPR, covering: retrieval of data from the internet (web scraping) and the use of legitimate interest as a legal basis; the exercise of the rights of access, rectification and erasure; and whether or not to use open licences.

Stay up to date with GDPR Compliance and AI Systems

Furthermore, the German Data Protection Authority (“DSK”) and the United Kingdom’s Information Commissioner’s Office (“ICO”), to name but a few, have also published guidance and recommendations on AI. The European Data Protection Supervisor (“EDPS”) has also published guidelines on generative AI.


While it is expected that more DPAs will publish guidance and recommendations on AI in the coming months, it is imperative that any organization dealing with or using AI is aware of these developments. We, at DPO Consultancy, are monitoring these developments and will communicate further developments as they occur. If your organization has any questions, please contact us, the Experts in Data Privacy, for assistance.