Image by Tung Nguyen on Pixabay

Data protection aspects of the use of AI in companies

Use of AI in companies: making data protection legally compliant. GDPR and AI Act explained simply, with tips and practical examples for better compliance.

Artificial intelligence (AI) is revolutionizing business processes, from automated analyses to customer communication. However, the use of AI tools is accompanied by considerable data protection requirements. Entrepreneurs, creative professionals and companies are faced with the challenge of finding a balance between innovation and compliance. In this article, you will find out what you need to bear in mind when using AI from the perspective of the General Data Protection Regulation (GDPR) and the new EU AI Act – in a practical and easy-to-understand way.

Focus on the GDPR

The GDPR regulates the handling of personal data. As soon as AI processes personal data – be it through text analysis, image recognition or customer profiling – the GDPR applies. Important aspects:

  • Legal basis: Companies require a valid legal basis for data processing, such as consent (Art. 6 GDPR).
  • Transparency: Users must be informed which data is processed and for what purpose (Art. 13 GDPR).
  • Data security: Technical and organizational measures (TOMs) are essential to protect data from misuse.

The AI Act: additional requirements for AI systems

With the AI Act, the EU is introducing specific requirements for AI systems. The regulation classifies AI into risk categories and establishes special rules for “high-risk AI”, including:

  • Risk assessment: Companies must prove that their AI systems are safe and compliant.
  • Documentation: Clear documentation of AI development and use is mandatory.
  • Human-centered use: AI must not make decisions without human control if it has a significant impact on individuals.

Practical examples: Data protection problems and solutions

AI-supported customer analysis: An online store uses AI to analyze purchasing patterns. This involves processing data such as click behavior or preferences. It is important that customers are informed about this and give their consent to the analysis.

Applicant management via AI: An AI pre-filters applications. Strict data processing regulations apply here, as sensitive information (e.g. ethnic origin) may be involved. Companies should ensure that the AI works in a non-discriminatory manner and that applicants are informed about the data processing.

Chatbots in customer service: AI-based chatbots store customer data in order to provide personalized answers. Here, companies must ensure that no sensitive information remains unprotected. The deletion of data after use must also be guaranteed.

Steps towards data protection-compliant AI use

  1. Inventory: What data does the AI process? Is it personal data?
  2. Obtain consent: Ensure that users actively consent before their data is processed.
  3. Data protection impact assessment (DPIA): Carry out a DPIA in the event of a potentially high risk (Art. 35 GDPR).
  4. Documentation and evidence: Document all processes to prove compliance.
  5. Continuous review: Regularly evaluate and adapt data protection and AI use.

Our focus on the topic of “AI in the company”

The use of AI opens up exciting opportunities for companies, but also raises many legal questions. Our topic page “AI in the company” provides you with comprehensive information and practical tips on how to use AI safely and effectively.

Contact person

Dennis Tölle

Specialist lawyer for copyright and media law

Florian Wagenknecht

Specialist lawyer for copyright and media law