1. Lawfulness: Have a legal basis for processing
2. Purpose limitation: Use data only for stated purposes
3. Data minimization: Collect only what you need
4. Accuracy: Keep data correct and up-to-date
5. Storage limitation: Don't keep data longer than needed
6. Security: Protect data appropriately
7. Accountability: Be able to demonstrate compliance

Direct identifiers:
- Names, emails, phone numbers
- Photos, voice recordings
- IP addresses, device IDs

Indirect identifiers:
- Purchase history + location → identifies person
- Writing style + metadata → could identify person

✓ Training AI on personal data
✓ User inputs containing personal data
✓ AI outputs that include personal data
✓ AI making decisions about individuals
✓ Any processing of EU residents' data

Common bases for AI:
- Consent: User explicitly agreed
- Contract: Necessary for service
- Legitimate interest: Balanced against user rights

⚠️ "We want to train AI" isn't automatically legitimate

If you collected data for "customer support":
❌ Cannot use it to train AI without new consent
❌ Cannot use it for profiling
✓ Can use it to answer that customer's query

❌ "Let's include everything in the prompt, just in case"
✓ "Include only the data needed for this specific task"

Practical: Filter PII before sending to AI APIs

❌ "The AI decided" (black box)
✓ "The decision was based on X, Y, Z factors"

Article 22: Right to not be subject to purely 
automated decisions with significant effects

- Access: What data do you have about me?
- Rectification: Fix incorrect data
- Erasure: Delete my data ("right to be forgotten")
- Portability: Give me my data in usable format
- Object: Stop processing my data

All apply to AI training/processing too

1. Review provider's DPA (Data Processing Agreement)
2. Check where data is processed (US = extra steps)
3. Consider EU-based alternatives if needed
4. Don't send PII if not necessary
5. Document your compliance measures

1. Privacy Impact Assessment before training
2. Document what personal data is in training data
3. Implement deletion mechanisms
4. Enable audit trails
5. Consider differential privacy

1. Inform users AI is processing their input
2. Don't store conversations longer than needed
3. Allow users to request conversation deletion
4. Don't use conversations to retrain without consent
5. Document data flows

❌ "We'll just use customer emails to train our AI"
✓ Obtain specific consent for AI training
✓ Or aggregate/anonymize the data

❌ Send unfiltered customer data to OpenAI
✓ Filter PII first
✓ Or use EU-based AI services
✓ Or have proper transfer mechanisms (DPA)

❌ Users don't know AI is involved
✓ Clear notice: "AI assists with responses"
✓ Explain how data is used

❌ "We can't remove you from our training data"
✓ Have mechanisms to handle deletion
✓ Or don't train on individual data

GDPR: Protects personal data
AI Act: Regulates AI systems themselves

Together:
- High-risk AI needs extensive documentation
- Transparency about AI decision-making
- Human oversight requirements
- Specific rules for generative AI

Unacceptable risk: Banned (social scoring, etc.)
High risk: Strict requirements (HR, credit, etc.)
Limited risk: Transparency requirements
Minimal risk: No special requirements

□ Data mapping: What personal data is involved?
□ Legal basis: Do you have lawful grounds?
□ DPA review: Is your AI provider compliant?
□ Privacy notice: Is AI processing disclosed?
□ DPIA: Is an impact assessment needed?

□ Access controls: Who can see AI outputs?
□ Retention limits: How long is data kept?
□ Subject rights: Can users exercise rights?
□ Monitoring: Are you tracking compliance?
□ Incident response: What if there's a breach?

□ Processing records: What AI processes what?
□ Consent records: When and how obtained?
□ Impact assessments: Risks identified and mitigated?
□ Training: Is staff GDPR-aware?
□ Audit trail: Can you demonstrate compliance?