GDPR and AI: What Automated Processing Means for Your Compliance Obligations

Using AI to process personal data creates specific GDPR obligations that many companies are still unaware of. Here's what you need to know before deploying automated systems.

Compliance & Legal · 8 min read · 9 June 2026

The GDPR provisions that govern AI

GDPR's provisions on automated processing are found primarily in Articles 13–14 (transparency), Article 22 (automated decision-making and profiling), and Article 35 (Data Protection Impact Assessments for high-risk processing).

Many companies deploy AI systems that fall within these provisions without realising it — particularly Article 22, which creates specific rights for individuals when decisions affecting them are made solely by automated means.

Article 22: Automated decision-making and profiling

Article 22 gives individuals the right not to be subject to decisions based solely on automated processing where those decisions produce legal or similarly significant effects. This applies to:

• Credit scoring systems that automatically approve or reject applications
• Insurance pricing models that determine premiums without human review
• Recruitment AI that screens or ranks candidates without human oversight
• Content moderation systems that automatically remove accounts or content

Where Article 22 applies, you must: provide meaningful information about the logic involved, implement human review upon request, and allow individuals to contest automated decisions.

Transparency obligations in AI systems

Articles 13–14 require that individuals are informed about the use of their personal data — including when that data is processed by AI systems. The transparency requirements are particularly challenging for complex AI models, where the decision logic is not easily explainable in plain language.

The GDPR standard for AI transparency is 'meaningful information about the logic involved' — not a full technical explanation, but enough that an average person understands how the system works and what factors influenced the decision.

Data Protection Impact Assessments

Article 35 requires a DPIA before deploying processing that is 'likely to result in a high risk to the rights and freedoms of natural persons'. Large-scale AI systems processing personal data at scale almost always qualify.

A DPIA for an AI system must assess: the purposes and necessity of the processing, the risks to individuals (including bias, discrimination, and inaccuracy), and the measures taken to mitigate those risks. It's not a rubber-stamp exercise — it requires genuine analysis of how the system could fail and what safeguards exist.

Practical steps for AI compliance

For companies deploying AI that processes personal data:

1. Map your AI systems: For each system, identify what personal data it processes and what decisions it makes or influences.
2. Assess Article 22 applicability: Does the system make decisions with significant effects, solely by automated means?
3. Conduct DPIAs for high-risk systems: Document the risk assessment and mitigation measures.
4. Update privacy notices: Inform individuals about automated processing in plain language.
5. Implement human review mechanisms: For systems that fall under Article 22, build a process for individual review requests.

BPO providers who handle AI processing on your behalf are data processors under GDPR — ensure your data processing agreement (DPA) with them covers the specific AI processing activities they perform.