More guidance on assessment of AI and data transfer from the perspective of data protection
On 20 May 2025, the Finnish Office of the Data Protection Ombudsman published guidance on assessing data protection risks in AI systems
If the use of an artificial intelligence system involves the processing of personal data, its development and deployment must comply with data protection legislation. The use of AI systems is also governed by the EU Artificial Intelligence Act, which entered into force in 2024.
Organizations must assess data protection risks associated with artificial intelligence (AI) systems before processing any personal data. This assessment should be conducted from the perspective of individuals whose data is being processed. To ensure lawful processing, a valid legal basis must always be established. The guidance provides detailed explanations on the applicability of different legal bases. Organizations must clearly define which personal data is necessary and for what purposes it will be used within the AI system. Individuals must be informed transparently and understandably about the processing of their personal data in AI systems. The guidance specifies what information must be provided and under what circumstances the obligation to inform may be waived.
Training on AI and Data Protection
The EDPB introduced two new training modules under its Support Pool of Experts (SPE) projects. These materials serve as a training resource aimed at helping professionals understand how to design and implement AI systems that comply with EU data protection laws, especially the GDPR. Materials are targeted at cybersecurity experts, AI developers, and data protection officers. The two modules are:
· Law & Compliance in AI Security and Data Protection
· Fundamentals of Secure AI Systems with Personal Data
Record-keeping obligation
The EDPB and the European Data Protection Supervisor (EDPS) are preparing a joint opinion on the European Commission’s proposal to simplify GDPR record-keeping obligations for SMEs and small mid-caps and organizations with fewer than 750 employees. This may lead to a targeted amendment of Article 30(5) GDPR, potentially reducing administrative burdens for smaller organizations.
Lexia is here to support you and your organization in ensuring compliance with the AI Act and data protection regulations. Please contact our experts if we can offer our expertise!
Counsel Erika Leinonen, email: [email protected], tel: +358 45 7820 0310
Senior Associate Marko Moilanen, email: [email protected], tel: +358 40 517 0002
Sources:
Office of The Data Protection Ombudsman, Article regarding AI guidelines
Office of The Data Protection Ombudsman, Guidelines for developing AI systems
European Data Protection Board, Guidelines on data transfers and SPE training materials