
GDPR Risks in AI Systems: What Compliance Teams Should Know

GDPR Article 22 restricts automated decision-making with legal or significant effects. AI systems processing personal data must comply with GDPR transparency, data minimization, accuracy, and accountability principles. DPIAs are required for high-risk processing. Organizations mu

June 27, 2026 · By Constantin Razvan Gospodin, Legal AI Risk Manager


The General Data Protection Regulation (Regulation (EU) 2016/679) has been in force since May 2018, and its application to AI systems remains one of the most challenging areas for compliance teams. As organizations deploy machine learning models, natural language processing tools, and predictive analytics across their operations, the intersection of GDPR principles with AI-specific risks creates a complex compliance landscape that requires careful navigation. This article examines the key GDPR risks that compliance teams should understand when evaluating AI systems.

What This Means

AI systems process personal data at scale, often in ways that are opaque to both data subjects and the organizations deploying them. The GDPR was designed before the current wave of generative AI and large-scale machine learning, but its principles apply directly to AI processing. For compliance teams, the central challenge is that AI systems introduce new forms of risk — algorithmic bias, unpredictable outputs, and automated decision-making — that the GDPR anticipates but does not specifically name.

The European Data Protection Board (EDPB) has consistently emphasized that AI does not receive a regulatory exemption from GDPR requirements. The lawfulness of processing (Article 6), purpose limitation (Article 5(1)(b)), data minimization (Article 5(1)(c)), accuracy (Article 5(1)(d)), and accountability (Article 5(2)) all apply to AI systems without modification. What changes is the practical difficulty of demonstrating compliance when the processing logic is embedded in a trained model rather than explicitly coded.

The most significant GDPR risk for AI systems is the combination of automated decision-making under Article 22 with profiling under Article 4(4). When an AI system evaluates personal aspects relating to a natural person to analyze or predict their performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location, or movements, it constitutes profiling. If that profiling is used as the sole basis for a decision with legal or significant effects, Article 22 applies in full.

Compliance teams must also recognize that the GDPR and the EU AI Act operate in parallel. The EU AI Act (Regulation (EU) 2024/1689) classifies certain AI systems as high-risk and imposes additional obligations. A system that is high-risk under Annex III of the EU AI Act may simultaneously process personal data in ways that trigger GDPR obligations. The two frameworks are complementary, not alternative, and compliance with one does not guarantee compliance with the other.

Key Requirements

Article 22 — Automated Decision-Making.

Article 22(1) grants data subjects the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning them or similarly significantly affects them. There are three limited exceptions: when the decision is necessary for a contract, authorized by Union or Member State law, or based on the data subject's explicit consent. Even when an exception applies, suitable safeguards must be in place, including the right to obtain human intervention.

Article 35 — Data Protection Impact Assessment.

When processing is likely to result in a high risk to the rights and freedoms of natural persons, a DPIA is mandatory before processing begins. The EDPB guidelines identify several criteria that commonly apply to AI systems: evaluation or scoring, systematic monitoring, sensitive data, data processed on a large scale, matching or combining datasets, data concerning vulnerable subjects, and innovative use or new technological or organizational solutions. Most AI systems used for recruitment, credit scoring, or health assessment will meet multiple criteria.

Articles 13 and 14 — Transparency Obligations.

Data controllers must provide information about the existence of automated decision-making, including meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject. This is not merely a privacy notice requirement. Organizations must be able to explain, in plain language, how their AI system reaches decisions. For complex neural networks, this is a genuine technical and legal challenge.

Article 5 — Data Quality and Accuracy.

AI systems trained on biased or incomplete datasets produce biased or inaccurate outputs. Under Article 5(1)(d), personal data must be accurate and, where necessary, kept up to date. For AI systems, this means ongoing monitoring of training data quality, validation of model outputs, and processes for correcting data that feeds into automated decisions. Organizations cannot rely on the defense that "the algorithm did it" when outputs are demonstrably inaccurate.

Article 25 — Data Protection by Design and by Default.

Organizations must implement appropriate technical and organizational measures designed to implement data protection principles effectively. For AI systems, this includes privacy-preserving techniques such as differential privacy, federated learning, and data anonymization where appropriate. It also means building data subject rights — access, erasure, rectification — into the system architecture from the design phase.

Article 17 — Right to Erasure.

The right to erasure creates specific challenges for AI systems. When a data subject requests deletion of their personal data, organizations must consider whether the data has been used to train a model. Retraining models to remove the influence of specific data points is technically difficult and, in some cases, practically impossible. This does not eliminate the obligation, but it does require careful documentation of training data and, where feasible, the use of machine unlearning techniques.

Practical Steps

Conduct a GDPR-AI mapping exercise.

For each AI system, document: what personal data is processed, what the legal basis is under Article 6, whether the system makes automated decisions, whether profiling occurs, what the envisaged consequences are for data subjects, and whether a DPIA is required. This mapping should be reviewed whenever the system is modified or deployed for a new purpose.

Review your privacy notices.

Establish a human intervention protocol.

Where Article 22 applies, organizations must provide meaningful human intervention. This is not satisfied by having a human review a small sample of decisions or by allowing a data subject to appeal after the fact. The human must have the authority and competence to change the decision, must consider all relevant data, and must not simply rubber-stamp the AI output. Document this process and train the personnel involved.

Implement data governance for AI.

Document the provenance, quality, and representativeness of training data. Implement procedures for detecting and correcting bias. Maintain records of data preprocessing, feature engineering, and any assumptions made during model development. This documentation serves both GDPR accountability requirements and EU AI Act technical documentation obligations.

Assess the EU AI Act overlap.

If your AI system is high-risk under Annex III of the EU AI Act, you will need both GDPR compliance and EU AI Act compliance. The two frameworks share requirements on risk management, transparency, and human oversight, but they are not identical. Map the requirements of both frameworks to identify gaps and overlaps. A compliance gap in one framework is unlikely to be excused by compliance with the other.

Plan for data subject rights requests.

AI systems must be designed to respond to access, rectification, erasure, and portability requests. Test your procedures before deployment. If you cannot explain how an AI system reached a specific decision, you cannot comply with an Article 15 access request. If you cannot remove personal data from a trained model, you may have a compliance gap that requires mitigation.

Frequently Asked Questions

Does GDPR Article 22 apply to all AI systems?

No. Article 22 of Regulation (EU) 2016/679 applies only to decisions based solely on automated processing, including profiling, that produce legal or similarly significant effects on a data subject. AI systems that support human decision-making without replacing it, or that do not have legal or significant effects, may fall outside Article 22 but remain subject to other GDPR obligations such as lawfulness, transparency, and data minimization.

What is the overlap between GDPR and the EU AI Act?

The GDPR and EU AI Act regulate AI systems from different angles. GDPR focuses on data protection, lawfulness of processing, and individual rights. The EU AI Act focuses on risk classification, conformity, and market access. An AI system used for automated employment decisions, for example, may be high-risk under Annex III of the EU AI Act and simultaneously trigger Article 22 GDPR protections. Organizations must comply with both frameworks simultaneously.

Do I need a DPIA for every AI system?

Not necessarily. A Data Protection Impact Assessment is required under Article 35 GDPR when processing is likely to result in a high risk to the rights and freedoms of natural persons. The EDPB identified criteria including systematic and extensive profiling, large-scale processing of sensitive data, and monitoring of publicly accessible areas. Many AI systems meet these criteria, but each requires individual assessment.

What data subject rights apply to AI systems?

Data subjects retain all GDPR rights regarding AI systems: the right to access (Article 15), right to rectification (Article 16), right to erasure (Article 17), right to restriction (Article 18), right to data portability (Article 20), and right to object (Article 21). For AI systems, the right to access is particularly important because it includes the right to obtain meaningful information about the logic involved in automated decision-making.

What is the 'right to explanation' under GDPR?

The GDPR does not explicitly create a standalone 'right to explanation,' but Article 22(3) requires that data subjects have the right to obtain human intervention, express their point of view, and contest the decision. Recital 71 states that the data subject should have the right to obtain an explanation of the decision reached after assessment. Articles 13 and 14 require transparency about the existence of automated decision-making and meaningful information about the logic involved.

Lexara Advisory LLC provides AI governance consulting and is not a law firm. This article reflects our understanding of applicable regulations as of the date of publication. It does not constitute legal advice. Organizations should consult qualified legal counsel for advice specific to their circumstances.