Lexara Advisory
Service

GDPR Compliance for AI Systems

GDPR and AI: Double compliance, single governance system. Align automated decision-making, data protection, and AI governance under one operating model.

Article 22

GDPR Article 22 and Automated Decision-Making

Article 22 of the GDPR grants individuals the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects or significantly affects them. When AI systems are involved in such decisions, organizations must assess whether Article 22 applies and what safeguards are required.

The analysis depends on the specific system architecture: does the AI make the final decision, or does it merely inform a human decision? Does the system use profiling that evaluates personal aspects of an individual? The answers determine which obligations apply under the GDPR and how they interact with the EU AI Act.

DPIA

DPIA Requirements for AI Systems

A Data Protection Impact Assessment (DPIA) is required when AI processing is likely to result in a high risk to the rights and freedoms of natural persons. National supervisory authorities may publish lists of processing activities that require a DPIA. AI systems typically fall within these lists when they involve systematic and extensive profiling, automated decision-making, or large-scale processing of sensitive data.

Lexara Advisory supports organizations in conducting DPIAs that address AI-specific risks, including the opacity of algorithmic systems, the potential for discriminatory outcomes, the challenges of data quality in training datasets, and the difficulty of obtaining meaningful consent in complex AI workflows.

Data Governance

Data Governance for AI Training and Inference

GDPR data protection principles apply throughout the AI lifecycle, from training data collection to inference and output. Organizations must ensure that personal data used to train or operate AI systems is processed lawfully, fairly, and transparently.

Key governance considerations include: purpose limitation for data collected for one purpose and repurposed for model training; data minimization in selecting features and training datasets; accuracy of data used to make decisions about individuals; and retention and deletion policies for data that feeds AI systems. The difficulty of explaining how individual data points influence model outputs creates additional governance complexity.

Transparency

Transparency and Explainability Obligations

Articles 13 and 14 of the GDPR require organizations to provide individuals with meaningful information about the logic involved in automated decision-making, as well as the significance and envisaged consequences. For AI systems, this means explaining what factors the system considers, how the system processes them, and what impact the decision may have.

Explainability requirements interact with the EU AI Act's transparency obligations for high-risk AI systems. Organizations should coordinate their GDPR and AI Act transparency documentation so that privacy notices and technical documentation remain consistent and do not contradict each other.

Rights

Rights of Data Subjects in AI Contexts

Data subjects have the right to access, rectification, erasure, data portability, and restriction of processing. In AI contexts, these rights can be difficult to operationalize. How does an individual exercise the right to erasure when their data has been used to train a model? How does data portability apply to AI-generated profiles?

Lexara Advisory helps organizations design governance systems that anticipate these questions and create practical workflows for handling data subject requests involving AI systems. This includes mapping where personal data exists in model training pipelines, inference logs, and decision records.

Overlap

Overlap with the EU AI Act

The GDPR and EU AI Act are separate legal instruments that operate in parallel. The GDPR protects personal data and privacy rights; the EU AI Act regulates AI systems based on risk levels. An AI system may be subject to both frameworks simultaneously.

For example, an AI system used for HR screening that processes personal data of EU residents may require both a GDPR DPIA and an EU AI Act Fundamental Rights Impact Assessment (FRIA). The human oversight requirements in both frameworks should be mapped to avoid conflicting or redundant processes. Lexara Advisory provides gap analysis that identifies these overlaps and helps organizations build integrated compliance evidence.

Common Questions

Frequently Asked Questions

Does GDPR Article 22 apply to AI systems?

Article 22 of the GDPR grants individuals the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects or significantly affects them. AI systems that make or substantially contribute to such decisions may trigger Article 22 obligations. The analysis depends on the specific system, its role in the decision, and the nature of the impact on individuals.

When is a DPIA required for an AI system?

Under GDPR, a Data Protection Impact Assessment (DPIA) is required when processing is likely to result in a high risk to the rights and freedoms of natural persons. AI systems that involve systematic and extensive profiling, automated decision-making, or large-scale processing of sensitive data typically require a DPIA. National supervisory authorities may publish lists of processing activities that require a DPIA.

How does GDPR overlap with the EU AI Act?

The GDPR and the EU AI Act operate in parallel but address different risks. The GDPR protects personal data and privacy rights, including through Article 22 on automated decisions and DPIA requirements. The EU AI Act regulates AI systems based on risk levels, with specific obligations for high-risk AI. An AI system may be subject to both frameworks simultaneously, creating what Lexara calls double compliance obligations.

What transparency obligations apply to AI under GDPR?

Articles 13 and 14 of the GDPR require controllers to inform individuals about the existence of automated decision-making, including profiling, and provide meaningful information about the logic involved, as well as the significance and envisaged consequences of such processing. For AI systems, this means explaining the role of the AI in a decision, the factors considered, and the potential impact on the individual.

What rights do data subjects have in relation to AI decisions?

Under GDPR Article 22, data subjects have the right not to be subject to solely automated decisions with legal or significant effects, unless specific conditions apply. They also have the right to obtain human intervention, to express their point of view, and to contest the decision. These rights apply in addition to standard data subject rights such as access, rectification, erasure, and data portability.

Legal caveat: Lexara Advisory LLC provides AI governance consulting and is not a law firm. The information on this page is for advisory purposes and does not constitute legal advice. GDPR obligations are fact-specific and depend on individual circumstances. Consult qualified legal counsel for matters specific to your organization.

Last Legally Reviewed: 2026-06-27.