AI PlaybookEU

Data Subject Rights in AI Systems

Overview of data subject rights under GDPR in the context of AI-assisted decision-making.

10 June 20252 min read
GDPRData Subject RightsTransparencyArt. 22

Overview

The GDPR grants data subjects comprehensive rights that also apply when AI systems are deployed. Particularly relevant is Art. 22 GDPR -- the right not to be subject to a decision based solely on automated processing.

Relevant Data Subject Rights

Right of Access (Art. 15)

Data subjects have the right to know:

  • Whether their data are being processed
  • Which data are being processed
  • For what purpose the processing takes place
  • Whether automated decision-making including profiling exists

Practical Tip

Prepare standardised responses that transparently explain the use of AI. This saves time and ensures consistent quality.

Right to Rectification (Art. 16)

When AI systems work with erroneous data, data subjects can request correction. This particularly concerns:

  • Input data: Incorrect base data leading to wrong results
  • Profile data: Wrong assignments or categorisations
  • Training data: Where demonstrably erroneous data have influenced the model

Automated Individual Decision-Making (Art. 22)

Particularly important when deploying AI:

  1. General prohibition of automated decisions with legal effect
  2. Exceptions only for contractual necessity, legal authorisation or explicit consent
  3. For permitted automated decisions: right to human review

Implementation in Practice

RightImplementation MeasureDeadline
AccessMaintain AI processing register1 month
RectificationImplement feedback processWithout delay
ErasureDeletion concept for AI data1 month
ObjectionProvide opt-out mechanismWithout delay
ExplanationDeploy explainable AI modelsOngoing

Fine Risk

Violations of data subject rights can be sanctioned with fines of up to EUR 20 million or 4% of annual global turnover (Art. 83(5) GDPR).

Recommendations

  • Implement explainability in your AI systems
  • Ensure that data subjects can easily object
  • Document the logic of automated decisions
  • Provide a human contact person for AI-related enquiries
  • Conduct regular bias checks to avoid discrimination

Implementing Data Subject Rights Technically?

From explainable AI models to opt-out mechanisms — Creativate AI Studio helps you implement the technical requirements of GDPR data subject rights in your AI systems.

Talk to an AI architectDiscuss AI strategy

Need legal clarity?

For specific legal questions on the AI Act and GDPR, specialized legal advice focusing on AI regulation, data protection and compliance structures is available.

Request legal adviceClarify AI Act & GDPR questions

Independent legal advice. No automated legal information. The platform ai-playbook.eu does not provide legal advice.

Related Articles

EU AI Act

Risk Classes of the EU AI Act

The four risk classes of the EU AI Act explained – from minimal risk to prohibited AI practices.

Read more

Responsible AI

Explainability of AI Systems (XAI)

Methods and approaches for explainable AI – why transparency matters and how to implement it.

Read more

GDPR & AI

Art. 13/14 GDPR – Information Obligations for AI Systems

What information obligations apply under Art. 13 and 14 GDPR when deploying AI systems? Transparency requirements, automated decisions, logic explanation and sample wording for AI privacy notices.

Read more