AI PlaybookEU

Art. 5 GDPR – Principles for Processing Personal Data

The seven data processing principles under Art. 5 GDPR – with AI-specific guidance on data minimisation, purpose limitation, accountability and automated systems.

11 February 20265 min read
GDPRArt. 5PrinciplesData MinimisationAccountabilityAI Compliance

Overview

Art. 5 GDPR contains the foundation of European data protection law. The seven principles enshrined therein apply to every processing of personal data -- regardless of whether traditional IT systems or modern AI systems are used.

In the context of artificial intelligence, these principles take on particular significance. Training data, model improvement, automated decisions and algorithmic assessments raise new questions about purpose limitation, data minimisation and accountability.

This article explains:

  • All seven principles in detail
  • Their practical significance in the AI context
  • Typical areas of tension (e.g. ML training vs. data minimisation)
  • Concrete implementation steps for organisations

The Seven Principles under Art. 5 GDPR

Art. 5(1) GDPR defines:

  1. Lawfulness, fairness and transparency
  2. Purpose limitation
  3. Data minimisation
  4. Accuracy
  5. Storage limitation
  6. Integrity and confidentiality
  7. Accountability (Art. 5(2))

Key Point

Art. 5 GDPR is not merely a guideline but directly applicable law with relevance for fines.

Lawfulness, Fairness and Transparency

Content

Personal data may only be processed:

  • on a valid legal basis (Art. 6 GDPR)
  • fairly and comprehensibly
  • transparently towards the data subject

AI-Specific Challenges

  • Opaque model architectures
  • Unclear data sources (e.g. web scraping)
  • Non-transparent decision logic

Transparency does not mean disclosure of source code, but rather:

  • understandable information about the purpose and functionality
  • comprehensible description of the decision logic

Purpose Limitation

Content

Data may only be:

  • collected for specified, explicit and legitimate purposes
  • and not further processed in a manner incompatible with those purposes

Tension in the AI Context

Machine learning thrives on:

  • Data aggregation
  • Subsequent change of purpose
  • Re-training

Example: Data is collected for contract performance -- later used for model training.

This raises the question:

  • Is the training covered by the original purpose?
  • Does a change of purpose exist?
  • Is a new legal basis required?

Common Mistake

Many organisations do not explicitly document the training purpose -- this can violate the purpose limitation principle.

Data Minimisation

Content

Only data that is:

  • adequate for the purpose
  • relevant
  • and limited to what is necessary

may be processed.

Conflict with Machine Learning

ML models often benefit from:

  • Large volumes of data
  • Broad data diversity
  • Long-term data storage

This creates a tension:

ML LogicData Protection Principle
More data = better modelsOnly process necessary data

Possible approaches:

  • Feature selection
  • Pseudonymisation
  • Federated Learning
  • Differential Privacy

Accuracy

Content

Data must be:

  • factually correct
  • up to date
  • rectified or erased where necessary

AI-Specific Issues

  • Training data contains errors
  • Models reproduce outdated information
  • Generative AI can produce incorrect content

Relevant questions:

  • How are training data validated?
  • How are erroneous data corrected?
  • How are model bias risks addressed?

Storage Limitation

Content

Data may only be stored for as long as is necessary for the purpose.

Challenge with AI

  • Training data is often stored long-term
  • Models contain implicit data representations

Open question: When does a model constitute "storage of personal data"?

A differentiated case-by-case assessment is required here.

Integrity and Confidentiality

Content

Appropriate technical and organisational measures (TOMs) are required to:

  • prevent unauthorised access
  • avoid data loss
  • prevent manipulation

Relevant in the AI context:

  • API security
  • Access controls
  • Model protection against prompt injection
  • Logging and monitoring

Accountability

Content

The controller must:

  • be able to demonstrate compliance with all principles

This is the central compliance mechanism of the GDPR.

Burden of Proof

It is not the authority that must prove the violation -- the organisation must be able to demonstrate compliance.

Accountability for AI Systems

Required measures include:

  • Records of processing activities
  • Documentation of the legal basis
  • Risk analysis
  • Data Protection Impact Assessment where applicable
  • Training data documentation
  • Governance processes

Here the GDPR overlaps with the EU AI Act.

Connection to the EU AI Act

GDPREU AI Act
Data protectionFundamental rights protection
AccountabilityRisk management
DPIAFundamental Rights Impact Assessment
TransparencyTransparency obligations

Both legal frameworks apply in parallel.

Practical Implementation for Organisations

Step 1 -- Data Inventory

  • Which personal data are being processed?
  • Where do they originate from?
  • For what purpose?

Step 2 -- Purpose Definition

  • Is the training purpose documented?
  • Is it compatible with the original collection purpose?

Step 3 -- Minimisation Strategy

  • Can data be reduced?
  • Is anonymisation or pseudonymisation possible?

Step 4 -- Governance

  • Are responsibilities clearly defined?
  • Are documentation obligations fulfilled?
  • Are accountable processes implemented?

Need help implementing?

Work with Creativate AI Studio to design, validate and implement AI systems — technically sound, compliant and production-ready.

Talk to an AI architectDiscuss AI strategy

Need legal clarity?

For specific legal questions on the AI Act and GDPR, specialized legal advice focusing on AI regulation, data protection and compliance structures is available.

Request legal adviceClarify AI Act & GDPR questions

Independent legal advice. No automated legal information. The platform ai-playbook.eu does not provide legal advice.

Next Steps

  1. Review your AI projects against the seven principles.
  2. Explicitly document purpose and legal basis.
  3. Assess data minimisation and storage strategies.
  4. Implement transparent governance structures.
  5. Conduct a DPIA where there is increased risk.

Need help implementing?

Work with Creativate AI Studio to design, validate and implement AI systems — technically sound, compliant and production-ready.

Talk to an AI architectDiscuss AI strategy

Need legal clarity?

For specific legal questions on the AI Act and GDPR, specialized legal advice focusing on AI regulation, data protection and compliance structures is available.

Request legal adviceClarify AI Act & GDPR questions

Independent legal advice. No automated legal information. The platform ai-playbook.eu does not provide legal advice.

Related Articles

GDPR & AI

Art. 6 GDPR – Lawfulness of Processing

The six legal bases under Art. 6 GDPR in detail – with particular focus on AI systems, consent, legitimate interest and purpose change for model training.

Read more

GDPR & AI

Art. 35 GDPR – Data Protection Impact Assessment (DPIA) for AI Systems

When is a Data Protection Impact Assessment required under Art. 35 GDPR for AI systems? Structure, process, AI-specific risks and connection to the EU AI Act.

Read more

EU AI Act

High-Risk AI Systems under Annex III EU AI Act

Which AI systems qualify as high-risk under the EU AI Act? Complete overview of Annex III areas, exceptions under Art. 6(3) and all compliance obligations for providers and deployers.

Read more