Overview
With the Guidelines 4/2024 on Artificial Intelligence and Data Protection, the European Data Protection Board (EDPB) specifies how the GDPR applies to AI systems. The aim is to establish uniform standards for supervisory authorities and organisations.
The guidelines are not legally binding but carry significant weight in the interpretation of the GDPR and in regulatory review procedures.
This article explains:
- Scope of the guidelines
- Key statements on legal bases for AI training
- Relationship between GDPR and EU AI Act
- Requirements for data subject rights
- Delineation of responsibilities (controller/processor)
- Practical implications for organisations
Objectives of the Guidelines
The guidelines specifically address:
- Training of AI models with personal data
- Deployment of generative AI
- Profiling and automated decisions
- Transparency and accountability obligations
Practical Relevance
EDPB guidelines serve as a reference benchmark for supervisory authorities and directly influence supervisory practice.
Legal Basis for AI Training
The EDPB clarifies:
- Each phase of AI development constitutes a separate processing operation
- Training, fine-tuning and inference must each be legally assessed
Key Statement
It is not sufficient to assume a blanket legal basis for "AI development".
Instead, the following must be examined:
- What data is being used?
- For what purpose?
- Is there a change of purpose?
Legitimate Interest in Model Training
The EDPB emphasises:
- A balancing of interests must be carried out with particular care
- A high intensity of interference with data subjects' rights may argue against reliance on Art. 6(1)(f)
- Sensitive data increases the risk
Typical assessment factors:
- Reasonable expectations of the data subject
- Nature of the data
- Scope of the processing
- Safeguards in place
Relationship Between GDPR and EU AI Act
The guidelines emphasise:
- The EU AI Act does not replace the GDPR
- Both legal instruments apply cumulatively
Example: A high-risk AI system under the AI Act may simultaneously:
- Trigger a DPIA obligation
- Give rise to transparency obligations under Art. 13/14 GDPR
- Engage Art. 22 GDPR
Dual Assessment
Compliance with the AI Act does not automatically mean GDPR compliance.
Data Subject Rights in AI Systems
The EDPB specifies requirements for:
- Right of access (Art. 15 GDPR)
- Right to erasure (Art. 17 GDPR)
- Right to object (Art. 21 GDPR)
Particularly relevant:
Explanation of Logic
- Data subjects must be able to understand how decisions are made
- A general description of the main criteria is required
Erasure of Training Data
- Organisations must assess whether data can be removed from training datasets
- Technical impossibility does not automatically exempt from the obligation
Delineation of Responsibilities
The EDPB emphasises the precise distinction between:
| Role | Description |
|---|---|
| Controller | Determines purposes and means |
| Processor | Acts on behalf of the controller |
With AI systems, this can be complex:
- Who determines the training purpose?
- Who defines the parameters?
- Who controls the data sources?
Multi-Layered Constellations
AI ecosystems frequently consist of multiple controllers and processors.
Transparency in Generative AI
The EDPB highlights:
- Clear labelling of automated interactions
- Notice of possible errors
- Information about training data categories
Transparency must be:
- comprehensible
- precise
- accessible
Data Protection by Design
The guidelines emphasise:
- Early integration of data protection
- Pseudonymisation
- Data minimisation
- Technical safeguards
This corresponds to Art. 25 GDPR.
AI-Specific Risks
The EDPB identifies in particular:
- Bias
- Discrimination
- Lack of traceability
- Training data transparency
- Changes of purpose
These risks must be documented within the accountability framework.
Practical Implications for Organisations
1. Raise Documentation Standards
- Document training processes
- Specify purpose definitions precisely
- Disclose data provenance
2. Define Roles Clearly
- Controller vs. processor
- Review contractual arrangements
3. Operationalise Data Subject Rights
- Define processes for erasure
- Establish access request mechanisms
- Implement objection review processes
4. Build a Governance Structure
- Appoint AI compliance officers
- Define the interface between GDPR and AI Act
Common Misconceptions
| Assumption | Reality According to EDPB |
|---|---|
| "Training is a one-off pre-processing step" | Each phase must be assessed independently |
| "Open source is not GDPR-relevant" | Commercial use remains regulated |
| "API usage = no responsibility" | Deployer obligations apply |
Strategic Significance
The guidelines make clear:
- AI is subject to strict data protection scrutiny
- Supervisory authorities are developing common standards
- Documentation becomes a central checkpoint
Organisations should therefore act proactively.
Need help implementing?
Work with Creativate AI Studio to design, validate and implement AI systems — technically sound, compliant and production-ready.
Need legal clarity?
For specific legal questions on the AI Act and GDPR, specialised legal advice focusing on AI regulation, data protection and compliance structures is available.
Independent legal advice. No automated legal information. The platform ai-playbook.eu does not provide legal advice.
Next Steps
- Review your AI projects against the EDPB guidelines.
- Document training and processing phases separately.
- Clarify role allocation and responsibilities.
- Implement transparent explanations of logic.
- Integrate GDPR and AI Act assessments into a unified governance system.