GDPR Archives - TechGDPR
https://techgdpr.com/blog/tag/gdpr/ (feed generated Wed, 26 Nov 2025 15:17:19 +0000)

AI Data Retention Strategy under the GDPR and the EU AI Act: Reconciling the Regulatory Clock
https://techgdpr.com/blog/reconciling-the-regulatory-clock/ | Wed, 26 Nov 2025 15:11:23 +0000
Artificial Intelligence (AI) is reshaping industries, but organizations developing AI systems face a critical, often overlooked strategic risk: managing the retention of training data in compliance with European Union (EU) law. The GDPR emphasizes rapid deletion of personal data, while the EU AI Act requires long-term archival of system documentation. Navigating these conflicting requirements is essential for legal compliance, operational efficiency, and risk mitigation. An effective AI data retention strategy under the GDPR and the EU AI Act is therefore indispensable for organisations developing, deploying, or governing artificial intelligence systems in the European Union.

Executive Summary: The Dual Compliance Imperative and Strategic Findings

Organisations that leverage advanced data processing, particularly those developing complex Artificial Intelligence (AI) systems, face a critical and often unrecognized strategic risk: the prolonged retention of training data. European Union (EU) law establishes conflicting imperatives regarding data lifecycle management, creating a fundamental compliance challenge. The General Data Protection Regulation (GDPR) mandates personal data erasure as soon as the data is no longer required for its established purpose, while the newly implemented EU AI Act demands lengthy archival of system documentation.

The GDPR is the primary constraint on personal data, and the AI Act governs long-term retention of non-personal audit and system records.

The Inescapable Regulatory Conflict: Delete Now vs. Document for a Decade

The core of the conflict lies in the tension between personal data protection and system accountability. The GDPR is clear: personal data must be erased once its specific processing purpose is fulfilled. This is enforced by the Storage Limitation Principle (Article 5(1)(e)). Retention beyond this defined necessity, even if the data might be useful for future research or system retraining, is deemed a direct violation unless a new, distinct, and lawful purpose is established.

Conversely, the EU AI Act introduces stringent requirements for system traceability, particularly for High-Risk AI Systems (HRAS). Providers of HRAS must maintain comprehensive technical documentation, quality management system records, and conformity declarations for up to 10 years after the system is placed on the market (Article 18, EU AI Act). This requirement applies to system records, ensuring long-term accountability, but does not override the fundamental protection afforded to individuals’ data under the GDPR.

The GDPR Foundation: The “Storage Limitation” Principle

The entire framework of data retention under EU law rests on the GDPR’s Storage Limitation Principle (Article 5(1)(e)). This foundational rule dictates that personal data must be kept “for no longer than is necessary for the purposes for which the personal data are processed.” This is the core principle driving all retention decisions.

Personal data shall be:
(e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) subject to implementation of the appropriate technical and organisational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject (‘storage limitation’); 
GDPR Article 5(1)(e)

The GDPR does not set generic retention times; instead it places the full burden on the data controller to define, document, and justify a specific deletion timeline for every category of data. If personal data (which is defined broadly to include information beyond PII, such as cookie IDs) is used to train a system, the retention clock starts ticking. The GDPR is unambiguous: personal data must be erased once its specific processing purpose is fulfilled. Retention beyond that point, even for potential future research, is a direct violation unless a new, distinct, and lawful purpose is established.

Defining the Critical Strategic Risk of GDPR Non-Compliance

The strategic risk is precisely defined by failing to establish, document, and legally justify a specific deletion timeline for every category of personal data used in the training process. The absence of generic retention times in the GDPR places the full burden of definition and justification squarely upon the data controller.

This environment forces organizations to confront a critical trade-off: is the unproven, speculative future value of raw personal data worth the risk of fines and potential data breaches? The calculation strongly favors deletion, because:

  • Failing to define and document specific deletion timelines exposes organizations to GDPR violations.
  • Retaining data for future retraining or academic purposes is legally indefensible once the initial training purpose is fulfilled.
  • Financial penalties for non-compliance can exceed the cost of implementing compliant, minimal-data systems.

The EU AI Act Layer: Traceability and Documentation

The EU AI Act introduces a layered approach to retention centered on system accountability rather than individual personal data. The rules are tied to the system’s risk profile, with High-Risk AI Systems (HRAS) (EU AI Act, Chapter 3) having the most stringent obligations.

Data Governance (Article 10) for HRAS requires that training, validation, and testing data sets be relevant, representative, and free of errors. While not a direct retention rule, this implicitly requires maintaining data sets for a period necessary for auditing and quality checks during the development phase.

The most critical requirement is Documentation Retention (Article 18): HRAS providers must keep key records (Technical Documentation, Quality Management System, conformity declarations, etc.) for 10 years after the system is placed on the market. This 10-year rule applies to documentation, quality records and metadata, not to the raw personal data itself, which must be deleted sooner under the GDPR. It is vital to understand that this does not override the GDPR’s Storage Limitation Principle (Article 5(1)(e)).

Raw personal data used for training must still be deleted sooner. However, the requirement for Record-Keeping (Logging) (Article 12) means that systems must automatically record events and usage logs. While these logs should ideally be anonymised, their retention period must be “appropriate”, which extends the record-keeping timeline for non-personal data. This mandates a long-term, non-personal data retention strategy that must be carefully integrated with the strict, short deletion cycles required by the GDPR for raw personal data.

Blending the GDPR and EU AI Act Requirements

The intersection of the GDPR and the EU AI Act necessitates a blended compliance strategy, particularly concerning purpose and identification. The GDPR’s Purpose Limitation principle (Article 5(1)(b)) demands that the purpose for processing, such as system training, be explicitly defined. This definition directly dictates the maximum legal retention period for personal data.

Personal data shall be:
(b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1), not be considered to be incompatible with the initial purposes (‘purpose limitation’);
GDPR Article 5(1)(b)

Implementing De-Identification in Your AI Data Retention Strategy under the GDPR and the EU AI Act

The best path for long-term data use is de-identification:

  • Pseudonymisation only reduces identifiability; the data remains personal data under the GDPR and the Storage Limitation Principle still applies.
  • Anonymisation is the only legal release valve. If the data is permanently and irreversibly stripped of identifiers, it is no longer considered personal data (GDPR Recital 26). Therefore, it can be retained indefinitely.

It’s critical to remember that while the raw personal data must be deleted, the trained system itself (the output) can be retained.

Reconciling the GDPR’s Right to Erasure with the EU AI Act Traceability

The most direct legal challenge is reconciling the GDPR’s Right to Erasure (Article 17) with the ongoing need for system traceability under the AI Act. If a system is trained on personal data, the controller must maintain the technical ability to honor an erasure request.

This is the Purpose Limitation Conflict: if the initial purpose (training) is complete, retaining the raw personal data is a violation of the GDPR. Developers must implement technical solutions like secure deletion protocols immediately after a system is finalised. Using robust, irreversible anonymisation is the only way to retain data sets without triggering the GDPR’s strict retention clock.

When facing overlapping regulations, the GDPR always acts as the primary constraint on personal data. Its Storage Limitation Principle sets the hard ceiling for raw personal data retention, regardless of the EU AI Act’s documentation rules.

The crucial legal distinction is that PII and other personal data used to create the system must be subject to rigorous deletion procedures the moment the training purpose ends. The technical documentation, metadata, and system logs (which should contain no personal data) are then subject to the EU AI Act’s extended 10-year retention rules. This hierarchy demands that the deletion process (the GDPR) must happen first, leaving only the audit trail (EU AI Act) behind.

The documentation required under the EU AI Act must serve dual purposes: it must confirm the system’s data quality (EU AI Act) and must also provide evidence of the deletion or robust anonymization event, confirming that the GDPR timeline was honored.

Table: Comparison of differences

Summary              | GDPR (Personal Data Protection)                                    | EU AI Act (HRAS Accountability)
Asset                | Raw PII, pseudonymous data, identifiable metadata                  | Technical documentation, QMS, system logs (non-personal), conformity records
Core principle       | Storage limitation (delete when purpose ends)                      | Accountability & traceability (document for 10 years)
Max retention period | Defined by the controller’s justified purpose (short/medium term)  | 10 years after the system is placed on the market
Legal hierarchy      | Primary binding constraint on identifiability                      | Governs the necessary audit trail after GDPR constraints are met
Highest penalty risk | 4% of global annual turnover (financial)                           | Operational disruption, market access denial

The Financial & Operational Cost of AI Data

Compliance is not just a cost, but a powerful risk mitigator. Storing raw personal data beyond the necessary period is a direct violation of the GDPR’s Storage Limitation Principle. This exposes an organisation to fines of up to 4% of global annual turnover (GDPR Article 83).

Beyond the fines, excessive data retention creates massive operational liability. Longer storage times mean higher infrastructure costs and a larger surface area for security breaches. Every day the data is held, the probability of a costly Data Subject Request (DSR) increases, demanding expensive legal and technical personnel to fulfill. Compliant, timely deletion is ultimately the most financially responsible strategy.

Should you store raw personal data for training?

Organisations often retain raw data for perceived future utility, perhaps for retraining a system. The GDPR forces a hard strategic trade-off: is the speculative future value of that raw personal data worth the immediate, tangible risk of massive fines and data breaches?

The EU AI Act demands auditable records, but these should be built from fully anonymised data or non-personal metadata. The cost calculation is simple: the threat of a financial penalty for retaining personal data too long is a far greater risk and potential cost than developing a compliant, data-minimal system. A mature data strategy prioritises de-identification and deletion over retention, significantly reducing the organisation’s regulatory and financial exposure.

Data Type                          | Legal Status                       | Retention Requirement                                                                         | Effect on AI Systems
Raw personal data (PII)            | Personal data under the GDPR       | Must be deleted as soon as the training purpose ends (Article 5(1)(e))                        | Limits availability for retraining; requires technical deletion pipelines; increases compliance complexity if data spans multiple systems
Pseudonymised data                 | Still personal data under the GDPR | Same as raw personal data; cannot be retained for the 10-year audit                           | Limited utility for internal processing, but retention beyond purpose is legally risky; still triggers Data Subject Requests and fines if not deleted
Irreversibly anonymised data       | Non-personal data (Recital 26)     | Can be retained indefinitely                                                                  | Supports long-term model auditing, retraining, bias checks, and EU AI Act traceability; safe to store for 10-year audit requirements
Metadata / technical documentation | Non-personal data                  | Retention required for up to 10 years under the EU AI Act (Articles 10, 18)                   | Supports HRAS compliance; ensures traceability without exposing personal data; must be designed to avoid inclusion of PII
System logs                        | Non-personal / anonymised          | Retention period must be “appropriate”, often aligned with the EU AI Act 10-year audit        | Enables audit and monitoring; must be anonymised to avoid GDPR violations; operational impact includes storage and secure access management

Strategic Recommendations

The regulatory landscape governing AI development in the EU is defined by a critical tension:

  1. the immediate obligation to protect individual privacy (GDPR) and
  2. the extended obligation to ensure system safety and traceability (EU AI Act).

Compliant data management requires recognizing the GDPR’s Storage Limitation Principle as the absolute constraint on personal data retention. This is regardless of the EU AI Act’s documentation timelines. The solution is architectural separation, where raw personal data is subject to automated deletion, and the audit trail is constructed exclusively from non-personal, irreversibly anonymized assets.
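As an added illustration of the architectural separation described above (example code written for this page, not TechGDPR’s or any regulator’s), the following Python retention check classifies assets using this post’s data-type categories and computes each one’s deadline: personal data (raw or pseudonymised) is scheduled for deletion when its documented training purpose ends, anonymised data has no deadline, and AI Act documentation and logs run on the 10-year clock from placing on the market. The asset names and dates in the sample inventory are constructed assumptions, and a log store that still holds identifiers is flagged as a conflict because the GDPR clock, not the AI Act clock, governs it.

```python
"""Retention-deadline check for AI training assets (added example, not TechGDPR code).

Encodes the hierarchy the post describes: the GDPR storage-limitation clock
governs anything that is personal data (raw or pseudonymised), while the
EU AI Act's 10-year documentation clock governs only non-personal records.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date
from enum import Enum
from typing import Optional


class Category(Enum):
    """Asset categories taken from the post's data-type table."""
    RAW_PERSONAL = "raw personal data (PII)"
    PSEUDONYMISED = "pseudonymised data"
    ANONYMISED = "irreversibly anonymised data"
    TECH_DOCS = "metadata / technical documentation"
    SYSTEM_LOGS = "system logs"


AI_ACT_DOC_YEARS = 10  # Article 18 EU AI Act: 10 years after placing on the market


@dataclass
class Asset:
    asset_id: str
    category: Category
    purpose_end: Optional[date] = None        # documented end of the training purpose
    placed_on_market: Optional[date] = None   # start of the AI Act clock
    contains_personal_data: bool = False      # e.g. logs that were never anonymised


@dataclass
class SweepResult:
    delete_now: list[str] = field(default_factory=list)
    retain_until: dict[str, Optional[date]] = field(default_factory=dict)  # None = indefinite
    audit_trail: list[dict] = field(default_factory=list)  # evidence of deletion events
    conflicts: list[str] = field(default_factory=list)     # personal data in the audit layer


def is_personal(asset: Asset) -> bool:
    """Pseudonymised data is still personal data; so is any record holding identifiers."""
    return (asset.category in (Category.RAW_PERSONAL, Category.PSEUDONYMISED)
            or asset.contains_personal_data)


def add_years(d: date, years: int) -> date:
    try:
        return d.replace(year=d.year + years)
    except ValueError:  # 29 February in a non-leap target year
        return d.replace(year=d.year + years, day=28)


def retention_deadline(asset: Asset) -> tuple[str, Optional[date]]:
    """Return (governing rule, deadline); a None deadline means indefinite retention."""
    if is_personal(asset):
        if asset.purpose_end is None:
            raise ValueError(f"{asset.asset_id}: personal data without a documented purpose end")
        return ("GDPR Art. 5(1)(e) storage limitation", asset.purpose_end)
    if asset.category is Category.ANONYMISED:
        return ("GDPR Recital 26: not personal data", None)
    if asset.placed_on_market is None:
        raise ValueError(f"{asset.asset_id}: AI Act record without a placed-on-market date")
    return ("EU AI Act Art. 18 documentation retention",
            add_years(asset.placed_on_market, AI_ACT_DOC_YEARS))


def sweep(assets: list[Asset], today: date) -> SweepResult:
    """Decide, per asset, whether it is deleted today or retained, and record the evidence."""
    result = SweepResult()
    for asset in assets:
        rule, deadline = retention_deadline(asset)
        if asset.category in (Category.TECH_DOCS, Category.SYSTEM_LOGS) and asset.contains_personal_data:
            result.conflicts.append(
                f"{asset.asset_id}: {asset.category.value} still holds personal data; "
                "the GDPR clock applies, not the 10-year AI Act clock")
        if deadline is not None and deadline <= today:
            result.delete_now.append(asset.asset_id)
            # The deletion event itself is non-personal and belongs with the AI Act documentation.
            result.audit_trail.append({
                "asset_id": asset.asset_id, "event": "deleted", "rule": rule,
                "deadline": deadline.isoformat(), "executed": today.isoformat()})
        else:
            result.retain_until[asset.asset_id] = deadline
    return result


# Constructed sample inventory (identifiers and dates are assumptions, not from the post).
SAMPLE_ASSETS = [
    Asset("train-2024-raw", Category.RAW_PERSONAL, purpose_end=date(2025, 6, 30)),
    Asset("train-2024-pseudo", Category.PSEUDONYMISED, purpose_end=date(2025, 6, 30)),
    Asset("train-2024-anon", Category.ANONYMISED),
    Asset("tech-doc-v1", Category.TECH_DOCS, placed_on_market=date(2025, 9, 1)),
    Asset("inference-logs", Category.SYSTEM_LOGS, placed_on_market=date(2025, 9, 1),
          purpose_end=date(2026, 3, 1), contains_personal_data=True),
]


def run_sample(today_iso: str = "2025-11-26") -> SweepResult:
    return sweep(SAMPLE_ASSETS, date.fromisoformat(today_iso))


if __name__ == "__main__":
    r = run_sample()
    print("delete now:", r.delete_now)
    print("retain until:", {k: (v.isoformat() if v else "indefinite") for k, v in r.retain_until.items()})
    print("conflicts:", r.conflicts)
```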

TL;DR

  • Under the GDPR, personal data must be deleted once its specific purpose is fulfilled. This limits how long raw training data can be stored.
  • For AI developers, this means models cannot indefinitely rely on historical raw personal data. This can potentially impact retraining strategies and model evolution.

The post AI Data Retention Strategy under the GDPR and the EU AI Act: Reconciling the Regulatory Clock appeared first on TechGDPR.

GDPR Compliance for AI: Managing Cross-Border Data Transfers
https://techgdpr.com/blog/gdpr-compliance-for-ai-managing-cross-border-data-transfers/ | Wed, 23 Jul 2025 07:33:02 +0000
Artificial intelligence (AI) relies on large and varied datasets to train models and enhance functionality. AI often operates across borders, yet data protection regulations such as the EU General Data Protection Regulation (GDPR) impose stringent controls on transferring personal data abroad.

The question is obvious: how do businesses employ global AI systems while continuing to comply with the GDPR’s cross-border data transfer rules? Answering it requires understanding the link between AI and personal data, and the legal landscape governing cross-border transfers.

Understanding the AI and the GDPR Landscape

Artificial intelligence systems typically need enormous amounts of data, which may include personal data. This data is typically obtained from various jurisdictions and processed using cloud platforms, data centers, and development teams in various countries. This worldwide infrastructure complicates GDPR compliance, since the GDPR restricts the transfer of personal data beyond the European Economic Area (EEA) and the United Kingdom.

The GDPR is grounded in the fundamental principles of lawfulness, fairness, transparency, purpose limitation, and data minimization. It also requires accuracy, storage limitation, integrity, confidentiality, and accountability. Any AI system that involves personal data must adhere to these principles, even when the data is transferred.

Cross-border data transfers happen when personal data is moved from the EEA to a third country. They are addressed by Chapter V of the GDPR, which dictates the legal frameworks organisations must follow. Since most AI systems involve international data processing, virtually all of them are confronted with this regulatory challenge.

Focal Compliance Challenges in Cross-Border AI Projects

There are a few challenges that make it hard to regulate cross-border data in AI:

  • Terabytes of information: AI systems ingest text, images, video, audio, and behavioral data in volumes that older compliance procedures find difficult to keep up with. Collecting, categorizing, and safeguarding these datasets across borders is no small challenge.
  • Pseudonymization risks: So-called anonymized data can in fact facilitate re-identification, particularly when combined with additional datasets. It is important to understand the difference between pseudonymized and anonymized data.
  • Lack of transparency: Most AI systems, especially deep learning-based systems, are “black boxes.” This lack of interpretability may hinder an organization’s ability to demonstrate compliance with the GDPR, especially with purpose limitation and data minimization.
  • Shifting rules: National authorities and the European Data Protection Board (EDPB) regularly update their guidance on AI, international transfers, and how the two interact, and requirements keep mounting with the arrival of legislation such as the EU AI Act.
  • Third-party risk: Third-party data suppliers, cloud vendors, and outsourced data processors are increasingly part of the AI supply chain. Unless they are properly managed, they bring inherent third-party risk through non-compliance, data loss, or unauthorized transfers.

Legal Frameworks for GDPR-Compliant Cross-Border Transfers

The GDPR provides a range of legal frameworks for cross-border transfers of personal data beyond the EEA, depending on conditions and limitations.

  • Adequacy decisions are among them. The European Commission may determine that a non-EEA country ensures “adequate” protection for personal data, in which case data can flow freely. Such decisions have been granted to Japan and Switzerland, and to the United States under the new EU–U.S. Data Privacy Framework. Adequacy decisions are not absolute, however, and can be invalidated, as happened with Privacy Shield.
  • For transfers to countries without an adequacy decision, Standard Contractual Clauses (SCCs) are the most commonly used mechanism. The clauses are meant to ensure that the protection of internationally transferred data is not reduced below EU levels. Since the Schrems II judgment, organizations must perform Transfer Impact Assessments and introduce supplementary safeguards in order to lawfully rely on SCCs.
  • Binding Corporate Rules (BCRs) are a further option for multinationals. They are internal codes of conduct that must be approved by a data protection authority and are legally enforceable across the corporate group. They are a scalable solution for intragroup data transfers, but obtaining approval can be time-consuming and costly.
  • The GDPR also provides limited derogations for specific situations, including where the individual gives explicit consent or where a transfer is necessary for the performance of a contract. These exceptions are narrow and must not be generalized or used for bulk transfers.

Practical Steps to Remain Compliant

To effectively administer cross-border data transfers, follow these best practices:

  • Map data flows: Determine where personal data comes from, where it is processed, and where it travels.
  • Perform Data Protection Impact Assessments (DPIAs): DPIAs for higher-risk AI projects identify risks of discrimination and bias, as well as data protection and transfer risks.
  • Improve data governance: Establish policies and roles that make operational, technical, and legal teams accountable. This ensures consistency and accountability when dealing with personal data.
  • Enforce security controls: Organizational and technical controls are also required. These include secure development of AI models, access controls, pseudonymization, and encryption. Regular security audits and penetration tests help address threats that affect cross-border transfers.
  • Manage third parties: Secure sound data processing terms and ensure all suppliers comply with the GDPR. Any AI supplier or cloud provider handling personal data on your behalf must be subject to rigorous due diligence. This includes negotiating sound DPAs and ensuring vendors apply GDPR-level controls.
  • Train your staff: Make sure staff are educated about their role in AI and the international processing of data. A specific incident response plan also needs to be created to handle any AI system-related breaches.

Readiness and Regulation

Regulatory requirements are changing. The EU AI Act and sector-specific guidelines from the EDPB and others will keep reshaping what AI compliance looks like. Leading businesses are already building governance structures that satisfy both the GDPR and these new rules. Practices such as automated data flow mapping, real-time risk management, and regularly repeated Transfer Impact Assessments are becoming standard. Legal, technical, and compliance staff need to work together so that AI innovation is aligned with regulatory requirements.

Conclusion

Cross-border transfers of AI data under the GDPR are difficult, but not impossible. With a sound understanding of the regulatory frameworks, attention to high-risk processing, and good mitigations, organizations can deploy effective AI technologies in full compliance.

Creating AI responsibly involves creating it legally. Now is the time to audit your cross-border data transfer processes, enhance your governance structure, and embed compliance in all areas of your AI work.

The post GDPR Compliance for AI: Managing Cross-Border Data Transfers appeared first on TechGDPR.

Respecting Data Subject Rights in AI: A Practical Guide for Businesses
https://techgdpr.com/blog/data-subject-rights-in-ai-a-practical-guide-for-businesses/ | Wed, 09 Jul 2025 08:59:38 +0000
Nowadays, data subject rights must be considered as artificial intelligence (AI) revolutionizes industries. With this advancement, data privacy and data protection become major concerns for both businesses and consumers. AI tools enable greater collection and use of personal data, making it more critical than ever for organizations to respect the rights of data subjects. Organizations must design and deploy these technologies in compliance with data protection laws, especially the data subject rights provided by the GDPR.

Data subject rights (DSRs) are not optional check boxes. They are legally enforceable rights granted to individuals whose personal data is processed. Businesses must respect data subject rights throughout all stages of AI development, deployment, and ongoing system management. The GDPR grants individuals several rights over their personal data. Let us focus on four of these here:

  1. Right to be informed: As with other data protection frameworks, transparency is key under the GDPR. This right takes the form of a duty to inform prior to the processing taking place. Businesses must include information on how they collect, use, store, and share data, the purpose of processing, the legal basis, data retention periods, and who may receive the data. Privacy notices are the typical repositories for this information. They must be concise, accessible, and written in plain language.
  2. Right of access: Data subjects can request access to the exact personal data a business holds about them. Businesses must provide information about processing activities, data categories, and any third parties with whom they share the data.
  3. Right to rectification: Data subjects can request organizations to correct incorrect or incomplete data without delay. Businesses must respond promptly and update the data across systems and third-party processors where necessary.
  4. Right to object, right to be forgotten and right to revoke consent: These rights allow individuals to exercise control. The European Data Protection Board (EDPB) published a case digest on the right to object and the right to erasure. Data subjects must be able to object to the use of their data and request its erasure when it is no longer necessary, when they withdraw consent, or for purposes such as direct marketing.

Incorporating data minimization in AI Systems

One of the most effective ways businesses can respect data subject rights is by adhering to the data protection principle of data minimization. This GDPR principle requires businesses to collect and process only the minimum personal data necessary to achieve their specific purpose. Avoid over-collecting data, use anonymized or synthetic data for training, and regularly review AI outputs to remove unnecessary personal information.

Implement transparent data practices

Transparency is central to building trust and achieving legal compliance. Always define the purpose of processing, specifically the training of AI models. If businesses rely on legitimate interest, they must show that they gave data subjects the chance to object; otherwise, they invalidate their legal basis.

Clearly inform existing customers in advance when using their data to train AI models, and provide opt-out options before processing begins. Transparency is key. 

When there’s no direct relationship with the individual (such as when using publicly available data or data from brokers), the GDPR requires the information to be provided within one month of collection (GDPR Article 14).

In 2023, the Italian DPA temporarily banned OpenAI’s ChatGPT, citing a lack of transparency around how it used personal data for training. The DPA later required the company to implement clear privacy notices and provide users with ways to exercise their rights.

Respect the right to access 

Can data owners request access to training data? 

This becomes complicated with large language models, but under the GDPR, individuals have the right to know if and how their data is being used.

How to exercise that right? 

Under the GDPR, individuals have the right to know if and how their personal data is used, including data processed by AI systems. While this is straightforward for users with an existing relationship (who can submit data subject access requests via account settings or customer support), it’s more complicated when there’s no direct connection.

In such cases, organizations must ensure proactive transparency by clearly informing people through privacy policies and AI transparency reports. Failure to uphold this right contributes to loss of trust and accountability in AI use and development.

Develop clear processes for data deletion and rectification 

Can data be corrected or deleted after it has been used to train an AI model? 

While difficult, companies must explore the use of data architectures that allow tracing of personal data contributions. The GDPR (Recital 26) considers even pseudonymous data, like randomly generated user IDs, as personal data since organizations can technically link it back to a person, directly or indirectly.

To reduce data subject risk while improving compliance, companies could implement the following measures:

  • Data encryption: Businesses should ensure proper security implementation, especially when handling sensitive personal information.
  • Anonymization and pseudonymization: Where possible, anonymize or pseudonymize data before using it in AI models. Anonymization and pseudonymization protect personal data by reducing breach risks and limiting the impact on individuals in case of a data exposure.
  • Access control: Implement strict access controls and monitoring to ensure only authorized personnel can access personal data. This prevents unauthorized exposure of sensitive information.

By embedding these practices into AI development pipelines, organizations can take meaningful steps toward compliance, trust-building, and ethical AI deployment.

Ensure security and privacy by design

Organizations should build user trust and meet regulations by embedding privacy from the start, not treating it as an afterthought. This is the core of the privacy by design principle under the GDPR.

Key steps include:

  • Promoting user choice and control: Provide clear opt-out options before processing data, whether in email campaigns, mobile app popups, or web trackers. Empower users with privacy dashboards that let them view, manage, and delete their personal data at any time.
  • Secure data handling: Businesses must encrypt personal data used in AI training while transmitting and at rest. Implement strict access control mechanisms to ensure that only authorized personnel can interact with sensitive data.

Embedding privacy and security into system architecture from the outset supports compliance, trust-building, and ethical AI deployment.

Maintain ongoing communication and feedback loops

Transparency shouldn’t stop at data collection. When introducing AI processing, update your privacy notices to reflect the new processing activities, as required by the GDPR. Use layered notices to highlight AI-specific practices such as model training, profiling or automated decision-making. Importantly, inform users before processing, not after. True consent means giving people a real choice. Building feedback loops for user input is essential for improving fairness, spotting issues, and building trust in your AI systems.

Conclusion

As AI continues to shape modern business, respecting data subject rights is not just a legal obligation; it’s a foundation for responsible innovation. By embedding privacy by design, adopting transparent data practices, and enabling user control, organizations can align AI development with GDPR principles and foster long-term trust. Data protection isn’t a compliance checkbox, it’s a strategic imperative for ethical and sustainable AI.

Feel free to reach out to us for any clarification of AI compliance needs.

How to build trustworthy AI from the ground up with Privacy by Design? (https://techgdpr.com/blog/how-to-build-trustworthy-ai-from-the-ground-up-with-privacy-by-design/, published Wed, 25 Jun 2025 12:15:30 +0000)

We now live in a time where technologies such as artificial intelligence are increasingly woven into the fabric of everyday life. AI is invisibly present, performing an array of functions such as showing recommendations, detecting fraud, predicting disease, and navigating traffic. However, concern about privacy is growing along with the benefits of these technologies. Questions such as who owns the data a model is trained on, whether users can meaningfully consent to algorithmic choices that are beyond their comprehension, and how harm can be prevented before it happens are among the most pressing.


Privacy by Design (PbD) is crucial here. Calling it a good idea would be an understatement; “critical” is much closer to the mark. The framework developed by Dr. Ann Cavoukian is integral to embedding privacy in AI infrastructures. It is important to understand how AI developers can put PbD into practice, and why preserving user privacy matters in the first place.

Understanding PbD starts from the premise that privacy should not be something users have to look for or configure themselves, but a default feature of the service.

Understanding Privacy by Design: Principles at the Core

Privacy by Design is based upon the notion that privacy should be the natural default and not an optional feature one must find or switch on. Instead of responding to privacy violations, PbD has companies anticipate them and prevent them from occurring in the first place. Its seven design principles are not idealistic goals; they are pragmatic recommendations for integrating ethical data handling at every stage of the design process.

Picture Privacy by Design as baking privacy into a cake rather than sprinkling it on top afterwards. PbD is an approach that builds privacy into systems from the start.

Here are the seven main principles in more detail:

  1. Proactive not reactive; preventive not remedial: Anticipate risks before they arise. Don’t wait for a breach to act.
  2. Privacy as the default setting: Individuals shouldn’t have to request privacy. It should be automatic.
  3. Privacy embedded into design: Build systems that make it impossible to forget privacy because it’s built in, not added later.
  4. Full functionality by being positive-sum, not zero-sum: Achieve both privacy and innovation; one shouldn’t come at the expense of the other.
  5. End-to-end security and lifecycle protection: Protect data from the moment it’s collected until it’s deleted.
  6. Visibility and transparency: Systems must be open to inspection, review, and explanation.
  7. Respect for user privacy: Keep the user at the center with simple controls and clear, honest communication.

The Unique Privacy Challenges in AI

AI is different from typical software. Its reliance on enormous collections of data and capacity to infer sensitive material from ostensibly harmless points of data make it highly invasive. Voice, text, image, or behavior-trained models can identify not only user tendencies but mood, political orientation, or state of health as well.

This poses a sequence of privacy threats:

  • Over-collection: AI is hungry for data, so developers tend to collect more than they need.
  • Inferred data: Models can infer far more about people than users have explicitly disclosed.
  • Opacity: Many AI models are “black boxes,” where even the developers aren’t necessarily sure how decisions are being made.

Ignoring privacy can result in:

  • Fines and lawsuits under legislation such as the GDPR, the EU AI Act and the CCPA.
  • Loss of customer and user trust.
  • PR disasters that bury your brand.

Good privacy is not only good business, but good ethics as well.

Best Practices for Integrating PbD in AI Development

To implement Privacy by Design properly in AI systems, developers need to be strategic as well as practical. Below are the crucial steps to follow:

  1. Begin with Privacy Impact Assessments (PIAs): Before building anything, perform a PIA to discover privacy threats and analyze how your AI system processes information. This way, threats are identified and addressed upfront, not once the system is deployed. Begin your AI project by asking:
  • What information is required?
  • What are the threats?
  • How are users safeguarded?
  2. Adopt data minimization and purpose limitation: Collect data only if it’s needed to accomplish a precise, well-defined purpose. This minimizes risk and simplifies the handling of privacy obligations. Resist the temptation to “collect now, decide later.”
  3. Take advantage of privacy-enhancing technologies: Differential privacy adds noise to statistics, preventing data from being traced back to individuals. Federated learning trains models on user devices, reducing central data aggregation. These technologies maintain utility while keeping user identities protected.
  4. Encourage transparency and explainability: Transparency does not only mean open-sourcing code; more importantly, it means explaining in simple terms how the system functions, what information is used, and what the model is deciding. Model interpretability tools and artifacts such as model cards can help.
  5. Ensure secure access and data encryption: Data should be encrypted both in transit and at rest. Access controls must be strong, restricting access to data by role and need. Regular audits should be performed to ensure compliance.
  6. Build ethical oversight: Establish cross-disciplinary review boards consisting of technologists, legal specialists, ethicists, and community members. Such bodies can review projects for privacy, fairness, and unintended effects.
  7. Design for user empowerment: Give users the ability to see, control, and remove their information. Provide privacy controls that are understandable and accessible. Opt-in should be the norm, not deceptive defaults or unclear text.

Lessons from the real world

Let’s see who is getting it right and who got it wrong:

The Trade-Offs and Challenges Ahead

With the best of intentions, it’s hard to implement PbD for AI. There are compromises:

  • Data minimization vs. performance: Limiting the personal data you process can affect model performance, since fewer data points can result in a lower-performing model.
  • Anonymity vs. fairness: Reducing bias often requires demographic attributes such as race or gender, which are sensitive data and introduce new privacy issues.
  • Technical expertise: Techniques such as federated learning and differential privacy call for specialist know-how as well as computational resources.

These are challenges worth overcoming. With privacy both a competitive advantage and a legal requirement, businesses that embrace PbD will be well positioned for long-term success.

What’s coming next?

Regulations are solidifying. The EU AI Act and other initiatives are establishing new norms. Meanwhile, technologies such as homomorphic encryption (so computation can be performed on encrypted information) and synthetic data (which simulates real data without revealing real users) are opening up new paths for privacy-led innovation. These technologies will help AI developers focus on creating systems that safeguard people.

As AI reshapes society, privacy must not be treated as an afterthought. It’s a design choice that reflects an organization’s values, foresight, and respect for its users. Integrating Privacy by Design isn’t just about avoiding penalties; it’s about building systems that are ethical, resilient, and worthy of trust. If you’re building AI, you’re shaping the future. Make it one where people feel safe and respected. By using Privacy by Design, you’re not just avoiding trouble; you’re building trust, improving outcomes, and showing users you’ve got their back.

Every line of code and every product decision is an opportunity to do better. Start now. Make privacy the foundation, not the fix.

How Privacy Enhancing Technologies (PETs) Can Help Organizations Stay GDPR Compliant (https://techgdpr.com/blog/discover-how-privacy-enhancing-technologies-pets-help-organizations-achieve-gdpr-compliance-by-safeguarding-personal-data-reducing-risks-and-enhancing-confidentiality-through-encryption-anonymiza/, published Tue, 13 May 2025 09:22:00 +0000)

Safeguarding personal information is now more important than ever. 95% of customers will not engage with companies that cannot offer adequate safeguards for their data. With data protection regulations like the General Data Protection Regulation (GDPR), organizations are under constant pressure to protect sensitive data while ensuring compliance. Privacy Enhancing Technologies (PETs) have emerged as powerful tools to achieve this balance. These technologies not only help secure personal data but also support GDPR compliance by minimizing risks and enhancing confidentiality.

But what exactly are PETs, and how can they help organizations meet GDPR standards? PETs are crucial to securing data and play a critical role in modern data privacy.

What Are Privacy Enhancing Technologies (PETs)?

Privacy Enhancing Technologies (PETs) are a set of tools and techniques designed to protect personal data throughout its lifecycle. PETs can help reduce the risk to individuals while enabling further analysis of personal data without a controller necessarily sharing it, or a processor having access to it. They aim to minimize the exposure of sensitive information while still enabling data processing. PETs can be categorized based on their primary function: minimization, confidentiality, and control.

Some of the key types of PETs are as follows:

  • Anonymization: This technique removes or alters personal identifiers so that data cannot be traced back to an individual. Under the GDPR, true anonymization is considered irreversible, allowing the data to be stored and used without further GDPR constraints.
  • Pseudonymization: Unlike anonymization, pseudonymization replaces personal identifiers with artificial labels. Although it is reversible under strict controls, it adds a layer of protection by decoupling personal identifiers from the dataset. It is very important to understand that pseudonymized data is not the same as anonymized data.
  • Encryption: Encryption converts data into a coded format that is accessible only with a specific decryption key. This ensures that even if the data is intercepted, it remains unreadable to unauthorized parties.
  • Synthetic data: This allows organizations to create artificial data that mimics real data while preserving user privacy. Synthetic data is often used in AI and machine learning as well as in software testing and development.
  • Differential privacy: This is a mathematical technique that adds randomness or noise to data analysis, making it more difficult to identify individuals.
  • Confidential computing: This form of data processing prevents unauthorized access to data during computation. It is often used in cloud computing and in healthcare and financial services.
  • Federated learning: This machine learning approach allows multiple organizations to train algorithms collaboratively without sharing raw data, enhancing both privacy and compliance.
  • Trusted execution environments: Secure hardware or software environments within a system that provide an isolated area for executing sensitive operations and protect code and data from external tampering.

By using these technologies, organizations can significantly reduce the risk of data breaches and support the GDPR’s core principles. PETs help ensure that individuals’ data is better protected against breaches and misuse.

GDPR Principles Supported by PETs

The GDPR is built around principles that prioritize data protection at every stage of processing. PETs offer a practical path to compliance by reinforcing the following key principles:

  • Data Minimization (Article 5): PETs like anonymization and pseudonymization ensure that only necessary personal data is processed, reducing exposure. Techniques like differential privacy also enable organizations to analyze data sets without exposing individual identities, aligning with GDPR’s minimization principle.
  • Integrity and Confidentiality (Article 5): Technologies such as encryption protect data against unauthorized access, maintaining its confidentiality and integrity. Homomorphic encryption, for instance, allows for computations on encrypted data without revealing its contents, offering enhanced protection.
  • Technical and Organizational Measures (Article 25): Implementing PETs as part of system design supports privacy by design, a core requirement of the GDPR. This includes pseudonymizing or encrypting data by default, ensuring that privacy safeguards are active even before processing begins.

Organizations can further strengthen their compliance by incorporating PETs into Data Protection Impact Assessments (DPIAs), identifying and addressing potential risks before processing begins. DPIAs help document how PETs mitigate risks by offering a transparent view of data processing activities.

PETs and International Data Transfers

Cross-border data transfers are a major concern under the GDPR, especially after the Schrems II ruling. PETs help address these challenges by adding layers of security to data during transit. Technologies like encryption and federated learning ensure that sensitive information remains protected even during international exchanges. PETs act as supplementary measures to meet the GDPR Chapter 5 (Art 44-50) requirements, reducing risks during cross-border transfers and maintaining compliance with European standards.

Federated learning, for example, allows machine learning models to be trained across multiple locations without sharing raw data, which reduces exposure and facilitates compliance with strict European data protection laws. Encryption further ensures that even if data is intercepted during transfer, it remains unreadable without the right decryption keys.

Real-World Applications of PETs

PETs are already being used across various industries to maintain privacy and GDPR compliance.

Here are some core examples of PET usage:

Implementing PETs requires careful planning and collaboration across IT, legal, and privacy teams. Legal ambiguities around anonymization, integration with legacy systems, and the complexity of deployment can pose challenges. However, conducting DPIAs, aligning strategies with GDPR Article 32, and ongoing training for staff help smooth the integration process. Regular audits and collaborative cross-functional efforts also contribute to effective implementation.

PETs as a Strategic Enabler for GDPR Compliance

Privacy Enhancing Technologies are not just compliance tools; they are strategic assets that enable secure, responsible data processing. For organizations striving to meet GDPR standards, PETs offer a practical path to data minimization, enhanced confidentiality, and secure international transfers.

Implementing PETs as part of your data privacy strategy not only reduces compliance risks but also fosters trust with clients and partners. By embracing these technologies, businesses can navigate the complexities of GDPR with confidence and accountability.

Seven Actionable Steps to Achieve GDPR Compliance for E-Commerce Businesses (https://techgdpr.com/blog/seven-actionable-steps-to-achieve-gdpr-compliance-for-e-commerce-businesses/, published Wed, 07 May 2025 10:49:42 +0000)

GDPR compliance helps businesses ensure transparency, build customer trust, enhance data security, and avoid fines of up to €20 million or 4% of turnover. Many companies, such as Amazon, LinkedIn, Clearview, and Netflix, among others, have faced significant fines due to data protection failures.

E-commerce businesses process large amounts of personal data, including contact details, payment information, and browsing history, all of which require protection. By implementing strong data protection practices and security measures such as encryption and access controls, businesses can reduce the risk of breaches and cyberattacks.

GDPR compliance for e-commerce businesses demonstrates a commitment to protecting customer privacy and encourages continued customer relationships, giving businesses a competitive advantage over those that are not GDPR-compliant.

Here are seven actionable steps that may help e-commerce businesses navigate GDPR compliance effectively.

Conduct a data audit

When deciding to work towards GDPR compliance in e-commerce, it is important to start by conducting a comprehensive inventory of data collection processes.

The steps to carry out the audit could include:

  • Identify all personal data categories collected, such as contact details, payment details, and activity logs, and the granular purposes this collection serves. Determining the retention period is important, as the GDPR does not allow indefinite retention.
  • Review how and where personal data is collected and stored, whether on cloud servers, local databases, or third-party platforms. Regularly review third parties and minimize retention periods, with clear specifications on when data will be securely deleted. Additionally, document the security measures implemented to protect the data.

Access and consent management

Access to customer data should be limited to authorized employees, IT administrators, and secure third-party providers on a need-to-know basis.

Consent for cookies can be effectively implemented through a cookie banner, allowing users to manage or withdraw consent anytime. Use clear opt-in mechanisms for newsletters, cookies, and marketing, avoiding pre-checked boxes. Maintain consent logs for audit compliance, ensuring each data use has separate, revocable consent without affecting core services.

Review and update privacy notice

A company’s privacy notice should be clear, easily understood, and transparent to ensure GDPR compliance and build customers’ trust. The privacy notice should clearly state:

  • What data you collect and why (e.g., personal details, payment information, browsing behaviour),
  • How the data is used,
  • The purposes of data collection and processing, and
  • How customers can exercise their rights, such as requesting data deletion or correction.

It is important to regularly review and update one’s privacy notice in order to reflect any changes in data collection, processing, or legal regulations to maintain compliance.

Enhance security to protect customer information

With the rise of cyber attacks worldwide, protecting personal data is an essential aspect of GDPR compliance for e-commerce businesses. Customers trust businesses with sensitive information: payment details, addresses, and browsing history. Implementing strong data security measures reduces breaches, while a structured response plan ensures quick recovery and minimizes damage.

To minimize security risks, e-commerce businesses may implement:

  • End-to-end encryption: Encrypting sensitive customer data both in transit and at rest prevents unauthorized access. Even if the data is intercepted, it cannot be read without the correct key. This should be the standard for all online transactions.
  • Multi-factor authentication (MFA): Access control may require additional verification steps, such as one-time passwords (OTP) or biometric authentication. This reduces unauthorized logins.
  • Regular security audits: Routine system checks identify vulnerabilities. These assessments help prevent data leaks and support GDPR compliance.
  • Access control and monitoring: Role-based access control (RBAC) restricts access based on predefined roles, ensuring that only authorised personnel can reach sensitive personal data.

Investing in robust data security protects customers and supports GDPR compliance across all operations.

Offer employees training

Employees are the first line of defence when it comes to data protection, so regular, comprehensive GDPR training is important for e-commerce businesses. Breaches often occur due to human error, such as mishandling sensitive data or falling for phishing scams. The employer is responsible for ensuring that employees are well trained on data protection and compliance requirements.

Businesses should provide ongoing training and workshops to keep employees’ knowledge of data protection, evolving threats, and regulatory changes up to date and to raise awareness within the organization.

Establish data subject rights procedure

Under the GDPR, data subjects have rights, including the rights of access, erasure, rectification, and objection, which give them control over their personal data.

E-commerce businesses must have clear procedures for handling and responding to these requests efficiently. The GDPR requires a response within one month; delays or non-compliance can lead to fines.

To ensure compliance, businesses may:

  • Appoint a data protection officer (DPO), in line with European Commission guidance, or an internal team working under the guidance of a DPO, to monitor compliance and data protection issues. “It is much easier and cost effective” to appoint an external DPO.
  • Create a clear and accessible process for handling data subject requests, such as an email address or request form on the website.
  • Implement automated tools to manage and track data subject requests within the required time frame.
  • Keep records of all requests to demonstrate compliance if audited.

Review third-party agreements

E-commerce businesses sometimes utilize third-party vendors, such as payment processors, cloud storage providers, and marketing platforms, to handle customer data. Therefore, it’s crucial to ensure these vendors comply with data protection regulations to safeguard customer information and avoid potential risks.

Under the GDPR, a data protection agreement with a third-party vendor is required if the vendor processes personal data on your behalf.

Here are steps that could be considered to manage risks associated with third-party vendors:

  • Identify all third-party vendors that process customer data and assess their data security measures.
  • Ensure that all vendors handling personal data have a supplier agreement in place, outlining responsibilities, security measures, and data processing activities.
  • If a vendor transfers data outside the EU/EEA, ensure they follow GDPR requirements.
  • Regularly review vendor policies, conduct security audits, and ensure that the vendors comply with GDPR requirements.

Conclusion

By implementing these seven actionable steps, e-commerce businesses can mitigate risk, protect customer data, avoid penalties, and build trust.

Hiring an external DPO, either in the absence of an internal data protection team or to advise and provide competent GDPR support to the internal DPO, will ensure proper compliance with the GDPR and provide a competitive advantage in the market.

What to Expect When Taking the CIPP/E Certification Exam (https://techgdpr.com/blog/what-to-expect-when-taking-the-cipp-e-certification-exam/, published Wed, 09 Apr 2025 10:16:21 +0000)

If you’re exploring a career in data protection or want to deepen your understanding of the EU’s General Data Protection Regulation (GDPR), you’ve likely heard of the CIPP/E certification exam. Offered by the International Association of Privacy Professionals (IAPP), this certification is a recognized benchmark for professionals in European data protection law. It is highly sought after by individuals already specializing in privacy or those looking to enter the sector.

Prepare for the CIPP/E Certification Exam with Expert Training

TechGDPR offers comprehensive training designed to help you pass the CIPP/E exam. Our expert instructors have hands-on experience in the field and have earned the certification themselves. This training covers the full Body of Knowledge (BoK) and aligns with the official IAPP Exam Blueprint, ensuring you’re prepared for the certification exam.

Mapping to the CIPP/E Body of Knowledge (BoK)

Our training structure directly follows the CIPP/E Body of Knowledge (BoK). This ensures the course is current, relevant, and aligned with the official exam requirements. There are three key sections in this training:

  1. Introduction to European Data Protection
    Gain a foundational overview of the historical, institutional, and legal roots of privacy in the EU.
  2. European Data Protection Law and Regulation
    Dive deep into the GDPR’s core principles, including key definitions, rights, obligations, and enforcement.
  3. Compliance with European Data Protection Law and Regulation
    Learn how to apply the GDPR in specific contexts, such as employment, marketing, and modern tech environments.

Introduction to European Data Protection

Our training begins with a look at the historical and legal framework that shaped data protection in Europe. Understanding the evolution of privacy regulation, from early directives to today’s robust legislation, gives context to the GDPR. We’ll explore the role of EU institutions in creating and enforcing data protection laws, which is especially useful for professionals without a legal background.

European Data Protection Law and Regulation

The majority of the course focuses on the GDPR itself, which forms the heart of the certification. You will explore key GDPR concepts, such as:

  • Personal data, controllers, and processors
  • Material and territorial scope of the Regulation
  • Core principles like data minimization, purpose limitation, and accountability

The heart of the course lies in a thorough breakdown of the GDPR itself.


Focusing on the GDPR

Participants will first gain a solid understanding of key terms such as personal data, controller, and processor, and of the material and territorial scope of the Regulation. From there, the course dives into the core principles of data processing, including purpose limitation, data minimization, and accountability: what they mean and what they require in practice.

The training will also explore the six legal bases for processing personal data and when and how to apply them. A special focus is placed on dispelling common misconceptions, particularly around consent, which is often misunderstood as the only valid justification for processing. The course also looks in depth at how consent can be appropriately implemented and at its numerous requirements. It further covers the exceptions which, together with a legal basis, are required in order to process special categories of personal data.

Further key topics include data subject rights, including access, rectification, erasure, and portability. It is not enough to explain what these rights are; the course also covers how organizations can operationalize processes to meet their obligations efficiently. Additionally, we discuss security incidents and data breaches, including their similarities and differences. Based on this, the training goes into detail on how to respond appropriately in accordance with the GDPR and how to set up an incident response protocol that mitigates the risks arising before, during and after an incident, a data breach, or both.

Last but certainly not least, the course also explores the controversial yet crucial topic of international transfers, namely how organisations can transfer personal data securely outside the EU. The training takes a compliance-focused approach that avoids the hassle of catching up with regulations and gathering all required documentation at a later stage. This includes a section on the ongoing issue of transfers to the United States and how to prepare effectively for an ever-changing framework in this context.

Compliance with European Data Protection Law and Regulation

The final section of the course addresses how GDPR applies in specific real-world contexts. These include:

  • Employee Data Handling: Lawfully processing and storing personal data, managing BYOD policies, and mitigating employee monitoring risks.
  • Direct Marketing Campaigns: Telemarketing, online direct marketing, and online behavioral marketing requirements.
  • Internet Technology and Communications: Understanding cloud computing, web cookies, social media platforms, and artificial intelligence.
  • Surveillance and Biometrics: Public authority surveillance, telecommunications interception, CCTV in public spaces, and the use of biometrics like facial recognition.

This practical approach helps you not only understand the law but also confidently apply it in everyday business operations.

Beyond the CIPP/E Certification Exam: Practical Value for Professionals

Our CIPP/E training offers more than just exam preparation. It provides lasting value for professionals in legal, compliance, HR, IT, or marketing roles. You’ll gain practical insights into GDPR obligations specific to your role, empowering you to proactively engage with privacy considerations and confidently support compliance initiatives.

Whether you’re preparing for the CIPP/E certification exam or simply want to enhance your understanding of European data protection, our training offers a structured, practical approach to mastering GDPR.

The post What to Expect When Taking the CIPP/E Certification Exam appeared first on TechGDPR.

]]>
Data protection digest 18 Mar – 2 Apr 2025: 23andMe bankruptcy case, digital spring cleaning https://techgdpr.com/blog/data-protection-digest-04042025-23andme-bankruptcy-case-digital-spring-cleaning/ Fri, 04 Apr 2025 08:35:36 +0000 https://s8.tgin.eu/?p=10523

The post Data protection digest 18 Mar – 2 Apr 2025: 23andMe bankruptcy case, digital spring cleaning appeared first on TechGDPR.

]]>
23andMe genetic data

The 23andMe genetic company filed for bankruptcy in the US after struggling with weak demand for its ancestry testing kits and a 2023 data breach that damaged its reputation, Reuters reports. US officials had questioned what would happen to the genetic data collected by 23andMe, although the company’s privacy policies state that the data could be sold to other companies. 23andMe reassured customers that the bankruptcy process will not affect how it stores, manages, or protects customer data. 

Given the uncertainties about the future of the company, the amount of data it has, and the risks inherent in the use of these tests, the French CNIL presents the procedure to follow to have your data permanently deleted in your profile settings. Also, the purchase of a genetic test on the Internet by people residing in France is punishable by a fine of 3,750 euros. Similarly, carrying out a genetic test outside the medical and scientific fields is prohibited and punishable by a fine of 15,000 euros and one year in prison for people or companies offering these tests.

Digital spring cleaning in Germany

Digital documents and paper files containing personal data may only be retained for as long as necessary, reminds the Hamburg data protection authority. At least once a year, taking stock of what’s still stored and whether this data or files will be needed for longer is recommended. Professional data processors handle this automatically. Where no automated routines are in place, deletion must be done manually.

Plus, German companies and authorities should check whether their deletion routines already take into account the new statutory retention periods that apply from 2025. Specifically, some retention periods have been lowered by federal lawmakers (the Fourth Act to Reduce Bureaucracy), which means that the affected data must also be removed sooner. Changes have been made, among other things, to the German Commercial Code and the German Fiscal Code. Accounting paperwork, the most significant case group in practice, must now be kept for eight years rather than the prior ten before being destroyed. You can find more business document retention periods here.

BCRs approval

The procedure for approving Binding Corporate Rules for controllers and processors for intragroup transfers of EU personal data to non-EU countries is laid out by provisions in Art. 47, 63, 64 and 65 of the GDPR. As a result, BCRs are to be approved by the competent supervisory authority in the relevant jurisdiction via the consistency mechanism, under which the EDPB will issue a non-binding opinion on the draft decision by the competent regulator. As the intracompany groups applying for the BCR approval may have entities in more than one Member State, this procedure will involve all the concerned supervisory authorities in those countries from where the data transfers are to take place. To that end, the EDPB has just revised its approval process to shorten the time it takes for a BCR to be approved.

Privacy policy shortcomings


The Latvian data protection inspectorate DVI conducted a preventive inspection of the privacy policies published on the websites of thirty Latvian-registered merchants whose main activity is related to retail sales by mail order or in online stores. The content of the privacy policies was checked for compliance with the requirements of Art. 13 and 14 of the GDPR. At least some shortcomings were found in each inspected document.

The regulator assumes that it is initially more difficult to prepare such a document because there is not sufficient understanding of its necessity and content. At the same time, it reminds controllers that their responsibility for customers’ data is proven not by a written statement that it processes data appropriately but by clear implementation of the rules. Other shortcomings in the published policies were related to the failure to provide or incorrect provision of information, particularly the contact information of the supervisory authority, the rights of the data subject, information about processors and partners to whom the customer’s data has been transferred, but most often involving incorrectly specified purposes and lawful grounds for data processing. 

Data breach form

The Corporate Data Protection Association, (Switzerland), has published a data breach report template. Data security breaches can trigger various reporting obligations under the Swiss Data Protection Act, the EU’s GDPR, the new Swiss Information Security Act, and the EU NIS2 Directive. The template is intended to contribute to the practical implementation of digital regulatory requirements and can be used freely by companies. The template is initially available in German. An English version is currently being developed.

More from supervisory authorities

Online stores security: The Lithuanian regulator VDAI meanwhile monitored the security measures for personal data processed by online stores and provided some recommendations: a) ensure control over the management of access rights, b) develop and implement effective data deletion, c) use advanced encryption, (during transmission and storage), d) improve management change processes, (eg, implementation of new systems), e) regularly review and update your policies, (using both the latest legal requirements and best practices).

Connected cars: Modern cars act as “chatterboxes on wheels”, collecting information on everything from your daily routines to biometric data. How does this affect the protection of your data? The Danish Datatilsynet advises you to check the privacy settings on your automobile carefully and to be cautious about sharing personal information:

  • Unclear consent (Many drivers are forced to accept terms of use that require the sharing of personal data to use the car’s features).
  • Data abuse (Data about your driving and location may end up with third-party companies or there is a risk that hackers will gain access).
  • Targeted marketing (Car manufacturers can share your data with companies without your full knowledge).
  • Negative impact (Worse insurance terms, warranty termination, shutdown of services).

Multi-factor authentication (MFA): The French CNIL publishes recommendations to support users and providers of multi-factor authentication solutions, (in French). In particular, it explains:

  • the conditions under which the use of MFA is appropriate for security needs;
  • compliance with the principles of the GDPR, including a legal basis, data minimisation, the retention periods and the exercise of rights by the data subjects;
  • the determination of the qualification of the actors involved;
  • the choice of modalities, (authentication factors: knowledge, possession, inherence), and their GDPR compliance, etc.


Honda privacy fine

The California Privacy Protection Agency, (CPPA), has issued a decision that requires American Honda Motor Co. to change its business practices and pay a 632,500-dollar fine to resolve claims that the company violated the CCPA. The investigation arose from the Enforcement Division’s ongoing review of data privacy practices by connected vehicle manufacturers and related technologies. Honda violated Californians’ privacy rights by:

  • requiring Californians to verify themselves and provide excessive personal information to exercise certain privacy rights, such as the right to opt-out of sale or sharing and the right to limit;
  • using an online privacy management tool that failed to offer Californians their privacy choices in a symmetrical or equal way;
  • making it difficult for Californians to authorise other individuals or organisations to exercise their privacy rights; and
  • sharing consumers’ personal information with ad tech companies without producing contracts that contain the necessary terms to protect privacy.

Human research samples

Finland’s Data Protection Commissioner has requested information from the University of Helsinki on how it has implemented the transfer of data related to human research samples to a Chinese company. The regulator is investigating whether the university protected personal data in the manner required by data protection legislation when the data was transferred to China. According to the University of Helsinki, it has purchased genetic analysis services from the Chinese genetic technology company BGI Group.

No adequacy decision has been made for China, and the European Commission has not yet examined the level of data protection in China, (in connection with the Irish investigation into TikTok). At the moment, personal data can be transferred freely within the European Economic Area. Data can also be transferred directly to a country for which the Commission has made a so-called adequacy decision. These include the US, the UK, Japan and South Korea.

More enforcement decisions

Apple ATT sanction: The French Competition Authority fined Apple for abusing its dominant position through the implementation of the App Tracking Transparency, (ATT), system. In its competitive analysis, the authority took into account the opinions issued by the data protection regulator CNIL. Since 2021, app publishers who want to track their users for advertising purposes across multiple apps or sites have been required to obtain explicit permission from the user through a partially standardized window designed by Apple.

The competition authority received complaints from several online advertising trade associations against Apple. The implementation of the ATT system appeared to be neither necessary nor proportionate to Apple’s stated objective of protecting personal data, given the constraints weighing on publishers and users. The CNIL had previously considered that the ATT system could be adapted in order to allow actors to obtain valid consent within the meaning of the GDPR and to avoid, in particular, double solicitations.

Software provider fine: The UK’s ICO has fined Advanced Computer Software Group Ltd, (Advanced), 3.07m pounds for security failings that put the personal information of 79,404 people at risk. Advanced provides IT and software services to organisations, including the NHS and other healthcare providers, and processes people’s personal information on behalf of these organisations. The fine relates to a ransomware incident in August 2022. Hackers accessed certain systems of Advanced’s health and care subsidiary via a customer account that did not have multi-factor authentication. The cyber attack was widely reported at the time, with reports of disruption to critical services and access to patient records.

Scientific research and data reuse

The EDPB has published a final study on the secondary use of personal data in the context of scientific research, which highlighted the lack of a uniform approach among Member States. The legislation analysed was not limited to the GDPR but included international agreements or documents containing data protection rules, (such as Council of Europe Convention 108+), ethical standards, (such as the World Medical Association (WMA)’s Declaration of Helsinki, (DH)), and EU sectoral legal frameworks, (e.g. on clinical trials, biobanks).

AI cameras in shops

According to the CNIL, some tobacconists in France have deployed AI-based cameras to estimate the age of customers and avoid the sale of prohibited products to minors. In practice, these cameras scan the person’s face at the time of purchase to assess whether they are a minor or an adult and inform the merchant using a warning light (e.g. a green or red light). The use of these devices pursues a dual objective of public interest: protecting young people and the preservation of public health. However, the fact that this verification is carried out through algorithmic processing of automated image analysis is not trivial and may entail risks for the protection of personal data and the privacy of individuals.

In case you missed it 

US technology risks: The Netherlands’ House of Representatives approved a resolution on risk assessments and exit strategy for US tech corporations’ cloud services on March 18. According to the motion, all government cloud services that are now purchased from American suppliers must go through a risk assessment and, if required, have a written exit strategy that enables them to switch to Dutch or European providers. By the end of 2025, this procedure is expected to be finished.

Outdated IT systems and AI: According to the Guardian newspaper, the UK government’s goal to increase efficiency by integrating AI into every aspect of its operations runs the risk of being hampered by outdated technology, low-quality data, and a shortage of qualified personnel. The cross-party public accounts committee report revealed that over 20 government IT systems were classified as “legacy,” which means outdated and unsupported. A January official strategy for the technology, however, called for the government to “rapidly pilot” AI-powered services, claiming that doing so would boost productivity. 


]]>
How does the GDPR govern retention periods for businesses? https://techgdpr.com/blog/how-does-the-gdpr-govern-retention-periods-for-businesses/ Tue, 01 Apr 2025 09:52:50 +0000 https://s8.tgin.eu/?p=10485

The post How does the GDPR govern retention periods for businesses? appeared first on TechGDPR.

]]>
The General Data Protection Regulation (GDPR) establishes clear guidelines to prevent unnecessary data storage and ensure that personal information is retained only for as long as it serves a legitimate purpose. Storage limitation requires that companies justify and set out their data retention periods while considering all legal obligations. Navigating legal requirements and transforming them into practical, actionable measures can be complex. A structured approach makes implementation more seamless.

Understanding GDPR Data Retention Requirements

The GDPR does not prescribe a fixed period of time for which personal data may be stored. Rather, the GDPR, in Article 5: Principles relating to processing of personal data, states that

Personal data shall be: …kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) subject to implementation of the appropriate technical and organisational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject (‘storage limitation’);

This principle outlines that personal data should not be stored longer than necessary. There are some exceptions to this, as listed in Article 5(1)(e). These exceptions include anonymisation and taking into account other legal storage requirements. Since the GDPR actively requires companies to follow the principle of storage limitation, it is best practice to delete the information when the retention period has run out.

However, personal data could also be anonymized instead, as properly anonymized data can no longer be linked to a person. Otherwise, one could consider whether other applicable legislations apply. For instance, German finance law requires that companies maintain records of certain documents. This requirement is mostly related to maintaining tax records for 6 to 10 years. So even if the records contain personal data and are no longer necessary for the processing activity they were initially collected for, they are maintained with respect to other applicable legal requirements.

Determining Retention Periods 

The GDPR defines two main roles in relation to data: data controller and data processor. The data controller decides the purposes and the means of processing personal data. As a result, the data controller is also responsible for determining the time frame for data retention. The Dutch Data Protection Authority released guidance on the questions to ask when a company is determining the retention period of personal data.

  1. Do you have statutory retention periods that must be followed, such as those required by tax laws or the Public Records Act? Are there any ongoing legal proceedings? If so, you are also obligated to retain the personal data.
  2. How long is the data necessary for its intended purpose? Consider your company policy when determining this. For instance, you may need certain data to track outstanding invoices.
  3. The fundamental principle of the law is to keep personal data for the shortest possible duration. Can the retention period be reduced?
  4. Are you a member of a sector organization? If so, they may provide guidance on standard retention periods in your industry, which might be outlined in a code of conduct.

Following the guidance above when considering the storage of personal data can help in determining the best retention period for your business needs. The key requirement to understand when choosing a retention period is that the chosen duration must be able to be justified and the decision must be documented. 
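The four questions above amount to a decision rule per record: retain while the data is still needed for its purpose or a statutory period is running, retain unconditionally under a litigation hold, and otherwise delete or anonymise, recording the reason either way. The following scheduler is an added example written for this post, not TechGDPR's or any DPA's code. The rules, record identifiers, dates and periods are constructed; the eight-year accounting period mirrors the German figure mentioned in the digest above, while the two-year newsletter period is simply an assumption. Periods are expressed in days to keep the arithmetic explicit.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass(frozen=True)
class RetentionRule:
    """The documented retention decision for one processing purpose."""
    purpose: str
    purpose_days: int             # Q2: how long the data is needed for its purpose
    statutory_days: int = 0       # Q1: statutory minimum retention (0 = none applies)
    action_after: str = "delete"  # "delete" or "anonymise" once the period lapses
    justification: str = ""       # the written reason, kept with the rule for audit


@dataclass(frozen=True)
class Record:
    """One stored item of personal data and the facts that drive its clock."""
    record_id: str
    purpose: str
    collected_on: date
    purpose_ended_on: Optional[date] = None  # e.g. the invoice was settled on this day
    litigation_hold: bool = False            # Q1: ongoing legal proceedings


def retention_end(rule: RetentionRule, record: Record) -> tuple[date, str]:
    """Return the day retention may end and which question fixed it.

    The purpose clock stops when the purpose is fulfilled (or at its documented
    maximum), but a statutory period can extend retention beyond that point.
    """
    purpose_end = record.collected_on + timedelta(days=rule.purpose_days)
    if record.purpose_ended_on is not None and record.purpose_ended_on < purpose_end:
        purpose_end = record.purpose_ended_on
    statutory_end = record.collected_on + timedelta(days=rule.statutory_days)
    if statutory_end > purpose_end:
        return statutory_end, "statutory retention period (Q1)"
    return purpose_end, "needed for its purpose (Q2)"


def decide(rules: dict[str, RetentionRule], record: Record, today: date) -> dict:
    """Decide retain/delete/anonymise for one record, with a documented reason."""
    rule = rules.get(record.purpose)
    if rule is None:
        # No documented rule means the retention cannot be justified: fail loudly
        raise ValueError(f"{record.record_id}: no retention rule for purpose {record.purpose!r}")
    end, basis = retention_end(rule, record)
    if record.litigation_hold:
        return {"record_id": record.record_id, "action": "retain", "until": None,
                "reason": "litigation hold: ongoing legal proceedings (Q1)"}
    if today < end:
        return {"record_id": record.record_id, "action": "retain",
                "until": end.isoformat(), "reason": basis}
    return {"record_id": record.record_id, "action": rule.action_after,
            "until": end.isoformat(),
            "reason": f"retention period expired; {rule.justification}"}


def schedule(rules: dict[str, RetentionRule], records: list[Record], today: date) -> list[dict]:
    """Run the decision over a whole inventory; the output is the audit trail."""
    return [decide(rules, r, today) for r in records]


# Constructed sample rules (assumptions, not legal advice): the eight-year
# accounting figure echoes the German period cited above, the rest is made up.
RULES = {
    "invoicing": RetentionRule("invoicing", purpose_days=365, statutory_days=8 * 365,
                               action_after="delete",
                               justification="accounting records kept 8 years by statute"),
    "newsletter": RetentionRule("newsletter", purpose_days=730, statutory_days=0,
                                action_after="anonymise",
                                justification="contact no longer needed after 2 years"),
}

# Constructed sample inventory; identifiers and dates are invented.
SAMPLE_RECORDS = [
    Record("INV-2016-001", "invoicing", date(2016, 1, 1), purpose_ended_on=date(2016, 3, 1)),
    Record("INV-2024-117", "invoicing", date(2024, 1, 15)),
    Record("NL-0042", "newsletter", date(2022, 6, 1)),
    Record("NL-0043", "newsletter", date(2022, 6, 1), litigation_hold=True),
]
TODAY = date(2025, 4, 1)


def demo() -> list[dict]:
    """Schedule the constructed inventory as of the constructed review date."""
    return schedule(RULES, SAMPLE_RECORDS, TODAY)


if __name__ == "__main__":
    for d in demo():
        print(f"{d['record_id']:<14} {d['action']:<10} until={d['until']}  {d['reason']}")
```

Two design points matter more than the arithmetic. A purpose with no documented rule raises instead of defaulting to "keep", because an undocumented retention period is exactly what a supervisory authority will ask about; and every decision carries the reason and the end date, so the scheduler's output doubles as the documentation the post says must exist.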

Best Actionable Practices for Retention Periods 

Drawing on guidance from various DPAs, here is a list of actionable best practices for data retention:

  • Conducting an audit to regularly assess what personal data your company collects, stores, and processes.
  • Minimizing data collection by only gathering personal data that is strictly necessary for your specified purposes. Be sure to avoid excessive or irrelevant information.
  • Implementing a data retention policy and reviewing retention periods regularly. This establishes clear retention schedules for different data types, ensuring compliance with industry standards and legal obligations.
  • Justifying retention periods by basing them on business needs, legal obligations, and potential future claims, avoiding indefinite data retention without a valid reason. Documenting retention deviations by recording justifications whenever data is retained for longer or shorter periods than specified.
  • Regularly reviewing data processing activities to assess current processes and update retention schedules as new data processing activities emerge.
  • Following legal and regulatory requirements by retaining data in compliance with industry regulations, tax laws, and professional guidelines. Delete data as soon as it is no longer necessary.
  • Responding to data subject requests by ensuring that unnecessary data is promptly deleted or anonymized when individuals request erasure.
  • Training staff on retention policies to ensure they understand retention schedules, deletion procedures, and the risks of premature or improper data deletion.
  • Archiving data properly by storing older data in clearly labeled, separate electronic folders or indexing paper records for easy identification and disposal.
  • Ensuring secure disposal of data once retention periods expire, using confidential waste providers or cross-cut shredders for paper records, and complete deletion or anonymization for electronic data.

How do you ensure compliance through effective data retention?

Effectively managing data retention under the GDPR requires a careful balance between compliance, business needs, and legal obligations. By implementing structured retention policies, businesses can ensure they are not holding onto personal data longer than necessary while also meeting statutory requirements. Regular audits, clear documentation, and staff training are essential to maintaining compliance and mitigating risks. Adhering to the principle of storage limitation not only protects individuals’ data rights but also strengthens organizational data governance and security.


]]>
AI Age Verification: Big Tech’s Risky Fix for GDPR Violations https://techgdpr.com/blog/ai-age-verification-big-techs-risky-fix-for-gdpr-violations/ Tue, 25 Mar 2025 11:00:57 +0000 https://s8.tgin.eu/?p=10434

The post AI Age Verification: Big Tech’s Risky Fix for GDPR Violations appeared first on TechGDPR.

]]>
One-third of GDPR fines are related to the misuse of children’s data, yet big tech companies have still not implemented appropriate measures to safeguard them. In response, major platforms like Google and TikTok are planning to use AI age verification, starting in 2025, to deduce users’ ages from the content they interact with. However, this raises further concerns. Firstly, is this initiative arriving too late? Secondly, have these companies thoroughly considered the additional risks AI could pose in safeguarding children’s data?

Enforcement from authorities for violations of rights in relation to children

In recent years, several significant fines have been issued to tech giants over their mishandling of children’s data. Among these are:

2022
  • The Dutch supervisory authority fined TikTok in 2022 for €750,000. The fine was for violations concerning children’s privacy. The specific concerns were the lack of transparency and information only being provided in English; and
  • Meta was fined by the UK Information Commissioner Office (ICO) for €405 million in 2022 for setting profiles as public by default. This included children aged 13 to 17. It allowed the same age range to set up “business profiles.” A “business profile” makes their email address and phone number publicly available.
2023
  • In 2023 TikTok was fined by both the UK and Irish commissioners, for £12.7 million and €350 million respectively. The ICO found that TikTok had a vast number of accounts tied to children under 13, and that senior employees at TikTok were already aware of this. Additionally, the ICO considered that the measures in place to verify age and ask for parental consent were not appropriate, and that information on the processing was not provided in a transparent manner. The Irish Data Protection Commissioner (DPC)’s concern mirrored the ICO’s concern for Meta: it found that accounts from minors were publicly available;
  • OpenAI also saw a fine in 2023, this time from the Italian authority. The fine was for €15 million, related to, amongst other issues, the lack of age verification; and
  • In 2023, Meta was under fire again, subject to a €251 million fine from the Irish DPC. The fine followed a data breach that impacted approximately 29 million users including, amongst others, children and their data.
2025
  • Most recently in March 2025, articles have come out suggesting a new investigation on TikTok’s practices, meaning that scrutiny over the platform’s handling of children’s data remains ongoing.

Despite these substantial penalties, being some of the highest since the GDPR has taken effect, the effectiveness of these authorities intervening remains questionable. This is due to the lack of visible active changes to the platforms. 

New AI Age Verification Measures: What’s Changing?

In recent news, however, there have been pledges to make improvements in this sector starting in 2025. Both Google, specifically for its YouTube service, and TikTok suggest that they will use machine learning to help estimate users’ ages based on their interactions with the platforms. Meanwhile, Meta deems it sufficient that the Apple and Google app stores have implemented guardrails which prevent underage users from downloading apps rated above their age range. These proposed measures, whilst a potential improvement over no age assurance at all, still raise questions, one of the most pressing being whether this is really the most compliant way forward to avoid further fines related to the use of children’s data.

Flaws in Current Age Verification Methods

The current state of these platforms suggests that their approach to age verification remains flawed. Many still rely on basic verification methods, such as asking users to input their birth date instead of merely ticking a box confirming they are over 13. While this method may encourage slightly greater honesty from children, it remains easily bypassed without additional safeguards.

TikTok has taken a step forward since the fall of 2020 by applying more robust verification. This requires users who wish to go live to be over 18 and to confirm their age. This is done through facial age estimation, ID photo submission, or bank account verification. While this is a move in the right direction and aligns with age assurance mechanisms endorsed by Ofcom, it is still limited in scope. It also does not seem to be used when it comes to verifying users’ age in cases where parental consent is needed.

Parental Controls vs. Platform Responsibility

App stores like Google Play and Apple’s App Store allow parents to set restrictions on their children’s devices. This prevents the download of age-restricted apps. However, this shifts the responsibility onto parents rather than the platforms themselves. Notably, many social media platforms, including Facebook, Instagram, TikTok, and YouTube, are rated as 12+, despite the GDPR’s Article 8 establishing the minimum age for parental consent at 13. This discrepancy allows children to still access these platforms without parental approval.

The Push for Stricter Age Verification Laws

Some countries, like France, are considering following Australia’s example by proposing a complete ban on social media usage for children under 13. However, enforcing such a ban remains a challenge. Without effective age verification mechanisms, prohibiting access becomes difficult. Moreover, some critics argue that such restrictions may be unconstitutional or infringe upon children’s rights.

Research conducted by Ofcom in the UK indicates a rising trend in social media usage among children compared to previous years. While comparable EU-wide statistics are less readily available, it is reasonable to assume that similar trends apply globally. This growing demographic highlights the urgency of implementing effective protections, however, the solutions that have been proposed seem to also come with further risk. Therefore, these promises can be argued to be less geared towards the protection of children’s data, and more so related to avoiding further enforcement actions. 

Is AI Really the Solution?

As mentioned earlier, TikTok and YouTube plan to use machine learning algorithms to infer users’ ages, specifically targeting those who may be under 13. While this approach seems promising, it also introduces compliance risks.

The European Data Protection Board (EDPB) has issued a statement, effective from February 2025. The statement outlines the need for age assurance mechanisms to be effective, secure, and compliant with the GDPR principles. Among the key considerations is the right to avoid automated decision-making. The use of machine learning for age verification must be assessed on a case-by-case basis. It must include appropriate redress mechanisms, including the ability to request human intervention.

Additionally, the statement emphasizes that platforms processing children’s data must fully adhere to GDPR principles. This includes conducting a Data Protection Impact Assessment (DPIA) to evaluate risks and mitigation measures. Given that machine learning is considered high-risk processing and children’s data is inherently more sensitive, platforms must take extra precautions. AI-driven age verification is not outright prohibited. It is crucial that companies deploying such technologies do so with full compliance in mind.

Yoti and Third-Party AI Age Verification Solutions

That is not to say that it is impossible to carry out age verification safely while using AI. One of the providers that has garnered attention from major platforms such as Meta and OpenAI is UK-based Yoti Ltd. Yoti is an age verification provider that also makes use of AI when carrying out selfie age estimation. It provides guarantees that none of the data used for said verification is shared with the controller. Relying on a third-party solution, especially one that is based in Europe and may be more aware of GDPR restrictions and subject to more stringent requirements, could help mitigate some of the risks that have been mentioned so far.

Meta has provided no news on the use of the provider since 2023, and the result of its use for OpenAI is yet to be seen. Meanwhile, the statements from YouTube and TikTok remain vague on what exactly they mean when they say they will use AI or machine learning. Considering the past violations of the companies proposing these AI-driven solutions, it is fair to question whether they will implement them in a genuinely GDPR-compliant manner. Given the history of non-compliance, skepticism remains warranted. These platforms are looking into compliance from the enforcement point of view, as opposed to focusing on the protection of data subjects. 

Conclusion

Failure to implement effective age assurance mechanisms in line with GDPR’s Article 8 has been a common issue. It has resulted in many of the largest GDPR fines issued to social media platforms over the past three years. Despite this, platforms continue to lag in their efforts to protect children’s data. This continues even as the number of young users continues to grow.

While some governments advocate for stricter bans, platform providers are making promises to implement improved verification methods, including the use of AI to estimate users’ ages. This concept is not entirely new: TikTok already employs AI-driven age verification for its Live feature. Meta is currently also listed as a client of the UK-based age verification provider Yoti. Notably, Yoti has also been named as the provider required to verify the age of OpenAI’s users, a requirement imposed in response to a fine from the Italian DPA. As concerns surrounding AI, machine learning, and data privacy remain pressing, the methodology proposed by large social media platforms remains a cause of concern for the privacy of child users.


]]>