Guidelines published on ensuring data protection in the development and use of AI systems

Publication date 20.5.2025 10.05 | Published in English on 4.7.2025 at 17.28
Type: Press release

Personal data is often processed in systems using artificial intelligence (AI) for different purposes. We have collected information on our website about the data protection aspects organisations must consider when they develop or deploy AI systems.

If personal data is processed in the AI system, data protection legislation must be complied with in the development and use of the system. The use of AI systems is also regulated by the EU AI Act, which entered into force in 2024. The AI Act defines prohibited AI practices and lays down requirements for high-risk AI systems, among other matters.

Our guidelines explain how organisations can ensure that personal data is processed lawfully in AI systems. The guidelines are not exhaustive, and organisations must still always assess the requirements arising from legislation case by case.

The guidelines will be supplemented and updated when necessary. The guidelines are available in English, Finnish and Swedish.

Guidance for assessing the data protection risks of AI systems and compliance with data protection principles

Organisations must assess the data protection risks associated with AI systems before the personal data processing is started. Risks must be assessed from the perspective of the people whose data will be processed. Based on the risk assessment, the organisation must decide, for example, on the security measures required. Among other matters, our website explains when personal data processing meets the criteria for high risk and when carrying out a data protection impact assessment is mandatory.

To ensure that personal data processing is lawful, a processing basis is always required. If an organisation develops or uses an AI system, it must choose a processing basis that fits the planned purpose. A processing basis is also required if an AI system is trained with data that includes personal data. The guidelines describe the application of different processing bases in more detail.

In addition, the guidelines include instructions for organisations on considering the data protection principles of the General Data Protection Regulation, such as data minimisation and purpose limitation. Organisations must always carefully determine what personal data is necessary and for what purposes the data will be used in the AI system. AI systems must also be designed and developed in such a way that they allow people to exercise their data protection rights.

Individuals must be informed clearly and plainly of the personal data processing in the AI system. The guidelines detail what information must be provided to individuals about the processing of their personal data and in what cases it is allowed to deviate from the obligation to inform.

More information:

Data protection in the development and use of AI systems

The EU AI Act in the EUR-Lex service