AEPA: Guide to Adapt Products and Services Using AI to GDPR

The Spanish Agency for Data Protection (AEPA) published on February, 13th 2020 a first guide for the adequacy to regulation (EU) 2016/679 (on the protection of natural persons with regard to the processing of personal data and on the free movement of such data) of products and services that include and use artificial intelligence components. According to the guide:

“This document does not intend to carry out an exhaustive review of what is established in the GDPR, but does address the doubts raised in the framework of personal data protection and indicates the most relevant aspects in the AI-GDPR relationship that must be taken into account from the design and implementation of treatments that include AI[1]”.

The AEPA adopted a pedagogical method to explain clearly the issues at stake:

  • What is artificial intelligence ? 
  • How does it fit to products and services ? 
  • What is the role of the GDPR ? (The AEPA refers here to the most relevant articles related to the issue of artificial intelligence, the various definitions related to data protection and the obligations established by the GDPR in this area). 

In its guide, the AEPA developed in a detailed way the questions of compliance and risk management with regard to specific rights and freedoms, such as:

  • The right to access data
  • The right to delete data
  • The right to rectify data

Part of the report is dedicated to the issue of Data Protection Impact Assessments (DPIA) applicable in the AI field, the assessment of the impact on privacy and the evaluation of the proportionality and necessity for such treatment.

The guide is not as explicit concerning the issue of responsibility. The guide states that “in the different stages of the life cycle of an IA component, the natural, legal, public authority or other person who makes the decision to carry out the processing of personal data will be responsible for the processing of personal data[2]“. However, it only intends “to cover the most common cases and guide the new situations that may arise in the market[3]”, excluding more complex examples of responsibility in blockchain or big data cases.

Nevertheless, the guide presents itself as a tool under construction which can be used for possible new issues and cases. As the AEPA emphasized in its conclusion, “this document is intended as a mere introduction to the adequacy of treatments that include AI components and does not cover all the possibilities and risks that may arise from the use of AI solutions in personal data processing[4]”.

Source :


[1] Original contents in Spanish, translation made by myself 

[2] Original contents in Spanish, translation made by myself 

[3] Original contents in Spanish, translation made by myself

[4] Original contents in Spanish, translation made by myself

Like this article?
Share on Facebook
Share on Twitter
Share on Linkdin
Share by Email