Media Centre

Spanish Privacy Regulator Issues Guidance on AI-Based Data Processing

4 March 2020


Technology &  Regulation in the Spotlight

The Spanish Data Protection Authority (“AEPD“) issued guidance on the application of the General Data Protection Regulation (“GDPR“) on products and services that embed Artificial Intelligence (“AI“).

The guide addresses the concerns and risks that managers and developers must take into account when designing, training and deploying AI-based data processing applications. The guide is focusing on weak AI components, which, unlike true or general AI, is characterized by the capacity to develop solutions for specific, well-defined problems.

An AI system is going through different stages from its creation to its deployment such as designing, training and deploying (the AI life cycle). According to the AEPD, each stage of this AI life-cycle may involve the processing of personal data which shall be subject to the provisions laid down by the GDPR. To comply with the principles and provisions of the GDPR, developers shall take a privacy-by-design approach that will allow them to develop a technologically and regulatory mature AI solution. The main areas of focus within the guide include the legal basis for processing, information and transparency, data subject rights, automated decisions, privacy impact assessment, accuracy and data minimization.

The guide provides managers and developers with specific and unique implications of the GDPR on AI applications. Due to the prominent risk of bias when using AI for decision making, the guide focuses on the principles of transparency and accuracy which the AEPD considers as critical in the case of AI-based processing. According to the AEPD, both principles shall be taken into consideration during each and every step in the AI’s life cycle to ensure the development of reliable AIs.

Since some of the obligations under the GDPR may be triggered by the scale of processing of personal information, they might be affected by the implementation of AI. Since most AI solutions are dependent on large volumes of data for training, testing and deployment, issues like data minimization and the obligations to conduct a privacy impact assessment and to appoint a data protection officer shall be taken into consideration before implementing any AI-based data processing solutions.

In terms of risk assessment, due to the high risk entailed by the use of AI-based solutions, the AEPD requires managers to assess whether the objective of the processing may not be achieved by using other less risky solutions. According to the AEPD’s guide, the availability or novelty of the technology does not justify on itself the use of such technology. When such AI solutions are indeed needed, the development of AI solutions who follow the principles of the GDPR and meet its requirements will not only protect the privacy of the data subjects, but will also ensure more mature solutions and enhance the trust of users in AI-based products and services.

This step is part of a regulatory trend by which various jurisdictions and regulators are examining the regulatory implications of AI technologies. In our previous client update we have reported on the publication of the European Commission’s White Paper on regulating AI.

Please feel free to contact us if you have any question on the effects of the new regulatory developments on development and implementation of AI based tools.


Feel free to contact us with any further question or comments regarding the update and subjects detailed above.

Kind regards,

Ariel Yosefi, Partner

Co-Head | Technology & Regulation Department

Herzog Fox & Neeman

Search by +