On May 6, 2024, the German Data Protection Conference (DSK) published a Guidance on artificial intelligence and data protection (the Guidance). In particular, the Guidance focuses on Large Language Models (LLM), without excluding its possible application for other artificial intelligence (AI) applications.

The Guidance includes examples and is aimed at the deployers of AI applications, as well as indirectly at developers, manufacturers, and providers of AI systems.

Conception of the use and selection of AI applications

The Guidance outlines that deployers of AI applications must determine their field of application and the purposes for which they will serve. In particular, the deployers must consider whether:

• the field of application of the AI application is legal;
• personal data is processed;
• the training of the AI application was done in accordance with the data protection regulations;
• the legal basis for the processing, which can vary depending on whether the deployer is a public or non-public body and the field of application, such as human resources, healthcare, or processing in the area of a consumer or service contract;
• the AI application develops proposals that are used as a primary basis for decisions that have legal effects on individuals and thus lead to infringement of Article 22 of the General Data Protection Regulation (GDPR);
• the AI application is part of a closed or open system (i.e., restricted and technically closed environment or not);
• the transparency requirements under GDPR are fulfilled, including regarding input and output history, as well as the option to exclude the use of the data for training;
• the individuals are provided with data subject rights, in particular rights to rectification and erasure; and
• the involvement of the data protection officers (DPO) and employee representatives in the decisions regarding the AI application.

Implementation of AI applications

The Guidance states that deployers of the AI applications must:

• define responsibility and regulate it bindingly, including with external providers and joint controllers;
• issue and document internal regulations determining the conditions and specific purposes for the use of the AI applications;
• carry out a Data Protection Impact Assessment (DPIA) before processing personal data;
• provide devices and accounts for the professional use of AI applications by employees;
• take into account principles of data protection by design and by default when designing the AI system;
• in addition to the technical and organizational measures required by Articles 25 and 32 of the GDPR, also meet the requirements applicable to IT systems;
• raise awareness by providing training, guidelines, and discussions; and
• monitor future legal and technical developments.

Use of AI applications

The Guidance highlights that AI application deployers must take particular care when entering and outputting personal data, as well as with special categories of personal data. Furthermore, the deployers must check results for inaccuracies and discriminatory effects.

You can read the Guidance, only available in German, here.