All citations in this part are from http://
Definitions¶
Art. 4 (1): “‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly”.
Art. 4 (7): “‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data”
Art. 4 (8): “‘processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller”
Non-applicability¶
Recital 26: “Not Applicable to Anonymous Data”
“The principles of data protection should therefore not apply to anonymous information, namely information which does not relate to an identified or identifiable natural person or to personal data rendered anonymous in such a manner that the data subject is not or no longer identifiable. This Regulation does not therefore concern the processing of such anonymous information, including for statistical or research purposes.”
Principles¶
Art. 5 (1) introduces the principles for personal data and its processing:
Lawfulness, fairness and transparency (process legally, treat people fairly, and explain clearly)
Purpose limitation (only for specific purposes)
Data minimization (use only the minimum amount of personal data necessary)
Accuracy (ensure personal data is correct and keep it updated)
Storage limitation (do not keep personal data longer than necessary)
Integrity and confidentiality (ensure appropriate security of the data to prevent loss, misuse, or unauthorised access using appropriate technical or organisational measures)
Art. 5 (2) introduces the principle of responsibility of the controller for paragraph 5.
Accountability
Legal basis or lawfulness¶
Art. 6 (1) “Processing shall be lawful only if”:
Consent
Contract
Legal obligation
Protection of vital interests of a natural person
Public task done in public interests
Legitimate interest
The rights of individuals¶
Right to be informed: You can obtain information about the processing of your personal data.
Right of access: You can obtain access to the personal data held about you.
Right to rectification: You can ask for incorrect, inaccurate or incomplete personal data to be corrected.
Right to erasure: You can request that personal data be erased when it’s no longer needed or if processing it is unlawful.
Right to restriction of processing: You can request the restriction of the processing of your personal data in specific cases.
Right to data portability: You can receive your personal data in a machine-readable format and send it to another controller.
Right to object: You can object to the processing of your personal data for marketing purposes or on grounds relating to your particular situation.
Rights in relation to automated decision-making and profiling: You can request that decisions based on your personal data and that significantly affect you are made by natural persons, not only by computers.
Processing of special categories of personal data¶
Art. 9 (1): “Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation shall be prohibited.”
Art. 9 (2): A selected list of exceptions relevant in a research context
Consent
Protection of vital interests of a natural person
Personal data which are manifestly made public by the data subject
Public interests
For archiving purposes in the public interest, scientific or historical research purposes or statistical purposes
Safeguards and derogations relating to processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes¶
Art. 89 (1):
Processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, shall be subject to appropriate safeguards […] for the rights and freedoms of the data subject.
Those safeguards shall ensure that technical and organisational measures are in place in particular in order to ensure respect for the principle of data minimisation.
Those measures may include pseudonymisation provided that those purposes can be fulfilled in that manner.
Security of processing¶
Art. 32 (1) “the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk”:
the pseudonymisation and encryption of personal data;
the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.
More important excerpts for research¶
Art. 44-50: Personal data may only be transferred outside of the European Economic Area in compliance with the conditions for such transfers laid down in Chapter 5 of the GDPR. The main types of transfer tools include standard data protection clauses (SCCs), binding corporate rules (BCRs), codes of conduct, certification mechanisms, and ad hoc contractual clauses.
Recital 156: “The processing of personal data for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes should be subject to appropriate safeguards for the rights and freedoms of the data subject”
Data protection impact assessment (DPIA)¶
Art. 35 (1): “Where a type of processing in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data.”
The purpose of the DPIA is to identify, assess and mitigate any risks to the rights and freedoms of affected (natural) persons that may result from data processing (“The Data Protection Impact Assessment according to Article 35 GDPR. A Practitioner’s Manual.”, https://publica-rest.fraunhofer.de/server/api/core/bitstreams/e6b91341-71f4-409b-8446-03432231a0d0/content)
What are risks as defined in the GDPR?¶
Recital 75: “The risk to the rights and freedoms of natural persons, of varying likelihood and severity, may result from personal data processing which could lead to physical, material or non-material damage”
“Non-material damages may be of a social, personal, and legal nature” (see “The Data Protection Impact Assessment according to Article 35 GDPR. A Practitioner’s Manual”):
Social disadvantages
Damage to privacy
Chilling effects (e.g., a state in which persons refrain from exercising their rights)
(Unjustified) interference with rights
GDPR and AI¶
GDPR applies to all stages of the AI lifecycle if personal data is processed (including data collection, filtering, and processing; model training, fine-tuning, augmentation, validation, and inference; inputs and outputs of an AI system; data & model archiving)
EDPB opinion on AI models¶
The European Data Protection Board (EDPB) issued an opinion on AI models: “GDPR principles support responsible AI” (https://www.edpb.europa.eu/news/news/2024/edpb-opinion-ai-models-gdpr-principles-support-responsible-ai_en)
“The EDPB considers that, for an AI model to be considered anonymous, using reasonable means, both (i) the likelihood of direct (including probabilistic) extraction of personal data regarding individuals whose personal data were used to train the model; as well as (ii) the likelihood of obtaining, intentionally or not, such personal data from queries, should be insignificant for any data subject. By default, supervisory authorities should consider that AI models are likely to require a thorough evaluation of the likelihood of identification to reach a conclusion on their possible anonymous nature. This likelihood should be assessed taking into account ‘all the means reasonably likely to be used’ by the controller or another person, and should also consider unintended (re)use or disclosure of the model” (https://www.edpb.europa.eu/system/files/2024-12/edpb_opinion_202428_ai-models_en.pdf)
“When an AI model was developed with unlawfully processed personal data, this could have an impact on the lawfulness of its deployment, unless the model has been duly anonymised.” (https://www.edpb.europa.eu/news/news/2024/edpb-opinion-ai-models-gdpr-principles-support-responsible-ai_en)
Tools: Data anonymization at your laptop¶
Existing data anonymization tools often rely on named entity recognition (NER) pipelines to find the personal data they replace.
Alternatively, one could use a locally hosted open-weight model for anonymization. See example.
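An added example (not from the original page or from any named tool): a minimal Python sketch of the detect-and-replace step such tools perform, with regular expressions standing in for the NER stage and keyed HMAC-SHA256 tokens as the replacement. The patterns, `DEMO_KEY`, `SAMPLE` and the function names are assumptions made for illustration.

```python
import hashlib
import hmac
import re

# Pattern detectors standing in for the NER stage of a real tool (assumption:
# they only catch fixed-shape identifiers; names and places need a model).
DETECTORS = {
    "EMAIL": r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}",
    "PHONE": r"\+?\d[\d ()/-]{7,}\d",
}
# One combined pattern, so already-inserted tokens are never rescanned.
COMBINED = re.compile("|".join(f"(?P<{k}>{p})" for k, p in DETECTORS.items()))

# Constructed demo key. A real key is random and stored apart from the data.
DEMO_KEY = b"constructed-demo-key"

# Constructed sample text; the person and contact details are invented.
SAMPLE = (
    "Participant 17 wrote from Jana.Novak@example.org and later from "
    "jana.novak@example.org; callback number +49 30 1234567."
)


def pseudonym(kind: str, value: str, key: bytes) -> str:
    """Derive a stable token for one identifier with HMAC-SHA256."""
    if kind == "PHONE":
        normalised = re.sub(r"\D", "", value)      # keep digits only
    else:
        normalised = value.strip().lower()         # case-insensitive match
    mac = hmac.new(key, f"{kind}:{normalised}".encode(), hashlib.sha256)
    return f"<{kind}_{mac.hexdigest()[:12]}>"


def pseudonymise(text: str, key: bytes):
    """Replace detected identifiers; return (new_text, per-kind counts)."""
    counts = {}

    def replace(match):
        kind = match.lastgroup                     # name of the detector that hit
        counts[kind] = counts.get(kind, 0) + 1
        return pseudonym(kind, match.group(0), key)

    return COMBINED.sub(replace, text), counts


if __name__ == "__main__":
    redacted, found = pseudonymise(SAMPLE, DEMO_KEY)
    print(redacted)
    print(found)
```

The same address always maps to the same token, so records stay linkable for analysis. Because whoever holds the key can recompute the tokens, the output is pseudonymised rather than anonymous in the sense of Recital 26.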
Data controls in ChatGPT¶
Data residency and inference residency in ChatGPT¶
Data residency (storage at rest) controls where customer content is stored when it is saved by the service (for example, chat history, files, and GPT configurations).
Inference residency (model execution) controls where model inference on customer content runs on GPUs (for example, generating responses, embedding documents), for supported regions.
Data residency for ChatGPT is currently available in the following regions: Australia, Canada, Europe (EEA + Switzerland), India, Japan, Singapore, South Korea, United Arab Emirates, United Kingdom, and United States
Who can use it? Eligible API customers and new ChatGPT Enterprise/Edu customers
02.12.2025 (https://
ChatGPT and GDPR-Compliance¶
The GDPR does not mandate data localization, but it outlines strict rules and requirements for processing data outside of the EEA, including adequacy decisions, standard contractual clauses, certifications, and binding corporate rules.
See https://