Lesson 5 of 5·10 min read

Data Subject Rights and AI

GDPR grants data subjects extensive rights — and these apply to AI systems too. Particularly relevant is Art. 22 GDPR: the right not to be subject to a decision based solely on automated processing.

Data Subject Rights in the AI Context

1. Right of Access (Art. 15)

Data subjects can ask: "What do you know about me?"

For AI systems, this includes:

  • What personal data is being processed?
  • For what purpose is it processed by AI?
  • To whom is data disclosed (including AI providers)?
  • How long is data stored?
  • Meaningful information about the logic involved (for automated decisions)

Challenge: How do you explain the "logic involved" in an LLM? The answer: You don't need to explain the algorithm, but make the decision process comprehensible.

2. Right to Rectification (Art. 16)

Data subjects can have incorrect data corrected.

AI-specific: When an AI system makes an incorrect classification (e.g., wrong credit rating), correction must occur not only in the output but also in the underlying data.

3. Right to Erasure (Art. 17)

The "right to be forgotten" — data subjects can request deletion of their data.

AI challenge: Can you "delete" data from a trained model? In practice, hardly:

  • Prompt/response logs: Can and must be deleted
  • Training data: Deletion from the dataset is possible, retraining is costly
  • Model weights: Individual data points cannot be extracted
  • Solution: Document that data was removed from the training dataset and retrain when feasible

4. Right to Restriction (Art. 18)

Data subjects can request restriction of processing — e.g., while reviewing accuracy.

Practice: Flag affected records so they're excluded from AI processing.

5. Right to Data Portability (Art. 20)

Data subjects can receive their data in a machine-readable format.

AI context: Applies to data the subject provided — not to AI-generated outputs or inferences.

Art. 22: Automated Decision-Making

The most important article for AI — Art. 22 GDPR:

Principle: Data subjects have the right not to be subject to a decision based solely on automated processing which produces legal effects concerning them or significantly affects them.

What Does This Mean Concretely?

| Permitted (no Art. 22) | Prohibited without exception (Art. 22) |
| --- | --- |
| AI recommendation, human decides | AI alone decides on credit approval |
| AI pre-screening, human makes final selection | AI automatically rejects application |
| AI score as decision aid | AI automatically terminates contract |

Exceptions to Art. 22

Automated decisions are permitted when:

  1. They are necessary for a contract
  2. They are authorized by EU or national law
  3. The data subject has given explicit consent

Additional safeguards apply for exceptions:

  • Right to human review
  • Right to express one's point of view
  • Right to contest the decision

Practical Implementation

| Measure | Priority |
| --- | --- |
| Define process for access requests (including AI data) | High |
| Human-in-the-loop for AI decisions with legal effect | Critical |
| Create deletion concept for AI processing data | High |
| Review Art. 22 compliance for all automated decision processes | Critical |

Remember: Art. 22 doesn't mean you can't use AI for decisions. It means a human must have the final say when the decision has legal effect or significantly affects the data subject.
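The two controls that recur above, the Art. 18 restriction flag that keeps a record out of AI processing and the Art. 22 human-in-the-loop gate for decisions with legal or similarly significant effect, can be made explicit in the decision pipeline itself. The following is an added example written for this lesson, not code from the original page; the model stand-in, the feature names, the thresholds and the subject records are all constructed, and the recorded factors illustrate the "meaningful information about the logic involved" that an Art. 15 response would draw on:

```python
"""Added example (not part of the original lesson): a minimal decision
gateway that enforces the controls described in the text.

 - Art. 18: a record flagged as restricted is excluded from AI processing.
 - Art. 22: an AI output that would produce a legal or similarly significant
   effect is never applied automatically; it is queued for a human who has
   the final say.
 - Art. 15: every AI-assisted outcome records the factors behind the score so
   the decision process can be explained to the data subject.

All names, thresholds and subject data are constructed for illustration.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Optional, Tuple


class Effect(Enum):
    NONE = "none"                # e.g. a product recommendation
    SIGNIFICANT = "significant"  # legal effect or similarly significant (Art. 22)


@dataclass
class Subject:
    subject_id: str
    restricted: bool = False     # Art. 18 restriction flag set on the record


@dataclass
class Outcome:
    subject_id: str
    status: str                  # excluded | auto_applied | pending_human_review | human_approved | human_rejected
    ai_score: Optional[float] = None
    factors: List[str] = field(default_factory=list)
    reviewer: Optional[str] = None


def ai_score(features: Dict[str, float]) -> Tuple[float, List[str]]:
    """Constructed stand-in for a model: returns a score in [0, 1] and the
    factors that moved it, so the logic can be explained (Art. 15)."""
    score = 0.5
    factors: List[str] = []
    if features.get("missed_payments", 0) > 2:
        score -= 0.3
        factors.append("missed_payments > 2")
    if features.get("income", 0) > 40000:
        score += 0.2
        factors.append("income > 40000")
    return max(0.0, min(1.0, score)), factors


def decide(subject: Subject, features: Dict[str, float], effect: Effect,
           review_queue: List[Outcome]) -> Outcome:
    """Run the AI as a decision aid and apply the Art. 18 / Art. 22 gates."""
    # Art. 18: a restricted record is not fed into AI processing at all.
    if subject.restricted:
        return Outcome(subject.subject_id, "excluded")

    score, factors = ai_score(features)

    if effect is Effect.SIGNIFICANT:
        # Art. 22: the score is only an aid; a human must take the decision.
        outcome = Outcome(subject.subject_id, "pending_human_review", score, factors)
        review_queue.append(outcome)
        return outcome

    # No legal or similarly significant effect: automation is permitted.
    return Outcome(subject.subject_id, "auto_applied", score, factors)


def apply_human_decision(outcome: Outcome, reviewer: str, approved: bool) -> Outcome:
    """Record the human's final say; only queued outcomes may be closed this way."""
    if outcome.status != "pending_human_review":
        raise ValueError("only outcomes awaiting human review can be decided here")
    outcome.reviewer = reviewer
    outcome.status = "human_approved" if approved else "human_rejected"
    return outcome


if __name__ == "__main__":
    queue: List[Outcome] = []
    print(decide(Subject("s1", restricted=True), {"missed_payments": 5}, Effect.SIGNIFICANT, queue))
    pending = decide(Subject("s2"), {"missed_payments": 3, "income": 50000}, Effect.SIGNIFICANT, queue)
    print(pending)
    print(apply_human_decision(pending, reviewer="credit-officer-01", approved=False))
    print(decide(Subject("s3"), {"income": 50000}, Effect.NONE, queue))
```

The design point is that the distinction in the table above is encoded as data (`Effect`) rather than left to the caller's discretion: a credit or contract decision can only ever leave `decide()` in the `pending_human_review` state, and the audit record carries the factors a data subject can ask for under Art. 15.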


Quiz

Question 1 of 3

What does Art. 22 GDPR state in the context of AI systems?