Lesson 2 of 5 · 10 min read

Legal Bases for AI Processing

Any processing of personal data by an AI system needs a legal basis under Art. 6 GDPR. Without a valid legal basis, the processing is unlawful, no matter how useful the AI is.

The Most Relevant Legal Bases for AI

1. Consent (Art. 6(1)(a))

The data subject's consent is the best-known legal basis.

Requirements:

  • Voluntary (no disadvantages if refused)
  • Informed (clear explanation of what happens with the data)
  • Specific (for the concrete AI purpose)
  • Unambiguous (active action, no pre-checked checkbox)
  • Revocable (at any time, as easily as granting it)

Suitable for: Newsletter personalization, optional AI features, research

Problematic for AI:

  • Hard to explain what exactly the model does with the data
  • Revocation can be difficult if data is already part of training
  • Power imbalance (e.g., employer-employee)

2. Legitimate Interest (Art. 6(1)(f))

In practice, legitimate interest is the most common legal basis for AI.

Three-Step Test:

  1. Identify legitimate interest: e.g., efficiency gains, fraud prevention, quality assurance
  2. Check necessity: Is AI the least intrusive means of achieving the goal?
  3. Balancing of interests: Does the company's interest outweigh the data subject's interests?

Suitable for: Spam filters, anomaly detection, process optimization, customer support AI

Documentation: The balancing test must be documented in writing (accountability).

3. Contract Performance (Art. 6(1)(b))

When AI processing is necessary for contract performance:

Requirements:

  • The data subject is a contracting party
  • AI processing is objectively necessary for contract performance
  • Not mere usefulness — but necessity

Suitable for: AI-based product recommendations as part of the service, automated contract analysis, personalized services

Not suitable for: "We use your data for AI training" as a contract term — that's not genuine contract performance.

Choosing a Legal Basis: Decision Tree

  1. Is AI processing contractually necessary? → Art. 6(1)(b)
  2. Is there a legal obligation to process? → Art. 6(1)(c)
  3. Does the legitimate interest outweigh the data subject's interests? → Art. 6(1)(f)
  4. Is voluntary consent realistic? → Art. 6(1)(a)
  5. No legal basis possible? → Processing not permitted

Legal Basis for AI Training

A special topic: May you use user data to train your AI model?

  • Consent: Possible, but revocation is problematic (how do you remove data from a trained model?)
  • Legitimate interest: Possible with anonymization or pseudonymization
  • Contract performance: Generally not applicable

Practical Tip: Choose the legal basis before starting the AI project — not retroactively. Switching the legal basis is possible but risky and can make the supervisory authority suspicious.