IDPC delivers technical-focused seminar on data protection and AI to technical experts

09 June 2025

The Information and Data Protection Commissioner (IDPC), represented by legal counsel Dr Marco Fagnano, delivered a seminar to technical experts, held at the MDIA, focusing on the regulatory implications of AI from a data protection perspective, with a view to ensuring compliance with the GDPR in light of the AI Act.

He began by outlining how AI-related processing can fall under both the GDPR and the AI Act, clarifying their distinct scopes and identifying when each framework applies. He explained the overlapping and separate obligations, helping technical experts navigate compliance in complex scenarios.

A central part of the seminar addressed the presence of personal data within generative AI systems, particularly large language models (LLMs). Dr Marco Fagnano undertook this by addressing the individual stages of LLM development—being training, learning and data storage, and response generation—illustrated via a visual infographic. He highlighted how these processes often involve the processing of personal data, bringing them under the scope of the GDPR alongside the AI Act.

He further explained LLM architecture, including the use of vector-based datasets, to demonstrate how personal data may be qualified as being processed, throughout various AI lifecycle stages. Insights were drawn from a technical session at the European Court of Human Rights, which informed the IDPC’s understanding of data protection challenges posed by LLMs.

Dr Fagnano also examined different categories of AI systems—those considered high-risk, prohibited, or requiring heightened oversight—under the AI Act, and the corresponding data protection obligations under the GDPR. He emphasised that automated or autonomous decision-making tools must incorporate safeguards such as human oversight (“human-in-the-loop”) to comply with Article 22 of the GDPR.

He raised concerns about AI’s opacity, which can make it difficult for individuals to understand or contest decisions, posing risks to transparency and accountability. In closing, Dr Marco Fagnano underscored the importance of embedding compliance with both the GDPR and the AI Act by “design and default,” ensuring AI systems are legally sound from the outset and do not create downstream regulatory issues for developers or deployers.