August 5, 2025
By Olena Nechyporuk
The CNIL has published its first recommendations on the application of the GDPR to the development of artificial intelligence systems to help professionals reconcile innovation with respect for individual rights.
MYTH: the GDPR hinders innovation in artificial intelligence in Europe. This is false.
Training databases sometimes include ‘personal data’. Its use poses risks to individuals, and those risks must be taken into account in order to develop AI systems in a manner that respects individuals' right to privacy.
When personal data is used for the development of an AI system, both the GDPR and the AI regulation apply.
Step 1: Define an objective (purpose) for the AI system
Step 2: Determine your responsibilities
Step 3: Define the ‘legal basis’ that authorises you to process personal data
Step 3: Adapt the safeguards to data harvesting
Step 4: Check whether you can reuse certain personal data
Step 5: Minimise the personal data used
Step 6: Define a retention period
Step 7: Inform individuals
Step 8: Ensure the exercise of rights
Step 9: Secure your AI system
Step 10: Analyse the status of an AI model
Step 11: Comply with GDPR principles during the annotation phase
Focus: Conduct a data protection impact assessment (DPIA)
The CNIL has recently released a series of guidelines and additional advice for AI developers, highlighting how they ought to integrate personal data correctly and in compliance with the GDPR.
One of the resources is a table outlining everything that AI developers should consider when processing personal data. See the table here.
See the French original
Note: translations are made with DeepL and may not be 100% accurate.