AIGP Study Guide
Module 5: Existing Laws & AI · BoK III.A

Obligations on Data Controllers

Controllers decide what and how personal data is processed - whether a human or an AI does the processing, the GDPR still applies. Nine duty areas span processing principles and design, DPIAs, third-party processors, cross-border transfers, data subject rights, automated decisions, incident management, breach notification and record keeping.

  1. Processing principles + design → processing must be lawful, fair, transparent; apply minimisation, purpose limitation, storage limitation, accuracy, integrity. Implement data protection by design and default, particularly minimisation.
  2. DPIAs → ask: are notice and consent requirements met? What personal data trains the model, and where is it collected from? Is the processing likely to change? What is the impact on individuals? Meet or exceed GDPR requirements.
  3. Third-party processors → verify processor AI systems comply with the GDPR · check externally sourced data can lawfully be used · ensure no onward sharing without appropriate consent.
  4. Cross-border transfers → exchanging data across borders to develop, train and deploy AI is a cross-border transfer; have appropriate agreements in place, respect data localisation commitments, and check whether data is accessed from or shared out of the EU.
  5. Data subject rights → access, rectify, erase, restrict, plus the right to understand how AI decisions are made and to request human intervention.
  6. Automated decision-making → the Article 22 restriction and its three exceptions; remember automated recruitment = high-risk under the EU AI Act, human oversight required.
  7. Incident management → AI's "black box" nature makes it hard to determine an incident's extent and report accurately; counter with accurate records and regular testing, and if procuring AI, contractually require assistance with incident management.
  8. Breach notification → knowing who to notify is hard without documentation and testing; get clear vendor answers on how they will help respect data subject rights.
  9. Record keeping → keep accurate records of how the system is intended to operate, test regularly that it behaves as expected, and maintain a record of processing activities with at least the regulatory minimum of information.

Key terms - quick answers

What is “Data controller”?
The party that decides what and how personal data is processed; the GDPR applies whether a human or AI processes it.
What is “DPIA”?
Data Protection Impact Assessment - assesses the risks of high-risk or significant processing; must meet or exceed GDPR requirements.
What is “Record of processing activities”?
A controller record kept with at least the regulatory minimum information on how the system operates.