The House of Data Imperiali bulletins are extracts from the articles of the Legal Information Service (SIG) edited by Mr. Rosario Imperiali d’Afflitto.

The SIG is available by subscription only.

For further information, please email:

Artificial Intelligence in the GDPR

EU Data Strategy

The proposal for an Artificial Intelligence Regulation is part of the broader EU data strategy that has already produced a large number of regulations aimed at creating a single European data market:   

  • the Data Governance Act and the Data Act, which aim is to facilitate the free movement of data;   
  • the Digital Service Act and the Digital Market Act, which create the conditions for reliable online markets and services.

The NIS2, a proposal for a directive that modernizes the framework of rules on cybersecurity, and EIDAS, the regulation on digital identity, whose updating is being evaluated, complete the package.  

This regulatory framework is complemented by the one for the protection of the fundamental rights and freedoms of individuals in relation to the use of personal data and electronic communications, which has priority, as a direct application of the Charter of Rights and Article 16 of the Treaty on the Functioning of the EU.

GDPR and A.I.

As the President of the Italian data protection Authority pointed out in his hearing, the only legislation that currently regulates artificial intelligence is the GDPR and, even after the future Artificial Intelligence Act (“AIA”) comes into force, the “privacy” regulation is destined to remain the one that will need to be referred to in cases where algorithms use personal data or when they produce information referable to individuals.

GDPR Primacy

For this reason, the AIA cannot be the legal basis (i.e., the legal justification) for processing of personal data carried out using AI tools: such processing must always be screened «in accordance with the applicable requirements resulting from the Charter and from the applicable acts of secondary Union law (such as the GDPR) and national law »; with the sole exception of processing of personal data collected for other purposes, as for the development of certain artificial intelligence systems in the public interest “within the regulatory AI sandboxes“. “Regulatory AI sandboxes – the objective of which is to promote innovation in AI – are those «established by one or more Member States competent authorities or the European Data Protection Supervisor (which) provide a controlled environment that facilitates the development, testing and validation of innovative AI systems for a limited time before their placement on the market or putting into service pursuant to a specific plan.» [Recitals (41) and (72) and Articles 53-54, AIA].

Human-Centric approach

Recital (4) of the GDPR makes it clear that “[t]he processing of personal data should be designed to serve mankind.” Similarly, the framework regulating artificial intelligence systems is based on an anthropocentric philosophy (see, Commission document “Building Trust in Human-Centric Artificial Intelligence, COM(2019) 168 final).


According to the 2019 “Ethical Guidelines for Trustworthy AI” document from the High-level Expert Group on Artificial Intelligence, trustworthy AI is based on three components:  

  1. Lawfulness, i.e., complying with all applicable laws and regulations  
  1. Ethicality, ensuring adherence to ethical principles and values  
  1. Robustness, both from a technical and social perspective to avoid the risk of distorting effects and abuse.  

The three components are complementary. From an ethical standpoint, the document promotes adherence to the following principles:  

  • respect for human autonomy, i.e., humans do not delegate their responsibilities to machines  
  • recognizing risks and taking appropriate measures to mitigate them, preventing damages 
  • explicability of the underlying logical mechanisms  
  • attention to the most vulnerable groups.  

The GDPR, for its part, elevates transparency and fairness to general principles of lawfulness in the processing of personal data.