The GDPR allows individuals to request that their information be deleted in the following situations:[1]

  • Organizations must delete data upon request if the data was processed based solely on consent. The GDPR recognizes that organizations may process data based on six alternate lawful grounds.[2] One of these is where a person has given

The right of correction (sometimes called the “right of rectification”) refers to a person’s ability to request that an organization fix any inaccuracies in the personal data it holds about them.[1] Correction is sometimes referred to as an absolute right in the context of the GDPR, because unlike some other rights conferred by the

The right to access refers to a person’s ability to request that a controller confirms whether it has personal data about them and to receive information about the processing and a copy of that information. While the GDPR confers a right of access, this right predates the GDPR and can be found within other EU

Not necessarily. 

Under the GDPR, controllers are required to provide information relating to what personal data they process, and how that processing takes place. 

If the personal data the organization includes in AI prompts has been collected directly from individuals, those individuals should be provided with a copy of the organization’s privacy notice “at the

Under the GDPR, controllers are required to provide individuals with information relating to what personal data is processed, and how that processing takes place. Some supervisory authorities have specifically taken the position that organizations which use personal data to train an artificial intelligence (AI) must draft and publish a privacy notice that provides “data subjects

Data is typically needed to train and fine-tune modern artificial intelligence (AI) models. AI can use data—including personal information—to recognize patterns and predict results.

The GDPR permits controllers to process personal information if one (or more) of the following six lawful processing purposes applies:[1]

  1. Consent. A company may process personal information if it collects

Join Greenberg Traurig attorneys and in-house counsel Sept. 20, 2023, for a day of CLE panels and lectures focused on the latest risks companies should focus on. Each session will present practical guidance on cutting-edge issues to help counsel materially reduce risk right now, while discussing what’s next. This in-person summit will address a

When Implementing New Privacy Requirements, Don’t Forget User Perception

Recent events involving famous podcaster and comedian Joe Rogan and fitness device company Polar are a lesson in the delicate balancing act businesses face between privacy compliance and a positive user experience.

Joe Rogan screengrab of Polar Private Notice and Temporary Account Lock

A Backdrop of New Privacy Norms

Considering new and stringent privacy regulations, companies are

Most modern U.S. state data privacy laws exempt from their definition of personal information “publicly available information.” What constitutes publicly available information differs between state privacy laws and may not correlate to the lay definition understood by many businesses and individuals. For example, while some businesses may consider information that is available on the internet