
Data is typically needed to train and fine-tune modern artificial intelligence models. AI can use data – including personal information – to recognize patterns and predict results.

The EU’s General Data Protection Regulation (GDPR) permits controllers to process personal information if one (or more) of the following six lawful processing purposes applies:[1]

  1. Consent. A company may process personal information if it obtains the consent of the individual to whom the data relates. Note, however, that the GDPR has specific requirements for what constitutes sufficient consent to form the basis of processing.
  2. Necessary to perform a contract. A company may process personal information if it collects personal information about a person as part of performing a contract with that person. For example, if an individual visits an eCommerce site and orders merchandise to be shipped to their house, the website is not required to ask the consumer for their consent to collect shipping information, transfer that information to a shipping company, or use that information to process an order.
  3. Necessary to comply with a legal obligation. A company may process personal information in order to comply with a European legal obligation that is imposed upon the company. So, for example, if a bank is required to report suspicious financial transactions to European government agencies charged with identifying money laundering, it is permitted to do so under the GDPR.
  4. Necessary to protect vital interests of a natural person. A company may process personal information in order to protect the “vital interests” of a person. So, for example, a company may collect the name of someone who has suffered an accident on their premises in order to assist them in getting medical care (e.g., where the person has become unconscious due to an injury and the company finds their name in a wallet).
  5. Processing is necessary for the performance of a task carried out in the public interest. A company may process personal information if the processing is necessary to perform a task that is in the “public interest.” As an example, a company may process personal information if it is retained by a European municipality in order to operate an emergency dispatch center.
  6. Processing is necessary for a legitimate interest pursued by a controller or a third party. A company may process personal information if the processing furthers a legitimate interest of the controller so long as the controller’s interest is not “overridden” by the interest or “fundamental rights and freedoms of the data subject which require protection of personal data.”[2] 

Some supervisory authorities have suggested that if a company uses publicly sourced data to train an AI (e.g., data scraped from the internet), the only plausible lawful purposes would be either (1) the consent of the individuals whose personal information is being provided or (2) the legitimate interest of the controller.[3] Where training data is obtained from other sources (e.g., consumers directly) it is possible that other lawful purposes might apply.


[1] GDPR, Article 6(1)(a)-(f).

[2] GDPR, Article 6(1)(f).

[3] Garante Per La Protezione Dei Dati Personali, Provision of April 11, 2023 [9874702] (English translation).

David A. Zetoony

David Zetoony, Co-Chair of the firm’s U.S. Data, Privacy and Cybersecurity Practice, focuses on helping businesses navigate data privacy and cyber security laws from a practical standpoint. David has helped hundreds of companies establish and maintain ongoing privacy and security programs, and he has defended corporate privacy and security practices in investigations initiated by the Federal Trade Commission, and other data privacy and security regulatory agencies around the world, as well as in class action litigation.

Carsten A. Kociok

Carsten Kociok is a partner in the Technology, Financial Services and Data Privacy Practice in Berlin and Co-Head of Greenberg Traurig’s global Fintech Group. He advises national and international clients across all industries, including financial services, information technology, artificial intelligence, ecommerce, media, health care, telecoms, retail and real estate, on a wide variety of complex commercial and regulatory matters.

Carsten is a leading technology lawyer, ranked consistently in Band 1 for Fintech Legal in Germany since 2020. He has in-depth and wide-ranging experience in the areas of privacy and cybersecurity, payments law, financial services, e-money products, blockchain technology, and financial and banking regulation, as well as in artificial intelligence regulation – including compliance with the EU AI Act – and the integration of AI technologies into existing software systems.

Carsten regularly assists clients in licensing projects and audit proceedings with financial regulators and advises on the contractual and regulatory aspects of developing, implementing and operating financial technology products and transactions.

On the data privacy side, Carsten counsels clients on complex data-driven business models and regulatory matters, including on international data transfers, data privacy compliance, monetization of data, artificial intelligence, litigation, cybersecurity and data breach response.

Carsten regularly lectures and publishes on various FinTech and data privacy topics. Prior to joining the firm, Carsten worked at Olswang Germany for eight years and in the Capital Transaction Practice Group of an international law firm in New York.

About Greenberg Traurig

Greenberg Traurig, LLP has more than 3,100 lawyers across 51 locations in the United States, Europe, the Middle East, Latin America, and Asia. The firm’s broad geographic and practice range enables the delivery of innovative and strategic legal services across borders and industries. Recognized as a 2025 BTI “Best of the Best Recommended Law Firm” by general counsel for trust and relationship management, Greenberg Traurig is consistently ranked among the top firms on the Am Law Global 100, NLJ 500, and Law360 400. Greenberg Traurig is also known for its philanthropic giving, culture, innovation, and pro bono work. Web: www.gtlaw.com.
