Data is typically needed to train and fine-tune modern artificial intelligence (AI) models. AI can use data—including personal information—to recognize patterns and predict results.
The GDPR permits controllers to process personal information if one (or more) of the following six lawful processing purposes applies:
- Consent. A company may process personal information if it collects the consent of the individual about whom the data relates. Note, however, that the GDPR has specific requirements for what constitutes sufficient consent to form the basis of processing.
- Necessary to perform a contract. A company may process personal information if it collects the information about a person as part of performing a contract with that person. For example, if an individual visits an eCommerce site and orders merchandise to be shipped to their house, the website is not required to ask the consumer for their consent to collect shipping information, transfer that information to a shipping company, or use that information to process an order.
- Necessary to comply with a legal obligation. A company may process personal information to comply with a European legal obligation imposed upon the company. So, for example, if a bank is required to report suspicious financial transactions to European government agencies charged with identifying money laundering, it is permitted to do so under the GDPR.
- Necessary to protect vital interests of a natural person. A company may process personal information to protect the “vital interests” of a person. So, for example, a company may collect the name of someone who has suffered an accident on their premises in order to assist them in getting medical care (g., the person has become unconscious due to an injury, and the company finds their name in a wallet).
- Processing is necessary for the performance of a task carried out in the public interest. A company may process personal information if the processing is necessary to perform a task that is in the “public interest.” As an example, a company may process personal information if it is retained by a European municipality to operate an emergency dispatch center.
- Processing is necessary for a legitimate interest pursued by a controller or a third party. A company may process personal information if the processing furthers a legitimate interest of the controller or a third party so long as the controller’s interest, or the interest of the third party, is not “overridden” by the interest or “fundamental rights and freedoms of the data subject which require protection of personal data.”
Some supervisory authorities have suggested that if a company uses publicly sourced data to train an AI (e.g., data scraped from the internet), the only plausible lawful purposes would be either (1) the consent of the individuals whose personal information is being provided or (2) the legitimate interest of the controller. Where training data is obtained from other sources (e.g., consumers directly) it is possible that other lawful purposes might apply.
 GDPR, Article 6(1)(a)-(f).
 GDPR, Article 6(1)(f).
 Garante Per La Protezione Dei Dati Personali, Provision of April 11, 2023 (English translation).