The GDPR allows individuals to request that their information be deleted in the following situations:[1]
The right of correction (sometimes called the “right of rectification”) refers to a person’s ability to request that an organization fix any inaccuracies in the personal data it holds about them.[1] Correction is sometimes referred to as an absolute right in the context of the GDPR, because unlike some other rights conferred by the
The right to access refers to a person’s ability to request that a controller confirms whether it has personal data about them and to receive information about the processing and a copy of that information. While the GDPR confers a right of access, this right predates the GDPR and can be found within other EU
Greenberg Traurig Shareholders Reena Bajowala and David Zetoony, Co-Chair of the firm’s U.S. Data Privacy & Cybersecurity Practice, will present the MyLawCLE and Federal Bar Association webinar, “Artificial Intelligence and Data Privacy: The current (and often hidden) United States and European framework for regulating AI,” Wednesday, Oct. 4 at 11 a.m. CT.
Not necessarily.
Under the GDPR, controllers are required to provide information relating to what personal data they process, and how that processing takes place.
If the personal data the organization includes in AI prompts has been collected directly from individuals, those individuals should be provided with a copy of the organization’s privacy notice “at the
Under the GDPR, controllers are required to provide individuals with information relating to what personal data is processed, and how that processing takes place. Some supervisory authorities have specifically taken the position that organizations which use personal data to train an artificial intelligence (AI) must draft and publish a privacy notice that provides “data subjects
Data is typically needed to train and fine-tune modern artificial intelligence (AI) models. AI can use data—including personal information—to recognize patterns and predict results.
The GDPR permits controllers to process personal information if one (or more) of the following six lawful processing purposes applies:[1]
Probably not.
Under the European GDPR, if the personal information that an organization is going to use as part of training an AI has been collected directly from individuals, then those individuals should be provided with a copy of the organization’s privacy notice “at the time when personal data are obtained.”[1] If the personal
Attorneys familiar with the European GDPR are acquainted with the bifurcation of the world into controllers and processors. For purposes of European data privacy, a “controller” refers to a company that either jointly or alone “determines the purposes and means” of how personal data will be processed.[1] A “processor” refers to a company (or
The term “data minimization” generally refers to two requirements within the GDPR: (1) a company should only collect and process personal data that is “necessary” in relation to its purpose, and (2) a company should keep data for “no longer than is necessary for [that] purpose[].”[1] Put differently, a company should only collect what