Purpose: To ensure that AI systems respect individuals' rights to privacy and data protection, that consent is appropriately managed, and that personal data is processed lawfully and securely.
| Organisational / Technical | Measure |
|---|---|
| A. Lawful, transparent, and informed data use | |
| ORG | The organisation clearly defines and documents the purposes for which personal data is processed |
| ORG | Individuals are informed in clear and accessible language about what data is collected and how it is used |
| ORG | Consent mechanisms are clearly separated so that individuals engage with them meaningfully |
| ORG | Individuals can refuse or withdraw consent without unjustified negative consequences |
| B. Data minimisation and protection | |
| BOTH | Only data necessary for the stated purpose is collected and processed |
| TECH | Technical measures are in place to protect data from unauthorised access, loss or misuse |
| ORG | Data retention periods are defined, documented and enforced |
| ORG | Sensitive data is subject to additional safeguards appropriate to the associated risk level |
| C. Rights, access and accountability | |
| ORG | Clear processes exist for individuals to exercise their data protection rights (e.g., access, correction, deletion) |
| BOTH | Responsibility for handling data protection issues and incidents |
| ORG | Data processing activities are documented to support accountability and audit review |
| ORG | Data protection practices are reviewed following incidents, complaints or regulatory changes |
Source: AIOLIA deliverable 3.1