The legality of processing personal data in the AI solution
In order for the processing of personal data to be lawful, the controller must always have a legal basis for such processing.
Article 6(1)(a–f) of the GDPR contains an exhaustive list of six alternative legal bases for the lawful processing of personal data.
Assessments of the legality of the processing of personal data in Ruter's AI solution are not part of this sandbox project. The discussions in the report therefore assume that Ruter has a legal basis for the associated processing activities.
However, the legal basis that Ruter selects will still influence what information they are obligated to provide.
Ruter plans to use consent (Article 6(1)(a)) as the legal basis. This applies both to the use of personal data to train the AI model, and to the use of the AI model on personal data during the usage phase.
One of the conditions for consent to be valid is that the consent is informed. It is therefore natural to further examine this requirement when we consider what information Ruter has to provide to customers who choose to consent to the processing of their personal data.
In addition to being informed, there are several other conditions that need to be met for consent to be valid. In this sandbox project, we have only taken a closer look at the requirements for informed consent.
Consent as a legal basis
Personal data can be lawfully processed based on consent when such consent is:
- freely given
- given by a clear affirmative act
- able to be documented
- possible to withdraw as easily as it was given
The duration of the consent will depend on what one has been asked to consent to. To avoid any doubt, the intended duration of the consent should be specified when such consent is requested. The data subjects should also be reminded at regular intervals that they have given consent and that this can be withdrawn.
Consent for special categories of personal data
Special categories of personal data are often referred to as sensitive personal data. This is data that requires extra protection, such as data relating to ethnic origin, religion, medical information, sexual orientation, etc. In principle, the processing of special categories of personal data is prohibited.
Exceptions to the prohibition can be made through explicit consent. Read more about what makes consent explicit in section 4 of the European Data Protection Board (EDPB) guidelines relating to consent.
However, an exception cannot be made in instances in which it is stipulated by law or regulation that the data subject cannot lift the prohibition.