Explore how artificial intelligence is transforming the fashion and luxury industry, from generative design and personalized shopping to compliance with the EU AI Act and Italian AI Law. Learn about key applications, legal challenges, and strategies for responsible AI adoption.

By Laura Zolla, Pietro Minaudo, Marta Margiocco, Edoardo D'Ippolito

4. The relationship between AI and personal data protection

The development and use of AI technologies are deeply connected with the processing of personal data, making it essential to coordinate the provisions of the AI Act and the national AI Law with those of Regulation (EU) 2016/679, the General Data Protection Regulation (GDPR), and national legislation on personal data protection. The AI Act itself, in Recital 9, emphasises the “relationship of complementarity” between the AI Act and the GDPR, referring to its concepts and definitions on several occasions.

Any processing of personal data in any way connected to an AI system must comply with the principles of lawfulness, fairness, transparency, data minimisation, accuracy, storage limitation, integrity and confidentiality set out in Article 5 GDPR. 

Article 4 of the AI Law likewise underlines that the use of AI systems must ensure the lawful, fair and transparent processing of personal data, and that information relating to such processing must be clear and simple, so as to guarantee awareness of the risks and the right to object.

Attributing privacy roles may be particularly complex. This means identifying the entities acting as data controller (that is, according to Article 4(7) GDPR, the entity which “determines the purposes and means of the processing”) and data processor (that is, according to Article 4(8) GDPR, the entity which “processes personal data on behalf of the controller”), and allocating the related responsibilities among the various actors identified by the AI Act. This assessment can only be carried out with reference to the specific AI system.

The GDPR requires that any personal data processing carried out by means of AI systems be based on one of the lawful grounds provided, including the freely given, specific, informed and revocable consent of data subjects, the performance of a contract, compliance with a legal obligation or the legitimate interest of the controller, provided this is balanced against individuals’ fundamental rights. Transparency plays a key role in the relationship between the company and the data subject: clear and easily accessible information must be provided explaining the nature of the processing, its purposes, the parties involved and the rights that can be exercised, as well as the way in which the AI system operates, especially where it affects user profiling.

Profiling, which is typical of many AI applications in marketing and customer experience, entails specific risks and requires particular caution: where processing may give rise to legal effects or similarly significantly affect individuals (for example, in decisions relating to personalised offers or VIP client management), the company must ensure the possibility of human intervention and the right to challenge automated decisions. Article 22 GDPR indeed establishes the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects or similarly significantly affects the person, save for clearly defined exceptions and subject to the adoption of appropriate safeguards.
