🟨 GDPR Flashcards

What does Article 22 of the GDPR protect against?

Decisions made solely by automated processing that significantly affect individuals.

➡ Article 22 gives individuals the right not to be subject to decisions made without human involvement when these decisions have legal or serious consequences, such as credit approval or hiring. It also grants the right to human review, explanation, and challenge of such decisions.

What are the conditions for valid consent under GDPR?

Freely given, specific, informed, and unambiguous.

➡ Valid consent must be actively and clearly given by the user, with full understanding of how their data will be used. This is crucial in AI systems that process sensitive or biometric data, especially in emotion recognition or profiling.

What is a Data Protection Impact Assessment (DPIA)?

A risk assessment required for high-risk data processing, such as in AI.

➡ DPIAs are mandatory when AI systems involve profiling, surveillance, or decisions affecting rights. They help organizations identify and reduce data protection risks before deploying technology.

List three rights of data subjects under the GDPR.

Right to access, rectification, and erasure.

➡ Individuals also have the right to data portability, restriction of processing, and objection to processing. These rights give people control over how their personal data is collected, stored, and used — particularly in automated systems.

Where does the GDPR apply?

In all EU/EEA countries and to any entity processing EU citizens’ personal data.

➡ The GDPR applies regardless of where the company is based — so long as they handle EU data (e.g. Meta, OpenAI, TikTok). It governs how personal data is processed, including by AI.

What is the main goal of the GDPR?

To protect personal data and privacy rights of individuals.

➡ It ensures that people have control over their data, sets strict rules for processing, and gives enforcement powers to data protection authorities.