
2.2 Data protection


Data protection law in the context of AI

Across four thematic sections, you will gain an overview of the key fundamentals of data protection law – particularly in the context of the use of Artificial Intelligence (AI) at higher education institutions. You will learn why data protection plays a central role, which general principles apply, how systems can be designed to comply with data protection regulations, and in which cases a data processing agreement is required.

 

Specific data protection challenges in AI

Artificial Intelligence (AI) often processes large amounts of data – including a significant amount of personal information. In the following, you will be given a concise overview of the key data protection requirements relating to AI systems and learn how these can be implemented in practice.


Challenges for higher education institutions

  • Processing of sensitive data: Higher education institutions often process sensitive data (e.g. health data, religious or philosophical affiliation) in the context of research projects or in the human resources department.
  • Learning analytics: The analysis of learning data to improve learning outcomes raises data protection issues, particularly regarding transparency and student consent.
  • AI-based monitoring systems: The use of AI to monitor students or staff (e.g. plagiarism detection, behavioural analysis) is particularly critical from a data protection perspective.
  • International data transfers: When collaborating with international partners, the rules governing the transfer of personal data to third countries must be observed.

 

Recommendations for higher education institutions

  • Inventory: Conducting a comprehensive inventory of all AI systems that process personal data
  • Legal review: Assessing the lawfulness of data processing for each AI system
  • Data Protection Impact Assessment (DPIA): Conducting a DPIA for AI systems that pose a high risk to the rights and freedoms of natural persons (Art. 35 GDPR)
  • Data protection policies: Development and implementation of data protection policies for the use of AI
  • Transparency information: Preparation of clear and comprehensible transparency information for data subjects
  • Consent: Obtaining consent where data processing is based on consent
  • Data processing agreements: Conclusion of data processing agreements with all service providers who process personal data on behalf of the institution (Art. 28 GDPR)
  • Data security measures: Implementation of appropriate technical and organisational measures for data security (e.g. encryption, access controls, data security policy)
  • Training: Conducting regular training for staff on data protection law
  • Data Protection Officer: Appointment of a Data Protection Officer (Art. 37 GDPR)
  • Additional note on the AI Regulation in a research context: The research exemption (Art. 2(6) and (8) AI Regulation) does not exempt organisations from compliance with data protection law.

 

💡 Learning Summary Chapter 2.2: Data protection

  • Data protection is central to the use of AI: AI systems frequently process personal or sensitive data. Higher education institutions must therefore consistently implement data protection principles such as data minimisation, purpose limitation, transparency and security.
  • Obligations under the GDPR: A data protection impact assessment (DPIA) is mandatory where high risks exist (e.g. in learning analytics or surveillance systems). Furthermore, consent (where data processing is based on consent), clear transparency information for data subjects and data processing agreements with service providers are legally required.
  • Institutional responsibility: Universities should develop data protection guidelines for AI, offer training and involve data protection officers. The research exemption in the AI Regulation does not exempt organisations from compliance with the GDPR.

 

Resources