Zdravko Vukić, Director of the Croatian Personal Data Protection Agency and Vice-Chair of the European Data Protection Board (EDPB), participated in a professional panel discussion at the Privacy Symposium in Venice, where he addressed one of the most critical issues in the development and use of artificial intelligence—how to ensure the lawful processing of personal data throughout the entire lifecycle of AI systems.
He emphasized that, regardless of whether it is during the design, development, or deployment phase of AI, it is essential to identify a lawful basis for the processing of personal data. The principles laid down in Article 5 of the General Data Protection Regulation (GDPR)—including lawfulness, fairness, purpose limitation, and data minimization—fully apply to the processing of personal data in AI systems.
In his presentation, he specifically highlighted that data controllers wishing to rely on legitimate interest as a legal basis must conduct a structured three-part test to justify that interest.
This means controllers must demonstrate:
- That the interest is lawful, specific, and real, not speculative;
- That the processing of personal data is strictly necessary for achieving that interest;
- That the interest is not overridden by the fundamental rights and freedoms of data subjects.
In line with the principle of data minimization, during the development and deployment of AI models, personal data used must be adequate, relevant, and limited to what is necessary in relation to the purposes of processing. This may include the processing of personal data to reduce the risk of potential bias and errors, provided the purpose is clearly and precisely defined and the use of personal data is necessary to achieve it—e.g., where this cannot be effectively achieved by using other types of data, including synthetic or anonymised data.
The Agency strongly encourages the use of privacy-enhancing technologies (PETs), such as synthetic data, federated learning, and differential privacy. These tools are key mechanisms for reducing risks and ensuring compliance with data protection principles.
When assessing whether a purpose is legitimate, specific, and explicit—and whether the processing complies with the principle of data minimization—it is particularly important to consider that different stages within the AI development and deployment lifecycle may constitute the same or different processing activities, and may involve successive or joint controllers.
In some cases, the purpose of processing during deployment can already be defined in the early development phase. Even when this is not the case, the specific context of future use must be at least partially known, and that context should shape the development purpose.
When reviewing the purpose of processing at a certain development stage, the Agency will expect controllers to provide information on the type of AI model being developed, its expected functionalities, and all other relevant circumstances known at that stage.
The application context may include, for instance, whether the model is being developed for internal use, whether the controller plans to sell or distribute the model to third parties, and whether the model is intended primarily for research or commercial purposes.
Director Vukić concluded by stressing that lawful use of personal data in AI systems is crucial not only for safeguarding the right to privacy and personal data protection, but also for the protection of other fundamental rights. Unlawful processing can lead to violations of other fundamental rights, including the right to non-discrimination, freedom of expression, the right to a fair trial, and even the right to life.
The aim of data protection rules is not to hinder innovation, but to protect the rights and freedoms of all individuals, especially vulnerable groups and children, in a rapidly evolving digital environment.
- Panel discussion, Privacy Symposium: "GDPR and Generative AI After the EDPB Opinion and First Enforcement Actions"
- Zdravko Vukić, panel discussion, Privacy Symposium: "GDPR and Generative AI After the EDPB Opinion and First Enforcement Actions"