GDPR Compliance for AI Systems: Complete Guide | Quiz

By Eyal Doron / December 6, 2025 / 1 minute of reading

1. Why does web scraping public data not eliminate GDPR obligations?
   1. Public availability does not establish lawful basis for processing personal data
   2. Only commercial scraping requires GDPR compliance
   3. Web scraping is exempt from GDPR under the research exception
   4. Public data automatically becomes anonymized data

WHY: Public availability does not mean unrestricted use – GDPR still requires lawful basis for processing personal data regardless of how it was obtained.
CONTEXT: The Clearview AI enforcement cases demonstrate that scraping publicly available images still violated GDPR.
REMEMBER: Public does not mean free to use.

2. Which phase of the AI lifecycle requires conducting Data Protection Impact Assessments for high-risk processing?
   1. Phase 3 – Deployment
   2. Phase 4 – Ongoing Operations
   3. Phase 2 – Model Development
   4. Phase 1 – Training Data

WHY: DPIAs must be conducted before model training begins when processing involves high-risk activities – which most AI on personal data qualifies as.
CONTEXT: Phase 1 training data is where lawful basis must be documented and risk assessments completed.
REMEMBER: Assess risks before you train.

3. What is the best approach when your organization claims their AI model is too complex to explain under GDPR?
   1. Apply for a GDPR exemption based on technical limitations
   2. Document that the model is too complex and proceed with automated decisions
   3. Provide technical documentation to satisfy the explanation requirement
   4. Implement explainability techniques or use more interpretable models for high-stakes decisions

WHY: Model complexity is not a valid GDPR defense – if decisions cannot be explained then automated decision-making may not be permitted.
CONTEXT: Organizations may need to implement explainability techniques or choose more interpretable model architectures for high-stakes decisions.
REMEMBER: If you cannot explain it – you may not be permitted to automate it.

4. Why is the right to erasure particularly challenging for AI systems?
   1. GDPR exempts AI models from erasure requirements
   2. Erasure only requires removing data from the training dataset
   3. Personal data becomes embedded in model weights making extraction technically difficult
   4. AI systems automatically comply with erasure requests through built-in features

WHY: Once personal data is mixed into model training – extracting one person's contribution is technically difficult – often requiring full model retraining.
CONTEXT: This is called the blended smoothie problem – data becomes embedded in model weights rather than stored in deletable records.
REMEMBER: Deleting from database does not equal deleting from model.

5. What rights do individuals have under GDPR Article 22 when subject to solely automated decisions with legal or significant effects?
   1. Right to human intervention – right to contest – and right to explanation
   2. Right to automatic compensation if the decision is wrong
   3. Only the right to be informed that AI made the decision
   4. Right to see the source code of the algorithm

WHY: Article 22 grants individuals the right to human intervention – the ability to contest decisions – and meaningful explanations of the decision logic.
CONTEXT: These protections apply to consequential automated decisions like credit scoring – hiring decisions – and insurance pricing.
REMEMBER: Human oversight is mandatory for high-stakes AI decisions.

6. Under GDPR Article 5 – what does the purpose limitation principle require for AI training data?
   1. Training data is exempt from purpose limitation if anonymized
   2. Purpose limitation only applies to data stored longer than 30 days
   3. Data collected for one purpose cannot be repurposed for AI training without additional justification
   4. Any data can be used for training as long as it improves the model

WHY: Purpose limitation means data collected for one purpose cannot be repurposed for AI training without additional legal justification.
CONTEXT: Customer data collected for service delivery does not automatically authorize using that data to train machine learning models.
REMEMBER: Original consent does not equal training consent.

7. What does GDPR define as personal data in the context of AI systems?
   1. Any information relating to an identified or identifiable person including behavioral patterns and inferences
   2. Data that has been anonymized through any method
   3. Technical data like IP addresses but not behavioral patterns
   4. Only names and email addresses stored in databases

WHY: GDPR defines personal data broadly to include any information relating to an identifiable person – including behavioral patterns and inferred traits.
CONTEXT: This broad definition means AI systems that make inferences about individuals are likely processing personal data even without obvious identifiers.
REMEMBER: If AI can identify or make inferences about someone – it is personal data.