GDPR Compliance for AI Systems: Complete Guide | Quiz
By Eyal Doron / December 6, 2025 / 1 minute of reading

Question 1 of 7. When does GDPR apply to a US company with no EU offices?
1. Only when it has a data processing agreement with an EU company
2. Only when it has servers physically located in the EU
3. Never; GDPR only applies to EU-based companies
4. When it processes personal data of EU residents
Correct answer: 4.
WHY: GDPR's territorial scope (Article 3) extends to any organization processing the personal data of people in the EU, regardless of where the organization is established. Article 3(2) catches a non-EU controller or processor whenever the processing relates to offering goods or services to data subjects in the Union or to monitoring their behaviour there.
CONTEXT: A US company training models on European customer data must comply with GDPR even without a physical EU presence.
REMEMBER: Processing EU personal data triggers GDPR, not your location.

Question 2 of 7. Which of the following is a valid approach to machine unlearning when an erasure request arrives?
1. Full retraining without the deleted data, machine unlearning techniques, or influence-function approximations
2. Waiting for automated model decay to remove the data's influence
3. Simply deleting the user's record from the database
4. Informing the user that erasure is not technically possible
Correct answer: 1.
WHY: Full retraining without the deleted data is effective but expensive; machine unlearning techniques approximate removal at lower cost; influence functions estimate how much a training example contributed to the model so that its contribution can be removed. Deleting the database record alone leaves that record's influence, and possibly a memorized copy of it, in the trained weights.
CONTEXT: All approaches have trade-offs; organizations must decide their methodology before requests arrive.
REMEMBER: Plan your unlearning approach before you need it.

Question 3 of 7. Your AI model has been shown to reproduce verbatim text from training data. Which GDPR challenge does this represent?
1. Model memorization creating privacy leakage risks
2. Automated decision-making restriction
3. Data minimization failure
4. Purpose limitation violation
Correct answer: 1.
WHY: Model memorization occurs when a model stores and can reproduce specific training examples, creating privacy leakage risks.
CONTEXT: Large language models and image models have been demonstrated to reproduce training data, so the personal data persists inside the model and can leak even after the source records have been deleted.
REMEMBER: Models can memorize and leak training data.

Question 4 of 7. What percentage of significant GDPR fines stem from inadequate documentation, according to enforcement analysis?
1. 92 percent
2. 45 percent
3. 67 percent
4. 78 percent
Correct answer: 1.
WHY: According to the enforcement analysis the quiz draws on, 92 percent of significant fines stem from inadequate documentation, making audit trails the primary defense.
CONTEXT: Documentation requirements span training data sources, processing activities, model decisions, and compliance procedures; the Article 30 records of processing activities are the baseline.
REMEMBER: Document everything; your records are your defense.

Question 5 of 7. A financial services company uses AI to automatically approve or deny loan applications. Which GDPR article most likely applies?
1. Article 25, Data protection by design and by default
2. Article 17, Right to erasure
3. Article 22, Automated individual decision-making
4. Article 5, Principles relating to processing of personal data
Correct answer: 3.
WHY: Article 22 restricts decisions based solely on automated processing that produce legal effects or similarly significantly affect the individual, and loan decisions clearly have significant financial and legal effects on applicants.
CONTEXT: Credit decisions are explicitly mentioned in GDPR guidance as triggering Article 22 protections; Recital 71 gives the automatic refusal of an online credit application as its example.
REMEMBER: High-stakes decisions need human oversight options.

Question 6 of 7. What does "meaningful information about the logic involved" require under GDPR transparency obligations?
1. Providing complete source code and model architecture
2. A statement that AI was involved in the decision
3. Understandable explanations of how decisions are made and what factors matter
4. Technical documentation of the neural network structure
Correct answer: 3.
WHY: Meaningful information (Articles 13(2)(f), 14(2)(g) and 15(1)(h)) means understandable explanations of how AI decisions are made and which factors matter, together with the significance and envisaged consequences of the processing, not technical implementation details.
CONTEXT: A loan applicant needs to understand why they were rejected, not review model architecture or source code.
REMEMBER: Explain the why, not the how of the code.

Question 7 of 7. What rights do individuals have under GDPR Article 22 when subject to solely automated decisions with legal or similarly significant effects?
1. Right to see the source code of the algorithm
2. Right to automatic compensation if the decision is wrong
3. Right to human intervention, right to contest, and right to explanation
4. Only the right to be informed that AI made the decision
Correct answer: 3.
WHY: Article 22(3) requires the controller to provide at least the right to obtain human intervention, to express one's point of view, and to contest the decision; the explanation of the decision logic follows from the transparency rights in Articles 13 to 15 and Recital 71.
CONTEXT: These protections apply to consequential automated decisions such as credit scoring, hiring decisions, and insurance pricing.
REMEMBER: Human oversight is mandatory for high-stakes AI decisions.
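A practical check for the memorization failure in question 3, added here as an illustration and not part of the original quiz or its author's material. It assumes the simplest detection approach, word-level n-gram comparison of model outputs against the training corpus: any output that repeats at least `min_tokens` consecutive training tokens is flagged, and each hit is extended to the longest contiguous copy so the report shows the whole leaked span and the record it came from. The training records, outputs and function names are constructed for the example.

```python
"""Flag model outputs that reproduce verbatim spans of training text.

Added example (hypothetical data and helper names); not code from the page.
"""
import re
from collections import defaultdict

# Constructed sample data: a fictional record and two fictional outputs.
TRAINING_DOCS = {
    "rec-4471": ("Patient record 4471: Maria Okafor was treated for type 2 "
                 "diabetes at the Lisbon clinic on 3 March 2021 and was "
                 "prescribed metformin 500 mg."),
    "faq-12": "Metformin is a common first-line medication for type 2 diabetes.",
}

MODEL_OUTPUTS = [
    # Verbatim copy of most of rec-4471 wrapped in a helpful-sounding reply.
    ("Sure! Here is an example discharge note: the patient was treated for "
     "type 2 diabetes at the Lisbon clinic on 3 March 2021 and was prescribed "
     "metformin 500 mg, then discharged."),
    # Benign: shares only short common phrases with the corpus.
    "Many patients with type 2 diabetes are prescribed metformin as a first-line treatment.",
    # Seven shared tokens, just under the default threshold.
    "He was treated for type 2 diabetes at a different clinic.",
]


def tokenize(text):
    """Lowercased word and punctuation tokens, so case changes cannot hide a copy."""
    return re.findall(r"\w+|[^\w\s]", text.lower())


def build_ngram_index(training_docs, n):
    """Map each n-gram in the corpus to the (doc_id, position) pairs where it occurs."""
    index = defaultdict(set)
    for doc_id, text in training_docs.items():
        toks = tokenize(text)
        for pos in range(len(toks) - n + 1):
            index[tuple(toks[pos:pos + n])].add((doc_id, pos))
    return index


def find_verbatim_leaks(training_docs, outputs, min_tokens=8):
    """Return one finding per maximal verbatim span of at least min_tokens tokens.

    A span is extended only while the same training record continues at the
    next position, so each finding is a genuinely contiguous copy rather than
    a collage of unrelated stock phrases.
    """
    n = min_tokens
    index = build_ngram_index(training_docs, n)
    findings = []
    for out_id, text in enumerate(outputs):
        toks = tokenize(text)
        i = 0
        while i <= len(toks) - n:
            hits = index.get(tuple(toks[i:i + n]))
            if not hits:
                i += 1
                continue
            sources = set(hits)
            j = i
            while j + 1 <= len(toks) - n:
                nxt = index.get(tuple(toks[j + 1:j + 1 + n]), set())
                continued = {(d, p + 1) for d, p in sources} & nxt
                if not continued:
                    break
                sources = continued
                j += 1
            span = toks[i:j + n]
            findings.append({
                "output": out_id,
                "sources": sorted({d for d, _ in sources}),
                "tokens": len(span),
                "text": " ".join(span),
            })
            i = j + n  # resume scanning after the copied span
    return findings


if __name__ == "__main__":
    for f in find_verbatim_leaks(TRAINING_DOCS, MODEL_OUTPUTS):
        print(f"output {f['output']}: {f['tokens']} tokens copied from "
              f"{f['sources']}: {f['text']!r}")
```

With the default threshold only the first output is reported (a 20-token copy of rec-4471); lowering `min_tokens` to 7 also catches the third output, which is why the threshold should be tuned against the corpus: too low and boilerplate such as license headers or form letters floods the report, too high and short identifiers such as a name plus address slip through. The check is necessary but not sufficient: it finds exact reproduction only, not paraphrased leaks or membership inference, so it belongs alongside the erasure and unlearning process from question 2, not in place of it.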