Add: EDPB Opinion 28/2024 on AI Models and GDPR#21
Merged
carloshvp merged 1 commit intoMay 18, 2026
Conversation
Member
|
Thanks for the contribution @2digitsleft. This is a high-quality official source and the placement under Data Protection Authorities makes sense. CI is green, so I’m merging this now. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Adds EDPB Opinion 28/2024 on data protection aspects of AI models, and creates a new "Data Protection Authorities" subsection under "Standards & Frameworks" to house it.
What it is: Opinion 28/2024, adopted 17 December 2024 by the European Data Protection Board at the request of the Irish Data Protection Commission. Covers three core questions: (1) when an AI model trained on personal data can be considered anonymous, (2) when legitimate interest can serve as a legal basis for training or deploying AI models, and (3) consequences of training a model on unlawfully processed personal data. The most authoritative EU-wide position on the AI Act / GDPR intersection to date.
Why it belongs: The list's "Related EU Regulations" section already flags GDPR as intersecting with the AI Act (Article 10 data governance), but no actual DPA guidance is currently included anywhere. Opinion 28/2024 is the most-cited document at this intersection — referenced in virtually every major law-firm guide on the list. The AI Act's data governance obligations cannot be operationalised without DPA guidance, so the gap is real.
On the new subsection: I propose
### Data Protection Authoritiesunder## Standards & Frameworks(between ENISA Cybersecurity and OECD & International). DPA guidance is functionally a parallel governance layer to the standards bodies already in this section. If you'd prefer a different home — e.g., folding it into an existing subsection or placing it elsewhere entirely — happy to revise. One follow-up PR is planned for this subsection (the EDPB AI topic page as a living index), so two entries to start.Checklist: