Last review date: 17 December 2024
Yes.
The restrictions or requirements are as follows:
- qualified right not to be subject to a decision based solely on automated decision making, including profiling – for example, only applicable if the decision produces legal effects concerning them or similarly significantly affects them
- right to information / transparency requirement
- right to request human review of the automated decision making
- other
Decision of the Court of Justice of the European Union dated 7 December 2023 (C‑634/21) ruling that "Article 22(1) of the GDPR must be interpreted as meaning that the automated establishment, by a credit information agency, of a probability value based on personal data relating to a person and concerning his or her ability to meet payment commitments in the future constitutes ‘automated individual decision-making’ within the meaning of that provision, where a third party, to which that probability value is transmitted, draws strongly on that probability value to establish, implement or terminate a contractual relationship with that person".
Last review date: 17 December 2024
Yes.
The exceptions are as follows:
If the decision:
- is necessary for entering into, or performance of, a contract between the data subject and a data controller
- is authorized by Union or Member State law to which the controller is subject and which also lays down suitable measures to safeguard the data subject's rights and freedoms and legitimate interests, or
- is based on the data subject's explicit consent
Pursuant to Sec. 37 of the Federal Data Protection Act, if the decision is made in the context of providing services pursuant to an insurance contract and:
- the request of the data subject was fulfilled; or
- the decision is based on the application of binding rules of remuneration for therapeutic treatment and the controller takes suitable measures, in the event that the request is not granted in full, to safeguard the data subject's legitimate interest, at least the right to obtain human intervention on the part of the controller, to express his or her point of view and to contest the decision; the controller shall inform the data subject of these rights no later than the notification indicating that the data subject's request will not be granted in full.
The decisions pursuant to Sec. 37 of the Federal Data Protection Act may be based on the processing of health data as referred to in Art. 4 No. 15 GDPR.
Last review date: 17 December 2024
Please refer to the EU Chapter for detailed information regarding EU-wide legislation.
Yes
For example (all in German only):
- Data Protection Authority of Baden-Württemberg, discussion paper on legal bases in data protection for the use of artificial intelligence (November 2023, updated October 2024)
- German data protection authorities (DSK), guidance on artificial intelligence and data protection (May 6, 2024 20240506_DSK_Orientierungshilfe_KI_und_Datenschutz.pdf)
- Bavarian Data Protection Authority, checklist AI with criteria pursuant to the GDPR (https://www.lda.bayern.de/media/ki_checkliste.pdf)
- Data Protection Authority of Hamburg, checklist for the use of LLM-based chatbots (on November 13, 2023 https://datenschutz-hamburg.de/news/checkliste-zum-einsatz-llm-basierter-chatbots) and discussion paper: large language models and personal data (July 15, 2024)
- DSK position paper on recommended technical and organizational measures in development and operation of AI systems (November 2019)
- Hambacher Declaration on Artificial Intelligence (April 2019)
- Data Protection Authority of Hamburg, impact of the Schufa ruling on AI applications (December 2023)
Last review date: 17 December 2024
- Enforcement activity against AI developer(s)
- Enforcement activity against AI user(s)/deployer(s)
- Enforcement activity under existing privacy law
Last review date: 17 December 2024
Please refer to the EU Chapter for detailed information regarding EU-wide legislation.
Yes, laws in force, although not specifically focusing on artificial intelligence