Carl-Richard

Any lawyers/experts on data processing laws, GDPR and EU AI Act?

3 posts in this topic

I have a business question (or several) I would like some input on. Say "yes" and I'll dump it either in here or in PM maybe depending on if several people answer. Or I'll write it out in full in this post soon.


Intrinsic joy = being x meaning ²


I'm not a lawyer, but can you specify further the legal questions you want to explore.

1 hour ago, Joseph Maynor said:

I'm not a lawyer, but can you specify further the legal questions you want to explore.

I have coded a website where you can test your personality using AI (I have not made it public yet). You can choose between entering a social media profile or forum name / URL as a data source or typing or pasting your own text which the AI will use as a data source for determining your personality (and there are multiple test types you can choose from). You can then save the test results to a profile where you can view statistics like average test scores or test scores over time. You can then use saved tests as a data source for a meta-analysis test, where the AI can take multiple tests (across multiple test types) and deduce an overall pattern and new personality categories.

I've always intuited that there could be problems with this with respect to data processing laws, but I was still curious to see what it would look like even if I couldn't make it public for those reasons. But after learning about especially the EU AI Act that was passed in 2025, it looks like (to my cursory look) it's actually impossible to use AI in any fashion to deduce personality traits based on any form of personal data. Additionally, GDPR laws regarding profiling (again, according to my cursory look) would put the function of selecting existing data in jeopardy if that data is about someone who did not provide consent (which is highly doable in the current configuration).

So then the question is how much of the current functions do I have to strip before I can make it public (i.e. before it's GDPR and EU AI Act compliant)? Here are some suggested steps I would like feedback on:

  • Removing the social media / forum / web search function for acquiring data, keeping the typing or pasting your own text function -> Adds a layer of protection against profiling people who have not provided consent.
  • Making the typing or pasting function "type-only", such that you cannot paste text that you did not write yourself -> Adds yet another layer of protection against profiling people who have not provided consent.
  • Removing all AI functionalities on the website, replacing AI testing with multiple-choice tests, releasing new tests every week to allow for refining test results over time -> Seems to address EU AI Act issue of no AI for personality analyses and further reduces possibility of non-consensual profiling. Can still use AI to generate new tests, as analysis of test results is done through non-AI site software.
  • Adding back in meta-analyses; if the current interpretation of the EU AI Act does not apply, performing AI-powered meta-analyses on aggregated multiple-choice tests does not meaningfully impact non-consenting individuals and would thus be GDPR compliant with respect to that profiling law.

So I'm wondering whether I'm interpreting the laws correctly and whether I have identified a possible solution. If I wrote nothing comprehensible it's because I have caught some kind of COVID virus👍👌

Edited by Carl-Richard

