Carl-Richard

Any lawyers/experts on data processing laws, GDPR and EU AI Act?

9 posts in this topic

I have a business question (or several) I would like some input on. Say "yes" and I'll dump it either in here or in PM maybe depending on if several people answer. Or I'll write it out in full in this post soon.


Intrinsic joy = being x meaning ²

23 hours ago, Joseph Maynor said:

I'm not a lawyer, but can you specify further the legal questions you want to explore.

I have coded a website where you can test your personality using AI (I have not made it public yet). You can choose between entering a social media profile or forum name / URL as a data source or typing or pasting your own text which the AI will use as a data source for determining your personality (and there are multiple test types you can choose from). You can then save the test results to a profile where you can view statistics like average test scores or test scores over time. You can then use saved tests as a data source for a meta-analysis test, where the AI can take multiple tests (across multiple test types) and deduce an overall pattern and new personality categories.

I've always intuited that there could be problems with this with respect to data processing laws, but I was still curious to see what it would look like even if I couldn't make it public for those reasons. But after learning about especially the EU AI Act that was passed in 2025, it looks like (to my cursory look) it's actually impossible to use AI in any fashion to deduce personality traits based on any form of personal data. Additionally, GDPR laws regarding profiling (again, according to my cursory look) would put the function of selecting existing data in jeopardy if that data is about someone who did not provide consent (which is highly doable in the current configuration).

So then the question is how much of the current functions do I have to strip before I can make it public (i.e. before it's GDPR and EU AI Act compliant)? Here are some suggested steps I would like feedback on:

  • Removing the social media / forum / web search function for acquiring data, keeping the typing or pasting your own text function -> Adds a layer of protection against profiling people who have not provided consent.
  • Making the typing or pasting function "type-only", such that you cannot paste text that you did not write yourself -> Adds yet another layer of protection against profiling people who have not provided consent.
  • Removing all AI functionalities on the website, replacing AI testing with multiple-choice tests, releasing new tests every week to allow for refining test results over time -> Seems to address EU AI Act issue of no AI for personality analyses and further reduces possibility of non-consensual profiling. Can still use AI to generate new tests, as analysis of test results is done through non-AI site software.
  • Adding back in meta-analyses; if the current interpretation of the EU AI Act does not apply, performing AI-powered meta-analyses on aggregated multiple-choice tests does not meaningfully impact non-consenting individuals and would thus be GDPR compliant with respect to that profiling law.

So I'm wondering whether I'm interpreting the laws correctly and whether I have identified a possible solution. If I wrote nothing comprehensible it's because I have caught some kind of COVID virus👍👌

Edited by Carl-Richard

29 minutes ago, Joseph Maynor said:

Have you run some of this through AI?

Yes, but it doesn't give definitive answers, and to the extent that it does, I don't trust it (because I've asked it similar questions before and it seemingly didn't even know about the EU AI Act, which is maybe understandable since it's new).

Edited by Carl-Richard

5 minutes ago, Carl-Richard said:

Yes, but it doesn't give definitive answers, and to the extent that it does, I don't trust it (because I've asked it similar questions before and it seemingly didn't even know about the EU AI Act, which is maybe understandable since it's new).

Which AI do you use?

22 minutes ago, Joseph Maynor said:

Which AI do you use?

ChatGPT (Plus membership) :) Always longer answers.


15 minutes ago, Carl-Richard said:

ChatGPT (Plus membership) :) Always longer answers.

Here is what Claude Sonnet 4.6 on max effort had to say (after it double checked everything)

Good. Let me look at things I haven't checked yet or checked insufficiently — specifically the AI Act's transparency obligations, whether your app could qualify as high-risk under Annex III, the DPIA requirement, and the provider vs. deployer distinction which I haven't analyzed at all.

Good — I've now read three things I hadn't properly checked before: the full Annex III high-risk list directly from the EU Commission's AI Act Service Desk; Article 50 (transparency obligations) in full from the same source; and GDPR Article 35 (DPIA) from gdpr-info.eu. These reveal genuine gaps in my previous two answers. Here is a complete, corrected account.

What's New: Three Things I Missed Entirely

1. Article 50 — Transparency Obligations (completely overlooked)

This is the most important omission from my previous answers. In both my first and second responses, I didn't mention Article 50 at all, despite it being directly applicable to your app.

Article 50(1) states: "Providers shall ensure that AI systems intended to interact directly with natural persons are designed and developed in such a way that the natural persons concerned are informed that they are interacting with an AI system, unless this is obvious from the point of view of a natural person who is reasonably well-informed, observant and circumspect."

Article 50(2) additionally requires that providers of AI systems generating synthetic text content ensure that the outputs are marked in a machine-readable format and detectable as artificially generated. The information must be provided to the natural persons concerned in a clear and distinguishable manner at the latest at the time of the first interaction or exposure.

Your personality test app has an AI system that interacts with users and generates text output (the personality analysis). Both obligations apply. The Article 50(1) disclosure — telling the user they're interacting with AI — may seem trivial for an AI personality test (it's presumably obvious), but the Article 50(2) machine-readable labelling of AI-generated text is a technical requirement you need to implement, not just a disclosure notice.

Timing note: Article 50 sits in Chapter IV of the AI Act, which unlike the Article 5 prohibitions (which became applicable February 2025), became fully applicable from August 2, 2026. Since you haven't launched yet, you have the obligation to implement this from day one of going public, but you're not retroactively in violation.

2. Provider vs. Deployer — A Distinction I Never Analyzed

This is important and I skipped over it in both previous answers. Under the AI Act, there is a meaningful difference between a provider (who develops an AI system and places it on the market) and a deployer (who uses an AI system under their authority for professional purposes).

If your app uses standard AI APIs — say, you integrate Claude via API to generate personality analyses — Google/Anthropic is the provider of that underlying model, and you are the deployer of that model. However, you are simultaneously the provider of your own AI-powered personality testing system, which you are placing on the market.

This matters because provider and deployer obligations are different. As a deployer of Claude or another underlying AI, you cannot outsource your regulatory responsibilities to the AI vendor. The AI Act explicitly places obligations on both providers and deployers. As the provider of your own system built on top of that model, you carry the heavier compliance obligations — including the Article 50 transparency requirements described above, and responsibility for ensuring your system does not result in a prohibited practice. As the deployer of the underlying AI model, you are responsible for using it within its intended purpose and in a lawful way.

In practice: you are wearing both hats simultaneously, and need to comply with both sets of obligations.

3. GDPR Article 35 — Data Protection Impact Assessment (DPIA)

Also completely absent from my previous answers. Article 35(1) requires that where a type of processing, in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall, prior to the processing, carry out a DPIA.

A DPIA is specifically required in the case of: (a) a systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated processing, including profiling; (b) processing on a large scale of special categories of data referred to in Article 9(1).

Your app does automated profiling of personal aspects (personality traits) using new technology (AI), at potentially large scale. If any of your tests produce outputs that touch on Article 9 special categories — health (e.g. mental health indicators), political opinions, religious beliefs — a DPIA is not optional, it's mandatory before you go public. Even for ordinary personality traits, the combination of new technology, systematic automated evaluation, and a public-facing product puts you squarely in the zone where supervisory authorities typically require a DPIA. This must be done before you launch.

What My Previous Answers Got Right (Confirmed from Primary Sources)

Annex III (high-risk AI systems): I said in my first answer that you should check this, but didn't verify it. Having now read the actual Annex III text, a pure voluntary consumer self-assessment personality app does not fall under any of the eight listed categories — biometrics, critical infrastructure, education admissions, employment decisions, essential services (credit, insurance), law enforcement, migration, or justice. The closest categories would be education (3a-3d) and employment (4a-4b), but those explicitly require the AI system to be intended to determine access, assign people to institutions, make hiring decisions, or evaluate work performance. A self-facing consumer personality quiz doesn't meet that bar, as long as the intended purpose is self-knowledge and not employment screening or educational assessment. If you market it in a way that suggests it could be used for those purposes, the analysis changes.

Article 5(1)(c) social scoring: Confirmed from the official Commission Guidelines. The three cumulative conditions are required simultaneously, and the detriment condition still protects a voluntary self-facing tool from the prohibition — but the temporal condition (data collected "over a period of time") is genuinely engaged by your saved-tests and meta-analysis feature. This is a live consideration, not a dead one.

Article 5(1)(f) emotion recognition and 5(1)(g) biometric categorization: Confirmed not applicable. Text analysis does not use biometric data.

Social media scraping must go: Confirmed. No lawful GDPR basis for processing third parties' data without their consent.

GDPR Article 22: Confirmed — not triggered by a voluntary self-facing personality quiz with no legally significant downstream decision.

GDPR Article 9 (special category data): Confirmed — explicit consent required if tests could infer health, political opinions, or other Article 9 categories.

"Type-only" UI restriction: Confirmed as legally meaningless as a compliance mechanism.

The Complete Picture Now

Putting all three rounds of checking together, here is the full map:

AI Act obligations for your app (assuming you use an AI API and deploy it publicly to EU users):

As provider of the personality testing system: Article 50(1) — disclose to users they're interacting with AI at first interaction. Article 50(2) — ensure AI-generated text outputs are marked in machine-readable format as artificially generated. Neither of these is very onerous in practice — a clear disclosure banner and technical metadata tagging — but they are legally required from launch.

Article 5 prohibited practices: Your app as described (voluntary, self-facing, no downstream detriment) does not trigger any prohibition, provided: you remove social media scraping; the intended purpose is explicitly self-knowledge only (not employment or education screening); and you don't market it in ways that invite the social scoring temporal-and-detriment analysis.

Not high-risk under Annex III: Confirmed — for a pure consumer self-assessment tool with no employment, education, or essential-services purpose.


GDPR obligations you must handle before launch:

A DPIA is required under Article 35 before you go public, given automated profiling using new technologies. This needs to document what data you process, what risks exist, and what mitigations are in place. Most national supervisory authorities publish lists of processing operations that require DPIAs, and AI-powered personality profiling is on most of them.

Lawful basis under Article 6: For a consent-based service where users voluntarily submit their own text, consent (Article 6(1)(a)) is your most natural lawful basis. You need a proper consent mechanism — not a buried terms-of-service click, but a specific, informed, granular consent that describes what the AI will do with the text.

Article 9 explicit consent: Separately required for any processing that may infer or reveal special category data. This needs to be a distinct, specific consent, separate from general terms of service.

Data subject rights infrastructure: Right of access, right to erasure, right to rectification — all apply to saved test results and profiles. Users must be able to request deletion of their entire profile and test history.

Article 13 privacy notice: Required at point of data collection — what data is processed, for what purpose, retained for how long, with whom shared (including the AI model provider), and what rights the user has.

In short: your app is not as legally impossible as you initially feared, but it requires real infrastructure — a DPIA, a proper privacy notice, granular consent flows, Article 50 AI disclosures, and data subject rights mechanisms — before it can legally go public. The removal of social media scraping remains the only straightforwardly non-negotiable content change. Everything else is solvable with proper legal scaffolding and, ideally, a consultation with a GDPR/AI Act-experienced data protection lawyer before launch.


Edited by zurew

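The quoted answer ends with a list of "legal scaffolding" the site would need before launch: a specific Article 6 consent, a separate explicit Article 9 consent, machine-readable marking of AI-generated output with a disclosure, and access and erasure over saved tests and profiles. The sketch below shows how those pieces fit together in code. It is an added example for this thread, not code from Carl-Richard's site or from any project mentioned here. `fake_analyzer` stands in for the AI model call, the `SPECIAL_CATEGORY_TESTS` classification is constructed, and the marker field names (`ai_generated`, `generator`, `generated_at`) are this example's own, not a named marking standard; the service also deliberately stores only the marked output, never the submitted text.

```python
"""Consent gate, AI-output marking and data-subject-rights layer for a
self-assessment personality app. Added example; all names are assumptions."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Callable, Dict, List, Optional
import uuid


@dataclass
class Consent:
    # Two separate, specific consents: ordinary profiling of text the user
    # submitted about themselves (Art. 6(1)(a)), and the distinct explicit
    # consent needed when a test may infer special-category data (Art. 9(2)(a)).
    profiling: bool = False
    special_category: bool = False
    recorded_at: Optional[str] = None


@dataclass
class TestResult:
    test_id: str
    test_type: str
    created_at: str
    output: dict  # model output wrapped with a machine-readable marker


@dataclass
class Profile:
    user_id: str
    consent: Consent = field(default_factory=Consent)
    tests: List[TestResult] = field(default_factory=list)


class ConsentRequired(Exception):
    """Raised when a test is requested without the consent(s) it needs."""


# Test types the operator has classified as able to infer Article 9 data.
# Constructed for the example; a real app decides this per test.
SPECIAL_CATEGORY_TESTS = {"wellbeing"}

AI_DISCLOSURE = "This analysis was generated by an AI system, not by a person."

Analyzer = Callable[[str, str], dict]


def fake_analyzer(text: str, test_type: str) -> dict:
    """Stand-in for the AI model call (assumption: the real app calls an LLM API)."""
    words = text.split()
    return {"test_type": test_type, "word_count": len(words),
            "dominant_trait": "reflective" if "think" in text.lower() else "neutral"}


def mark_ai_output(content: dict, generator: str) -> dict:
    """Wrap model output in a machine-readable marker plus a human-readable
    disclosure. Field names are this example's own, not a named standard."""
    return {
        "ai_generated": True,
        "generator": generator,
        "generated_at": datetime.now(timezone.utc).isoformat(),
        "disclosure": AI_DISCLOSURE,
        "content": content,
    }


class PersonalityService:
    def __init__(self, analyzer: Analyzer, generator_name: str = "example-model"):
        self._profiles: Dict[str, Profile] = {}
        self._analyzer = analyzer
        self._generator = generator_name

    def register(self, user_id: str) -> None:
        self._profiles[user_id] = Profile(user_id=user_id)

    def has_profile(self, user_id: str) -> bool:
        return user_id in self._profiles

    def record_consent(self, user_id: str, profiling: bool, special_category: bool) -> Consent:
        consent = Consent(profiling, special_category, datetime.now(timezone.utc).isoformat())
        self._profiles[user_id].consent = consent
        return consent

    def missing_consents(self, user_id: str, test_type: str) -> List[str]:
        """Which consents a test still lacks; an empty list means it may run."""
        consent = self._profiles[user_id].consent
        missing = []
        if not consent.profiling:
            missing.append("profiling")
        if test_type in SPECIAL_CATEGORY_TESTS and not consent.special_category:
            missing.append("special_category")
        return missing

    def run_test(self, user_id: str, test_type: str, text: str) -> TestResult:
        missing = self.missing_consents(user_id, test_type)
        if missing:
            raise ConsentRequired(missing)
        # Only the marked output is kept; the submitted text is not retained.
        result = TestResult(
            test_id=str(uuid.uuid4()), test_type=test_type,
            created_at=datetime.now(timezone.utc).isoformat(),
            output=mark_ai_output(self._analyzer(text, test_type), self._generator))
        self._profiles[user_id].tests.append(result)
        return result

    def export(self, user_id: str) -> dict:
        """Right of access: everything held about the user, in one structure."""
        profile = self._profiles[user_id]
        return {"user_id": profile.user_id, "consent": vars(profile.consent),
                "tests": [vars(t) for t in profile.tests]}

    def erase(self, user_id: str) -> int:
        """Right to erasure: drop the profile and all saved tests; returns count removed."""
        profile = self._profiles.pop(user_id, None)
        return 0 if profile is None else len(profile.tests)
```

The point of `missing_consents` being a separate method is that the same check can drive the UI (which consent screen to show) and the server-side gate, so a request that skips the consent screen is still refused. `erase` removes the profile together with its whole test history in one step, which is what the quoted answer says users must be able to request.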
55 minutes ago, zurew said:

Here is what Claude Sonnet 4.6 on max effort had to say (after it double checked everything)


Does the AI consider that even if you remove social media scraping but keep the text field function, you can paste text from an online profile of a non-consenting person and thus perform a non-consenting profiling of that person?

Thanks for running it by the way.


