Carl-Richard

Any lawyers/experts on data processing laws, GDPR and EU AI Act?

11 posts in this topic

I have a business question (or several) I would like some input on. Say "yes" and I'll dump it either in here or in PM, maybe depending on whether several people answer. Or I'll write it out in full in this post soon.


Intrinsic joy = being x meaning ²

23 hours ago, Joseph Maynor said:

I'm not a lawyer, but can you specify further the legal questions you want to explore.

I have coded a website where you can test your personality using AI (I have not made it public yet). You can choose between entering a social media profile or forum name / URL as a data source or typing or pasting your own text which the AI will use as a data source for determining your personality (and there are multiple test types you can choose from). You can then save the test results to a profile where you can view statistics like average test scores or test scores over time. You can then use saved tests as a data source for a meta-analysis test, where the AI can take multiple tests (across multiple test types) and deduce an overall pattern and new personality categories.

I've always intuited that there could be problems with this with respect to data processing laws, but I was still curious to see what it would look like even if I couldn't make it public for those reasons. But after learning about especially the EU AI Act that was passed in 2025, it looks like (to my cursory look) it's actually impossible to use AI in any fashion to deduce personality traits based on any form of personal data. Additionally, GDPR laws regarding profiling (again, according to my cursory look) would put the function of selecting existing data in jeopardy if that data is about someone who did not provide consent (which is highly doable in the current configuration).

So then the question is how much of the current functions do I have to strip before I can make it public (i.e. before it's GDPR and EU AI Act compliant)? Here are some suggested steps I would like feedback on:

  • Removing the social media / forum / web search function for acquiring data, keeping the typing or pasting your own text function -> Adds a layer of protection against profiling people who have not provided consent.
  • Making the typing or pasting function "type-only", such that you cannot paste text that you did not write yourself -> Adds yet another layer of protection against profiling people who have not provided consent.
  • Removing all AI functionalities on the website, replacing AI testing with multiple-choice tests, releasing new tests every week to allow for refining test results over time -> Seems to address the EU AI Act issue of no AI for personality analyses and further reduces the possibility of non-consensual profiling. Can still use AI to generate new tests, as analysis of test results is done through non-AI site software.
  • Adding back in meta-analyses; if the current interpretation of the EU AI Act does not apply, performing AI-powered meta-analyses on aggregated multiple-choice tests does not meaningfully impact non-consenting individuals and would thus be GDPR compliant with respect to that profiling law.

So I'm wondering whether I'm interpreting the laws correctly and whether I have identified a possible solution. If I wrote nothing comprehensible, it's because I have caught some kind of COVID virus 👍👌

29 minutes ago, Joseph Maynor said:

Have you run some of this through AI?

Yes, but it doesn't give definitive answers, and to the extent that it does, I don't trust it (because I've asked it similar questions before and it seemingly didn't even know about the EU AI Act, which is maybe understandable since it's new).

5 minutes ago, Carl-Richard said:

Yes, but it doesn't give definitive answers, and to the extent that it does, I don't trust it (because I've asked it similar questions before and it seemingly didn't even know about the EU AI Act, which is maybe understandable since it's new).

Which AI do you use?

22 minutes ago, Joseph Maynor said:

Which AI do you use?

ChatGPT (Plus membership) :) Always longer answers.

15 minutes ago, Carl-Richard said:

ChatGPT (Plus membership) :) Always longer answers.

Here is what Claude Sonnet 4.6 on max effort had to say (after it double-checked everything):


Good. Let me look at things I haven't checked yet or checked insufficiently — specifically the AI Act's transparency obligations, whether your app could qualify as high-risk under Annex III, the DPIA requirement, and the provider vs. deployer distinction which I haven't analyzed at all.

Good — I've now read three things I hadn't properly checked before: the full Annex III high-risk list directly from the EU Commission's AI Act Service Desk; Article 50 (transparency obligations) in full from the same source; and GDPR Article 35 (DPIA) from gdpr-info.eu. These reveal genuine gaps in my previous two answers. Here is a complete, corrected account.

What's New: Three Things I Missed Entirely

1. Article 50 — Transparency Obligations (completely overlooked)

This is the most important omission from my previous answers. In both my first and second responses, I didn't mention Article 50 at all, despite it being directly applicable to your app.

Article 50(1) states: "Providers shall ensure that AI systems intended to interact directly with natural persons are designed and developed in such a way that the natural persons concerned are informed that they are interacting with an AI system, unless this is obvious from the point of view of a natural person who is reasonably well-informed, observant and circumspect."

Article 50(2) additionally requires that providers of AI systems generating synthetic text content ensure that the outputs are marked in a machine-readable format and detectable as artificially generated. The information must be provided to the natural persons concerned in a clear and distinguishable manner at the latest at the time of the first interaction or exposure.

Your personality test app has an AI system that interacts with users and generates text output (the personality analysis). Both obligations apply. The Article 50(1) disclosure — telling the user they're interacting with AI — may seem trivial for an AI personality test (it's presumably obvious), but the Article 50(2) machine-readable labelling of AI-generated text is a technical requirement you need to implement, not just a disclosure notice.

Timing note: Article 50 sits in Chapter IV of the AI Act, which unlike the Article 5 prohibitions (which became applicable February 2025), became fully applicable from August 2, 2026. Since you haven't launched yet, you have the obligation to implement this from day one of going public, but you're not retroactively in violation.

2. Provider vs. Deployer — A Distinction I Never Analyzed

This is important and I skipped over it in both previous answers. Under the AI Act, there is a meaningful difference between a provider (who develops an AI system and places it on the market) and a deployer (who uses an AI system under their authority for professional purposes).

If your app uses standard AI APIs — say, you integrate Claude via API to generate personality analyses — Google/Anthropic is the provider of that underlying model, and you are the deployer of that model. However, you are simultaneously the provider of your own AI-powered personality testing system, which you are placing on the market.

This matters because provider and deployer obligations are different. As a deployer of Claude or another underlying AI, you cannot outsource your regulatory responsibilities to the AI vendor. The AI Act explicitly places obligations on both providers and deployers. As the provider of your own system built on top of that model, you carry the heavier compliance obligations — including the Article 50 transparency requirements described above, and responsibility for ensuring your system does not result in a prohibited practice. As the deployer of the underlying AI model, you are responsible for using it within its intended purpose and in a lawful way.

In practice: you are wearing both hats simultaneously, and need to comply with both sets of obligations.

3. GDPR Article 35 — Data Protection Impact Assessment (DPIA)

Also completely absent from my previous answers. Article 35(1) requires that where a type of processing, in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall, prior to the processing, carry out a DPIA.

A DPIA is specifically required in the case of: (a) a systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated processing, including profiling; (b) processing on a large scale of special categories of data referred to in Article 9(1).

Your app does automated profiling of personal aspects (personality traits) using new technology (AI), at potentially large scale. If any of your tests produce outputs that touch on Article 9 special categories — health (e.g. mental health indicators), political opinions, religious beliefs — a DPIA is not optional, it's mandatory before you go public. Even for ordinary personality traits, the combination of new technology, systematic automated evaluation, and a public-facing product puts you squarely in the zone where supervisory authorities typically require a DPIA. This must be done before you launch.

What My Previous Answers Got Right (Confirmed from Primary Sources)

Annex III (high-risk AI systems): I said in my first answer that you should check this, but didn't verify it. Having now read the actual Annex III text, a pure voluntary consumer self-assessment personality app does not fall under any of the eight listed categories — biometrics, critical infrastructure, education admissions, employment decisions, essential services (credit, insurance), law enforcement, migration, or justice. The closest categories would be education (3a-3d) and employment (4a-4b), but those explicitly require the AI system to be intended to determine access, assign people to institutions, make hiring decisions, or evaluate work performance. A self-facing consumer personality quiz doesn't meet that bar, as long as the intended purpose is self-knowledge and not employment screening or educational assessment. If you market it in a way that suggests it could be used for those purposes, the analysis changes.

Article 5(1)(c) social scoring: Confirmed from the official Commission Guidelines. The three cumulative conditions are required simultaneously, and the detriment condition still protects a voluntary self-facing tool from the prohibition — but the temporal condition (data collected "over a period of time") is genuinely engaged by your saved-tests and meta-analysis feature. This is a live consideration, not a dead one.

Article 5(1)(f) emotion recognition and 5(1)(g) biometric categorization: Confirmed not applicable. Text analysis does not use biometric data.

Social media scraping must go: Confirmed. No lawful GDPR basis for processing third parties' data without their consent.

GDPR Article 22: Confirmed — not triggered by a voluntary self-facing personality quiz with no legally significant downstream decision.

GDPR Article 9 (special category data): Confirmed — explicit consent required if tests could infer health, political opinions, or other Article 9 categories.

"Type-only" UI restriction: Confirmed as legally meaningless as a compliance mechanism.

The Complete Picture Now

Putting all three rounds of checking together, here is the full map:

AI Act obligations for your app (assuming you use an AI API and deploy it publicly to EU users):

As provider of the personality testing system: Article 50(1) — disclose to users they're interacting with AI at first interaction. Article 50(2) — ensure AI-generated text outputs are marked in machine-readable format as artificially generated. Neither of these is very onerous in practice — a clear disclosure banner and technical metadata tagging — but they are legally required from launch.

Article 5 prohibited practices: Your app as described (voluntary, self-facing, no downstream detriment) does not trigger any prohibition, provided: you remove social media scraping; the intended purpose is explicitly self-knowledge only (not employment or education screening); and you don't market it in ways that invite the social scoring temporal-and-detriment analysis.

Not high-risk under Annex III: Confirmed — for a pure consumer self-assessment tool with no employment, education, or essential-services purpose.


GDPR obligations you must handle before launch:

A DPIA is required under Article 35 before you go public, given automated profiling using new technologies. This needs to document what data you process, what risks exist, and what mitigations are in place. Most national supervisory authorities publish lists of processing operations that require DPIAs, and AI-powered personality profiling is on most of them.

Lawful basis under Article 6: For a consent-based service where users voluntarily submit their own text, consent (Article 6(1)(a)) is your most natural lawful basis. You need a proper consent mechanism — not a buried terms-of-service click, but a specific, informed, granular consent that describes what the AI will do with the text.

Article 9 explicit consent: Separately required for any processing that may infer or reveal special category data. This needs to be a distinct, specific consent, separate from general terms of service.

Data subject rights infrastructure: Right of access, right to erasure, right to rectification — all apply to saved test results and profiles. Users must be able to request deletion of their entire profile and test history.

Article 13 privacy notice: Required at point of data collection — what data is processed, for what purpose, retained for how long, with whom shared (including the AI model provider), and what rights the user has.

In short: your app is not as legally impossible as you initially feared, but it requires real infrastructure — a DPIA, a proper privacy notice, granular consent flows, Article 50 AI disclosures, and data subject rights mechanisms — before it can legally go public. The removal of social media scraping remains the only straightforwardly non-negotiable content change. Everything else is solvable with proper legal scaffolding and, ideally, a consultation with a GDPR/AI Act-experienced data protection lawyer before launch.

55 minutes ago, zurew said:

Here is what Claude Sonnet 4.6 on max effort had to say (after it double checked everything)


Does the AI consider that even if you remove social media scraping but keep the text field function, you can paste text from an online profile of a non-consenting person and thus perform a non-consenting profiling of that person?

Thanks for running it by the way.

9 hours ago, Carl-Richard said:

Does the AI consider that even if you remove social media scraping but keep the text field function, you can paste text from an online profile of a non-consenting person and thus perform a non-consenting profiling of that person?

Thanks for running it by the way.


Here is the complete synthesis, integrating and correcting everything across all four rounds of analysis. Think of this as the single document that supersedes all previous answers.

Complete Synthesis: Your Personality Testing App Under EU AI Act and GDPR

First: What My Previous Answers Got Wrong

Before presenting the definitive picture, intellectual honesty requires identifying where the previous answers were wrong or incomplete, because some of those errors fed into subsequent analysis.

Wrong specific legal ground for the DPIA. In my third answer I said a DPIA was mandatory under Article 35(3)(a). That provision requires systematic evaluation of personal aspects based on automated processing on which decisions are based that produce legal effects or similarly significantly affect the natural person. A voluntary self-facing personality quiz that produces no binding decision and has no legally significant effect on the user's life doesn't clearly satisfy this condition. The DPIA is still very likely required — but under the general Article 35(1) standard (new technology + likely high risk to rights) and the EDPB's published criteria, not the more specific Article 35(3)(a) threshold. I cited the wrong provision for a conclusion that is probably still correct. [Source: Future of Privacy Forum]

Three obligations entirely absent from all previous answers. Article 28 (Data Processing Agreement with Anthropic), Article 30 (Records of Processing Activities), and GDPR Chapter V (international data transfers if user data flows to Anthropic's US servers) were never mentioned in any of the first three answers. These are not optional or minor.

Article 50 timing was imprecise. Article 50 transparency obligations for AI systems fall under Chapter IV of the AI Act, which applies from August 2, 2026 — approximately seven weeks from now. This makes it imminent for launch purposes, not already in force.

The structural text field problem. The most important single error across the first three answers is that I framed the third-party profiling problem as solvable through removing the automated scraping tool, adding a "type-only" restriction, or including a ToS disclaimer. None of those are solutions. You identified the correct framing in the last exchange: the free-text input field is structurally incapable of preventing non-consensual profiling of third parties, regardless of UI restrictions or contract terms. This is the central insight of the entire conversation, and it took until the fourth exchange to reach it.

The Definitive Legal Position

EU AI Act

Article 5 prohibited practices — not triggered for your app as designed.

The social scoring prohibition at Article 5(1)(c) requires three cumulative conditions to be met simultaneously: the AI system is placed on the market or put into service; it evaluates or classifies individuals over a period of time based on social behaviour or personality characteristics; and the resulting score leads to detrimental or unfavourable treatment either in unrelated social contexts or treatment that is unjustified or disproportionate. A voluntary self-facing personality test where results are shown only to the user who produced them, with no downstream consequence for that person, does not meet the detriment condition. All three conditions must be met simultaneously, and the absence of any one means the prohibition does not apply.

Article 5(1)(f) (emotion recognition) is not triggered because text-based analysis is not biometric-based emotion inference. Article 5(1)(g) (biometric categorisation) is not triggered because text is not biometric data. Article 5(1)(d) (criminal risk prediction) has no application here.

Annex III high-risk classification — not triggered for pure consumer self-assessment, but with an important caveat.

Reviewing the full Annex III list, none of its eight categories cover a voluntary consumer self-assessment personality tool whose purpose is the user's own self-knowledge. However, if the app were used — or marketed as usable — for employment screening or educational assessment, it would fall under Annex III categories 4(a) and 3(a)-(d) respectively, triggering a full suite of high-risk obligations including conformity assessments, technical documentation, human oversight requirements, and registration in the EU database. This means the app's intended purpose and how it is marketed matter significantly for Annex III purposes. Explicitly excluding employment and educational use in the terms of service is a meaningful protective measure, not just boilerplate.

Article 50 transparency obligations — applicable from August 2, 2026, and relevant to your app.

Article 50(1) requires that providers of AI systems intended to interact directly with natural persons ensure those persons are informed they are interacting with an AI system, unless this is obvious to a reasonably well-informed person given the circumstances. For an explicitly AI-branded personality testing service, the obvious-exception likely applies and no additional disclosure is technically required under this sub-article. However, the safer and more accountable practice is to disclose explicitly anyway.

Article 50(2) is the more practically demanding obligation. It requires that AI-generated text outputs be marked in machine-readable format as artificially generated. A personality analysis generated by calling an AI API is exactly this. The technical implementation — what machine-readable marking actually means in practice — is still being operationalised by the EU AI Office through a Code of Practice on AI-generated content that remains in development as of this writing. The legal obligation is clear; the specific technical standard is not yet final.

Your regulatory role under the AI Act: provider and deployer simultaneously.

If you build a personality testing website that calls an AI API (such as Claude), you are simultaneously a deployer of the underlying AI model (the model provider — Anthropic — being the provider of that model) and a provider of your own AI-powered personality testing system, which you are placing on the market under your own name. As the provider of the overall system, the Article 50 obligations fall on you with respect to your system. As a deployer of the underlying model, you must use it within its intended purpose, comply with the model provider's usage policies, and implement appropriate human oversight. Both roles carry obligations; neither can be disclaimed by pointing to the other.

GDPR

The structural text field problem — the fundamental issue.

The most important GDPR problem with your app is not the automated social media scraping function, which is the most obvious violation. It is that a free-text input field accepting arbitrary text submitted to an AI for personality analysis is structurally incapable of preventing the non-consensual profiling of third parties. When a user pastes someone else's social media posts, forum comments, or any other text into that field, your system processes personal data about a third party who has provided no consent and for whom you have no lawful basis under Article 6. The fact that a user did this in breach of your terms of service does not give you a lawful basis retroactively, because the processing has already occurred through your infrastructure. Foreseeable misuse cannot be disclaimed away under GDPR, and this misuse is not just foreseeable — it is virtually certain at any meaningful scale.

Terms of service, "type-only" UI restrictions, active confirmation checkboxes, and warning banners all shift moral responsibility toward the user but provide no lawful basis for the processing you are performing as controller when third-party data flows through your system. The legal harm is in the processing itself, not in the mechanism of acquisition.

The only structural solutions are input mechanism redesigns, not policy additions. Multiple-choice tests are structurally incapable of accepting third-party personal data in the form that creates the problem. Highly constrained prompted responses (asking users specific questions about their own behaviour rather than accepting open text) reduce but do not eliminate the risk. Free-text input cannot be rescued by policy.

Lawful basis — Article 6 and Article 7.

For consent to be valid under Article 7, it must be freely given, specific, informed, and unambiguous. Where consent is given in the context of a written declaration that also concerns other matters, the request for consent must be clearly distinguishable from those other matters, in intelligible and plain language. Withdrawal of consent must be as easy to give as to grant it, and data subjects must be informed of their right to withdraw before giving consent. [Source: Security Boulevard]

This means bundling consent for AI personality profiling into general terms of service is not valid consent under GDPR. You need a specific, granular, separately presented consent for each distinct processing purpose: for the personality test itself, for storing the results, for using stored results as inputs to a meta-analysis, and so on. Each of these is a separate purpose requiring separate consent.

Article 9 special category data.

If your tests could produce outputs that reveal or infer mental health indicators, political opinions, religious or philosophical beliefs, sexual orientation, or other Article 9 categories, a second layer of explicit consent is required — separate from the Article 6 consent — specifically for processing of those categories. This is not a formality; it requires clearly identifying to the user what sensitive inferences the AI might draw and obtaining express, affirmative consent to that specific processing. Test design matters here: a Big Five personality inventory that produces only trait-level outputs (openness, conscientiousness, etc.) sits differently from a test whose outputs shade into clinical psychological territory.

Article 22 automated profiling — correctly identified as not directly triggered, with a nuance.

Article 22's strict requirements apply only to automated decision-making that produces legal effects or similarly significantly affects the data subject. A voluntary personality quiz that shows users their own results produces neither. However, the CJEU's 2023 ruling in SCHUFA (C-634/21) held that even a probability score generated by AI that a human then uses as the primary basis for a significant decision can constitute solely automated decision-making if the human effectively rubber-stamps the AI output. This doesn't directly apply to a self-facing tool, but it is relevant if you ever consider allowing test results to be shared with or accessed by third parties who might make decisions based on them.

The Options Analysis

Option A: Multiple-choice tests only, with optional AI meta-analysis on the user's own saved results.

This is the cleanest path. Multiple-choice tests eliminate the AI Act surface area (no AI used for primary analysis), structurally prevent the third-party data problem, and produce a much simpler GDPR compliance story (you are storing quiz answers, not AI-generated personality inferences). The GDPR compliance requirements do not disappear — you still need consent, a privacy notice, data subject rights infrastructure, ROPA, and a DPA with any third-party data processors — but the risk profile is dramatically lower.

The AI meta-analysis feature can be reintroduced on this foundation, with specific informed consent for that processing, as long as: (a) it operates only on the user's own saved results, (b) it is clearly presented as an optional feature with a separate consent flow, and (c) the outputs are disclosed as AI-generated under Article 50(2) from August 2026. This is the design you proposed and it is legally sound on its own terms, provided the consent and disclosure framework is properly implemented.

Using AI internally to generate new multiple-choice tests is entirely unaffected by any of these considerations — you are using AI as a productivity tool, not deploying it to users.

Option B: AI text analysis with a constrained prompted-response input.

Replacing the free-text field with specific prompted questions ("Describe how you typically respond when you disagree with someone") reduces the third-party data risk somewhat, because it is less obvious how to use a prompt-based form to profile someone else. But it does not eliminate it — a determined user can answer prompts from the perspective of a third party — and it reintroduces the full AI Act and GDPR complexity of the AI-analysis model. This option converges toward multiple-choice without fully solving the structural problem, and carries the full compliance burden of AI deployment. It is not the cleanest path.

Option C: Keep AI text analysis and free-text field with risk-managed policy framework.

Not viable. The structural text field problem cannot be solved through policy, and the processing of third-party data without lawful basis cannot be disclaimed away through terms of service. This option would be non-compliant on its face.

Complete Pre-Launch Compliance Checklist

This applies in full regardless of which option you choose. Items 1 and 2 must be completed before any user data is processed — including before a private beta.

Before handling any user data:

1. Execute a Data Processing Agreement with Anthropic (or whichever AI API you use) under GDPR Article 28, covering the scope of processing, security obligations, and sub-processor restrictions.

2. Establish a GDPR Chapter V international data transfer mechanism if user data will be sent to servers outside the EEA — most likely Standard Contractual Clauses with Anthropic as a US-based processor.

Before launch:
3. Conduct and document a DPIA under Article 35(1) covering the AI-based profiling, the consent model, the risks, and the mitigations. This must be completed and retained before processing begins at scale.
4. Create a Records of Processing Activities (ROPA) document under Article 30 identifying all processing activities, their legal bases, retention periods, and data flows.
5. Draft and publish a GDPR Article 13 privacy notice disclosing: who you are, what data you collect, for what purposes, on what legal basis, for how long, with whom it is shared (including the AI model provider), and what rights the user has.
6. Implement Article 6(1)(a) consent flows that meet the Article 7 validity standard: granular, purpose-specific, clearly presented separately from other terms, with withdrawal as easy as consent.
7. Implement separate explicit Article 9(2)(a) consent if any test outputs could touch special category data — and consider test design specifically to avoid this.
8. Implement data subject rights infrastructure: access (Art. 15), rectification (Art. 16), erasure (Art. 17), portability (Art. 20), and objection (Art. 21) must all be exercisable by users with respect to their test inputs, results, and profiles.
9. Define and enforce data retention periods under Article 5(1)(e) — test results must not be stored indefinitely; users must be able to delete their profiles and have deletion actually execute.
10. Implement appropriate technical and organisational security measures under Article 32.
11. Build privacy by design into the architecture from the start under Article 25 — data minimisation, consent defaults, access controls.
12. Explicitly exclude employment-related and educational-assessment use cases in the terms of service and marketing to preserve the Annex III non-high-risk classification.

At or before August 2, 2026 (if using AI features at launch):
13. Implement Article 50(2) machine-readable marking of AI-generated text outputs. The specific technical standard is still being finalised by the EU AI Office, but the legal obligation is clear. Monitor the Code of Practice on AI-generated content for the technical implementation standard.
14. Consider whether the volume of sensitive data processing triggers a DPO designation obligation under Article 37.

What Remains Genuinely Uncertain

The following questions have no definitive answer yet and represent areas where the law is still being settled:

Whether AI personality test outputs that infer emotional states would trigger Annex III 1(c) (emotion recognition as a high-risk category) is a design-dependent question. Personality trait assessment and emotion recognition are conceptually distinct, but where exactly the line falls has not been adjudicated.

The exact technical standard for Article 50(2) machine-readable marking is still being developed by the EU AI Office. You cannot fully implement this obligation yet because the specific standard has not been finalised.

How supervisory authorities will interpret the social scoring temporal condition in relation to saved test histories and longitudinal profiling systems has not yet been addressed in any enforcement action or official guidance specifically applicable to consumer self-assessment apps.

All AI Act interpretations remain non-authoritative until the CJEU rules on them. The Commission Guidelines are legally non-binding, and the Act itself has only been in force since 2024 with phased implementation ongoing.

The Honest Meta-Point

This synthesis emerged across four rounds, with significant gaps only surfacing progressively — and the most important insight in the entire conversation, the structural incompatibility of the free-text field with GDPR compliance for third-party data, only became explicit when you articulated it in the last exchange. An expert AI doing the analysis is not a substitute for a specialist data protection lawyer reviewing your specific architecture, data flows, and intended use before launch. That consultation is not optional given what is at stake.

7 hours ago, zurew said:

and the resulting score leads to detrimental or unfavourable treatment either in unrelated social contexts or treatment that is unjustified or disproportionate. A voluntary self-facing personality test where results are shown only to the user who produced them, with no downstream consequence for that person, does not meet the detriment condition. All three conditions must be met simultaneously, and the absence of any one means the prohibition does not apply.


When reading Article 5, it was unclear to me whether I should interpret that last part as "potentially leading to" rather than "necessarily leading to".

Here is the wording from Article 5:


[...], with the social score leading to either or both of the following:

[...]

