Determining the legal qualification of AI system providers

07 June 2024

AI system providers who intend to create training datasets with personal data must determine their qualification under the GDPR: they may be qualified as controllers, joint controllers or processors.

This content is a courtesy translation of the original publication in French. In the event of any inconsistencies between the French version and this English translation, please note that the French version shall prevail.

Several operators may intervene in the development of an AI system, with varying degrees of involvement in the processing of personal data. In particular, there are:

  • AI system providers developing or delegating the development of a system and placing it on the market or putting it into service under their own name or brand, against payment or for free.
  • importers, distributors, and users of these systems (i.e. those deploying AI systems).

The qualification of the operators involved in each processing, within the meaning of the GDPR, must be analysed on a case-by-case basis.

The controller

Joint controllers

The use of a processor