Source: PPC Land

The French data protection authority CNIL published comprehensive recommendations on July 22, 2025, detailing how AI developers must comply with the GDPR. The guidance clarifies the applicability of GDPR to AI models, establishes security requirements including data confidentiality, system integrity, and encryption, and sets strict conditions for annotating training data to ensure minimization and accuracy.

CNIL requires organizations to conduct Data Protection Impact Assessments for AI systems posing high risks to individual rights, addressing AI-specific risks such as automated discrimination and data vulnerabilities. The recommendations also emphasize managing individual rights in AI development, including procedures for identifying personal data memorized by generative AI models and retraining or filtering outputs accordingly. The guidance notably affects marketing technology platforms using AI for audience targeting, requiring robust security and compliance measures.