In June 2025, the French data protection supervisory authority CNIL published guidance on the use of Art. 6 para. 1 lit. f GDPR (legitimate interest) as the legal basis for the development of AI systems. The guidance is aimed at companies and organizations that are in the development or innovation phase of IT systems, software or AI applications.
Objective of the CNIL guidance
The central question of the CNIL guidance is: Under what conditions may personal data already be processed during the development phase of an AI system without requiring consent or another specific legal basis?
The CNIL stresses that the development of systems can also rest on other legal bases, in particular:
- the consent of the data subject (Art. 6 para. 1 lit. a GDPR),
- the performance of a contract (Art. 6 para. 1 lit. b GDPR).
However, legitimate interest is particularly relevant where neither of these alternatives is practicable.
Definition: "Development of a system"
This covers all activities relating to the design, development, testing and improvement of systems that will later process personal data. Examples:
- Development of recommendation systems
- Development of fraud detection algorithms
- Training of chatbots or AI language models
- Testing of new CRM or ERP modules
Important: This is exclusively about the pre-production phase, i.e. the time before live operation.
Legitimate interest pursuant to Art. 6 para. 1 lit. f GDPR
The CNIL confirms that the processing of personal data for development purposes can generally be based on the legitimate interest of the controller. However, this requires a careful and structured examination oriented on the requirements of Art. 6 para. 1 lit. f GDPR.
First, the controller must demonstrate a legitimate interest. This can be, for example, the improvement of services, an increase in IT security or the development of new, customer-friendly functionalities. Economic interests or the optimization of internal processes can also be recognized as legitimate interests.
It must then be checked whether the planned processing is necessary. This means that there must be no other, more data protection-friendly alternative with which the same development goal could be achieved. It must be analyzed whether the use of anonymized or synthetic data is sufficient or whether access to personal data is really necessary.
In the third step, the legitimate interests of the controller are weighed against the fundamental rights and freedoms of the data subjects. The following factors in particular must be taken into account:
- Type of data processed (e.g. whether sensitive data is involved)
- Scope of the Processing
- Duration of storage
- Transparency towards the persons concerned
- Implementation of protective measures such as Pseudonymization, Encryption or access restrictions
The aim of this balancing is to ensure that the interests or fundamental rights of the data subject do not outweigh the interests of the controller.
Special categories of personal data
The CNIL clarifies that the processing of such data is only permitted under very strict conditions. These special categories include, for example, health data, biometric data for the purpose of unique identification, genetic data, data on racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership and data on sexual orientation.
For the development phase of a system, this specifically means that processing of such data is generally not permitted unless one of the exceptions listed in Art. 9 para. 2 GDPR applies. These include in particular:
- The explicit Consent of the data subject pursuant to Art. 9 para. 2 lit. a GDPR.
- Processing that is necessary for reasons of substantial public interest (Art. 9 para. 2 lit. g GDPR), provided it is based on a legal basis.
- Further, specifically regulated exceptions such as the assertion, exercise or defense of legal claims.
The CNIL emphasizes that even if an exception applies, the general data protection principles pursuant to Art. 5 GDPR must be observed, in particular:
- Data minimization
- Purpose limitation
- Storage limitation
- Integrity and confidentiality
In addition, the CNIL recommends preventing the use of such data as early as the development phase through technical protective measures such as pseudonymization, encryption or the use of synthetic test data. In cases where the processing of special categories of personal data cannot be avoided, a data protection impact assessment (DPIA) must be considered and documented.
Legitimate interest and data protection impact assessment (DPIA)
The CNIL highlights the data protection impact assessment (DPIA) as an important instrument for assessing and minimizing risk when development projects entail a high risk to the rights and freedoms of data subjects. The legal basis for this is Art. 35 GDPR, which stipulates the obligation to carry out a DPIA for risky processing operations.
Typical indicators of a DPIA obligation include:
- Extensive processing of personal data, especially if large amounts of data or a large number of data subjects are affected.
- The use of new or innovative technologies, for example in the development of AI systems, machine learning applications or big data solutions.
- The processing of data with a high-risk character, in particular where sensitive or special categories of personal data (Art. 9 GDPR) are affected.
- Automated decision-making or profiling which can have a significant impact on the persons concerned.
In accordance with the requirements of the GDPR, a DPIA comprises the following steps:
- Systematic description of the planned processing activities, their purposes and the categories of data concerned.
- Assessment of the necessity and proportionality of the processing in relation to the purpose pursued.
- Identification and assessment of the risks to the rights and freedoms of data subjects.
- Determination and documentation of remedial measures to reduce or eliminate the identified risks (e.g. technical and organizational measures, pseudonymization, access controls).
The CNIL recommends carrying out the DPIA early in the development phase in order to identify risks at the system design stage and implement suitable countermeasures. In addition, the DPIA should be updated regularly, in particular in the event of significant changes to the system or the purpose of processing.
Reading tip: When must a Data protection impact assessment take place?
Concrete data protection measures ("safeguards")
The CNIL attaches particular importance to the implementation of data protection-friendly precautions (safeguards) already in the development phase of a system. The aim of these measures is to minimize the risk to the rights and freedoms of data subjects as far as possible, even if the data processing is not yet in productive operation.
The safeguards recommended by the CNIL include in particular:
- Pseudonymization: Wherever technically possible and practicable, personal data should be processed pseudonymously. This means that the identity of the data subject is not immediately recognizable without additional information. The separation of identifiers from content data and the secure storage of the assignment tables are essential here.
- Data minimization: Only data that is absolutely necessary for the respective development purpose should be processed. The CNIL expressly recommends a critical examination of whether the data fields used are really needed or whether a reduction to a minimum is possible.
- Access restrictions and role management: Access to personal data must be strictly limited to those employees or developers who are directly involved in the development project and for whom knowledge of the data is essential. Technical access control systems (e.g. role-based access control) and organizational measures such as confidentiality obligations must be used.
- Use of synthetic or anonymized test data: Wherever possible, fully anonymized or synthetically generated data should be used for testing and development purposes in order to avoid the use of real personal data. Synthetic data offers the advantage of simulating realistic data structures without using real personal information.
- Encryption and other technical protective measures: In addition to the points above, the CNIL also requires technical protective measures such as encryption during storage and transmission, logging of accesses and regular security checks of the development environment.
Controllers should also keep detailed documentation of all protective measures taken in order to be able to prove, in the event of an audit by the supervisory authorities, that the requirements of the GDPR were fully taken into account already during the development phase.
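As an added illustration of the pseudonymization and data minimization safeguards described above (example code written for this page, not taken from the CNIL guidance): it splits direct identifiers off into a separately held assignment table, keeps only the fields the development purpose needs, and checks that no identifier leaked into the development copy. The customer records, field names and key are constructed for the example.

```python
import hmac
import hashlib
import secrets

# Constructed sample "customer base": direct identifiers mixed with content data.
SAMPLE_RECORDS = [
    {"customer_id": "C-1001", "email": "alice@example.com", "name": "Alice Martin",
     "country": "FR", "orders_last_90d": 7, "chargebacks": 1},
    {"customer_id": "C-1002", "email": "bob@example.com", "name": "Bob Durand",
     "country": "FR", "orders_last_90d": 2, "chargebacks": 0},
]

DIRECT_IDENTIFIERS = ("customer_id", "email", "name")
# Data minimization: only the fields the fraud-detection development purpose needs.
NEEDED_FIELDS = ("country", "orders_last_90d", "chargebacks")


def pseudonym(secret_key: bytes, customer_id: str) -> str:
    """Keyed hash of the identifier; without the key it can be neither reversed
    nor recomputed, so the key must stay outside the development environment."""
    return hmac.new(secret_key, customer_id.encode(), hashlib.sha256).hexdigest()[:16]


def pseudonymise(records, secret_key):
    """Split records into (dev_dataset, assignment_table).

    dev_dataset goes to developers: pseudonym plus minimised content fields only.
    assignment_table maps pseudonym -> direct identifiers and is the "assignment
    list" that must be stored separately under restricted access.
    """
    dev_dataset, assignment_table = [], {}
    for rec in records:
        pid = pseudonym(secret_key, rec["customer_id"])
        dev_dataset.append({"pid": pid, **{f: rec[f] for f in NEEDED_FIELDS}})
        assignment_table[pid] = {f: rec[f] for f in DIRECT_IDENTIFIERS}
    return dev_dataset, assignment_table


def contains_direct_identifiers(dev_dataset) -> bool:
    """Leak check before the data leaves for the development environment."""
    return any(f in row for row in dev_dataset for f in DIRECT_IDENTIFIERS)


def reidentify(assignment_table, pid):
    """Only the holder of the assignment table can re-identify, e.g. for a data-subject request."""
    return assignment_table.get(pid)


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # generated and kept outside the dev environment
    dev, table = pseudonymise(SAMPLE_RECORDS, key)
    print(dev)
```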
Transparency and Duty to inform
The CNIL emphasizes that even during the development phase of a system, the transparency and information obligations under Art. 13 and 14 GDPR apply in full. This means that data subjects must be informed that their personal data is being processed for development purposes, even if the system has not yet gone live.
The persons concerned must be informed of the following points in particular:
- Purpose of the processing: It must be specifically stated that the data is being processed for the development, testing or improvement of a system.
- Legal basis of the processing: Here, the legitimate interest pursuant to Art. 6 para. 1 lit. f GDPR must be stated, including a brief description of the respective interest.
- Recipients or categories of recipients: If external service providers or other bodies are given access to the data, they must be named.
- Storage duration or criteria for determining it: The length of time the data is stored in the development phase, or the criteria used to determine the storage period, must be specified.
- Rights of data subjects: Data subjects must be informed about their rights, such as access, rectification, erasure, restriction of processing, objection and the right to lodge a complaint with a supervisory authority.
- Origin of the data: If the personal data was not collected directly from the data subject, the source of the data must also be disclosed.
In addition, the CNIL recommends that the information be provided in clear, simple language and, if possible, via the same channels through which the company otherwise communicates with the data subjects (e.g. data protection notices on the website, separate notification letters or notices in customer portals).
The fulfillment of this duty to inform should also be documented in writing in order to be able to provide the supervisory authorities with proof of proper implementation.
Legitimate interest: examples of permissible and impermissible scenarios
Permissible:
- Development of a fraud detection tool with pseudonymized real data from an existing customer base.
- Testing of a recommendation algorithm with a minimum amount of data and clear data access controls.
Impermissible:
- Use of complete customer profiles without anonymization or risk analysis.
- Processing of special categories of personal data without a corresponding legal basis or exception.
Liability and sanction risks
Violations of the data protection requirements set out in the guidance can have considerable legal and financial consequences. For breaches of key obligations such as the principles of processing (Art. 5 GDPR), the legal basis (Art. 6 GDPR) or the rights of data subjects (Art. 12 ff. GDPR), the GDPR provides for fines of up to 20 million euros or up to 4 % of a company's global annual turnover, whichever is higher (Art. 83 para. 5 GDPR).
Specifically, infringements in the development phase can lead to the following liability risks:
- Fines imposed by the supervisory authorities: in particular for a missing or inadequate balancing of interests, failure to carry out a data protection impact assessment, or inadequate technical and organizational protective measures.
- Orders of the supervisory authorities: these may include the prohibition of data processing or an order to erase unlawfully processed data.
- Claims for damages by data subjects: according to Art. 82 GDPR, data subjects are entitled to compensation for the material or non-material damage they have suffered.
- Reputational damage: data protection breaches can lead to a considerable loss of trust among customers, partners and the public.
The CNIL therefore expressly recommends establishing internal compliance structures as early as the development phase and comprehensively documenting all relevant data protection processes. These include, among others:
- Carrying out and documenting the balancing of interests
- Carrying out a data protection impact assessment where necessary
- Documenting the implemented technical and organizational measures (TOMs)
- Proof of proper fulfillment of the duty to inform
By taking these preventive measures, companies can not only avoid sanctions but also demonstrate their data protection compliance in the sense of accountability (Art. 5 para. 2 GDPR).
Conclusion: Data protection by design and by default during development
With this guidance document, the CNIL provides companies and developers with a guide to data protection-compliant system development. Legitimate interest as a legal basis offers practical advantages. However, it also requires careful risk assessment, transparency, the implementation of a DPIA where necessary, and the consistent implementation of technical and organizational measures (TOMs).
For companies, this means that data protection by design and by default already applies during development and not only in productive operation.
Source: "IA : Mobiliser la base légale de l'intérêt légitime pour développer un système d'IA"