Data protection authorities review AI use: companies must answer these 7 questions now


Aristotelis Zervos

Aristotelis Zervos, Editorial Director at 2B Advice, combines legal and journalistic expertise in data protection, IT compliance and AI regulation.

Various companies are currently receiving letters from data protection authorities regarding their use of AI. The letters are requests for information pursuant to Art. 58(1)(a) GDPR, the provision under which the authorities exercise their investigative powers. The supervisory authorities apparently want to gain an up-to-date overview of the use of AI in companies, particularly in the HR sector. What specific questions do the data protection authorities ask, and how should companies respond when they receive such a request for information?

Background: Survey by data protection authorities on the use of AI

We have received an original letter from the State Commissioner for Data Protection and Freedom of Information in Rhineland-Palatinate. The stated aim of the survey is to “evaluate the status quo of digitization in human resources” and to analyze the extent to which companies use AI-supported tools.

The authority expressly emphasizes that AI creates new efficiency potential, particularly when processing large amounts of data, and that this in turn increases the need for supervisory review.

Link tip: Use of AI and data protection supervisory tasks (The State Commissioner for Data Protection and Freedom of Information, Rhineland-Palatinate)

Companies should answer these 7 questions on the use of AI

The request for information comprises seven detailed questions. The subject line of the letter already makes the direction of travel clear: “Data processing in personnel management; use of Artificial intelligence (AI) tools”.

Companies must answer the following questions:

  1. Which software/IT tools do you use in your company to handle HR management? Please describe the functions of the IT tool and name the categories of personal data that are processed with it.

  2. Please submit all relevant records of processing activities in accordance with Art. 30 GDPR in connection with the processing of personal data.

  3. If data protection impact assessments have been carried out in connection with personnel management, please submit them.

  4. If not already answered in question 1: Which software/IT tools do you use to carry out application procedures? Please describe the data processing.

  5. Does your company use an IT tool that works on the basis of artificial intelligence, or that relies on artificial intelligence for some of its functionality? If yes, please describe the intended use and how it works. Please also name the AI model on which the IT tool is based.

  6. If the answer to question 5 is yes: Are these IT tools used by employees, or are they used to process personnel data? In particular, please describe the processing of personal data carried out in this context.

  7. If the answer to question 5 is yes: Are AI tools used in the application process?


In all answers, companies should also explain how the tools are operated technically (e.g. SaaS, IaaS, on-premise).

When do questions 6 & 7 have to be answered?

Companies should pay close attention to the wording in the questions:
Question 5 refers to the use of AI throughout the company, not just in HR.

This means:

  • if an AI tool is used anywhere in the company (e.g., MS 365 Copilot, ChatGPT, AI-supported analysis tools),
  • even if no personal data is processed with it,
  • question 5 must be answered with “Yes”.


In this case, questions 6 and 7 must also be answered. If the use of AI does not affect human resources management, the questions can be answered in the negative.

This increases the documentation and testing effort.

Reading tip: Why model cards are so important for AI documentation

Recommendations for companies

Companies should not underestimate the request for information from the authorities. The following steps are useful:

1. Complete inventory of all IT and AI tools in use

Hidden AI functions in standard software (e.g. HR suites, applicant management systems, office tools) must also be taken into account.

2. Update the records of processing activities

Together with the specialist departments, it must be ensured that all processes in accordance with Art. 30 GDPR are correctly documented.

3. Check whether a DPIA is required for AI-supported processes

AI that processes personnel data, for example in recruiting, may well require a data protection impact assessment (DPIA).

4. Document the technical operating models

Authorities are increasingly attaching importance to information on hosting, storage locations, data centers and service architecture.

5. Clarify internal responsibilities

HR, IT, data protection and, where applicable, compliance must coordinate their work in order to meet the authority's deadline.

6. Have the response legally checked

Incorrect or incomplete information may result in further inquiries or in-depth investigations. To avoid regulatory action, you should therefore have the request reviewed by a data protection expert.

Conclusion

The current requests for information clearly show that the supervisory authorities are increasingly focusing on the use of AI in HR management and in companies as a whole. Companies should carefully review such letters and ensure that all information is complete, correct and legally sound.
