


Data Protection Breaches in AI Training: Consequences for the AI System

published on 25 June 2025 | reading time approx. 4 minutes


Artificial intelligence (AI) processes data not only during operation, but already during the training of the AI system. If personal data is processed in violation of the General Data Protection Regulation (GDPR), not only this action but also the legal admissibility of the system as a whole is put to the test. The possible consequences range from fines and official usage bans to civil liability. This article shows why data protection deficiencies can significantly impair the usability of an AI system and why AI compliance issues should be included in the development process at an early stage.

Unlawful training

The GDPR does not only take effect when an AI system is used, but also during the training process. If personal data is processed without a legal basis, for example without consent, without a proper balancing of interests or in breach of information obligations, it is not only the data handling that is unlawful. The AI system that was created on this basis cannot simply be used either.

This is because the processing "resides" in the AI system: the structures, weightings and prediction patterns were derived from the unlawfully used data, regardless of whether the raw data is later deleted. It becomes particularly critical when personal content remains technically traceable in the system, for example in the case of language models with memorization effects. An abstract data protection problem then becomes a concrete point of attack, with legal and economic consequences.

Sanctions and liability

The consequences of AI systems trained in violation of data protection regulations are diverse and considerable in their scope. The following three levels are particularly relevant for companies:
  • Supervisory measures

According to Art. 58 GDPR, supervisory authorities can prohibit the use of an AI system or order its deletion if the underlying data processing was unlawful. As a result, the entire AI system could no longer be used, even if it functions technically flawlessly;
  • Fines and economic risks

Violations of the General Data Protection Regulation can be sanctioned with fines of up to 20 million euros or 4 per cent of the annual global turnover in accordance with Art. 83 GDPR. 
In addition, from August 2, 2025, the sanction provisions of the AI Act will apply, which provide for further fines in the event of prohibited AI systems or a lack of transparency - with an upper limit of up to 35 million euros or 7 per cent of the annual global turnover. For data-driven AI systems that are provided externally or exploited commercially, this can become a significant business risk, not only financially but also strategically;
  • Civil law claims and reputational damage

In addition to official measures, data subjects can assert claims under civil law, in particular for damages in accordance with Art. 82 GDPR. This presupposes that they become aware that their personal data has been used unlawfully, for example through requests for information on data protection, public proceedings or media reports. In the case of complex AI systems, it is often not readily apparent to data subjects whether and how their data is being processed in the AI system. Nevertheless, a verifiable reference is sufficient to trigger claims, e.g. if a personal reference can be technically reconstructed or the AI system generates content that can be traced back to identifiable data. 
Publicly known breaches also often lead to reputational damage - the trust of customers, partners or investors can be permanently impaired, especially if the AI system is already visible on the market.

Technical and legal measures

An illegally trained AI system cannot usually be rectified by simple corrections. Even if inadmissible personal data is subsequently removed, its influences can continue to have an effect on the model, for example through trained weightings or reproducible patterns. Whether retraining is sufficient or the AI system needs to be completely rebuilt depends on the technical structure and the extent of the breach. Modular systems in which individual training phases can be repeated or adapted in isolation are advantageous. Wherever possible, anonymized or aggregated data should also be used to avoid the risk of personal repercussions from the outset.

An early Data Protection Impact Assessment (DPIA) can also be an important risk management tool. Although it does not replace lawful data processing, it helps to systematically identify risks and provide documented evidence that legal requirements are checked at an early stage. 

Companies that coordinate technical and legal assessment processes as early as the development stage not only ensure compliance, but also the long-term viability of the models.

Conclusion

Compliance with data protection regulations is not a mere formality, but a central component of any responsible AI strategy, especially with regard to training processes, which are often outside the immediate focus of operational control. Companies that bring together technical structures, legal requirements and internal control mechanisms at an early stage not only create legal certainty, but also reduce the risk of regulatory intervention and financial damage. Ultimately, they also protect the trust in their technology, a factor that is crucial for the acceptance and long-term usability of AI systems.

DATA PROTECTION BITES

author

Johannes Marco Holz, LL.M.

Attorney at law (German)

Partner

+49 911 9193 1511

Prishila Hanelli, LL.M.

Business lawyer

+49 521 260 748 34
