EU regulation governing how personal data is collected, stored, processed, and shared. In force since May 2018. Applies to any organization handling EU residents' personal data, regardless of where the organization is based.
Definition: EU regulation governing how personal data is collected, stored, processed, and shared. In force since May 2018. Applies to any organization handling EU residents' personal data, regardless of where the organization is based.
GDPR is the EU's main privacy law and the default framework for handling personal data in UX research. It applies whenever a study touches identifiable participant data, even when participants are recruited outside the EU but reside in member states. Two GDPR concepts dominate vendor evaluation: lawful basis (usually consent for research) and data minimisation (collect only what's needed for the stated purpose).
For AI tools, the relevant questions are: who is the controller, who is the processor, where is the data processed, and what is the basis for international transfers if any. A vendor that uses participant data to train models without a clear legal basis turns your study into a compliance incident. The DPA (Data Processing Agreement) is the document that nails these obligations down.
GDPR coexists with the EU AI Act since August 2024. The AI Act adds transparency and documentation obligations on top, it does not replace GDPR.
Contract between a data controller (the research team or commissioning organization) and a data processor (a vendor handling data on their behalf) defining what the processor may do with the data. Mandatory under GDPR Article 28.
Third party that a vendor uses to deliver their service and that therefore also handles your data. Examples: cloud providers, LLM APIs, transcription services. Vendors must disclose them under GDPR and request permission before adding new ones.
EU regulation classifying AI systems by risk level and imposing obligations accordingly. In force since August 2024, with obligations phasing in through 2026 and 2027. Stacks on top of GDPR rather than replacing it.
This term is referenced in the following articles: