<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE article PUBLIC "-//NLM//DTD JATS (Z39.96) Journal Publishing DTD v1.3 20210610//EN" "JATS-journalpublishing1-3.dtd">
<article article-type="research-article" dtd-version="1.3" xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xml:lang="en"><front><journal-meta><journal-id journal-id-type="publisher-id">diright</journal-id><journal-title-group><journal-title xml:lang="en">Digital Law Journal</journal-title><trans-title-group xml:lang="ru"><trans-title>Цифровое право</trans-title></trans-title-group></journal-title-group><issn pub-type="epub">2686-9136</issn><publisher><publisher-name>Maxim Inozemtsev</publisher-name></publisher></journal-meta><article-meta><article-id pub-id-type="doi">10.38044/2686-9136-2025-6-12</article-id><article-id custom-type="elpub" pub-id-type="custom">diright-302</article-id><article-categories><subj-group subj-group-type="heading"><subject>Research Article</subject></subj-group><subj-group subj-group-type="section-heading" xml:lang="en"><subject>ARTICLES</subject></subj-group><subj-group subj-group-type="section-heading" xml:lang="ru"><subject>СТАТЬИ</subject></subj-group></article-categories><title-group><article-title>Using personal data in AI model training under EU law</article-title><trans-title-group xml:lang="ru"><trans-title>Использование персональных данных для обучения моделей искусственного интеллекта в праве Европейского союза</trans-title></trans-title-group></title-group><contrib-group><contrib contrib-type="author" corresp="yes"><contrib-id contrib-id-type="orcid">https://orcid.org/0000-0002-2186-281X</contrib-id><name-alternatives><name name-style="eastern" xml:lang="ru"><surname>Олифиренко</surname><given-names>А. А.</given-names></name><name name-style="western" xml:lang="en"><surname>Olifirenko</surname><given-names>A. A.</given-names></name></name-alternatives><bio xml:lang="ru"><p>Магистрант, кафедра информационного права и цифровых технологий; магистрант, кафедра «Информационная безопасность автоматизированных систем», Институт электронной техники и приборостроения; специалист по защите данных, ответственный за безопасность ИИ-систем, ООО «Экосистема недвижимости "Метр квадратный"», Москва</p><p>410056, Саратов, ул. Вольская, 1;</p><p>410008, Саратов, ул. Политехническая, 77к1.</p></bio><bio xml:lang="en"><p>Artem A. Olifirenko — Master’s student, Department of Information Law and Digital Technologies; Master’s student, Department of Information Security of Automated Systems, Institute of Electronic Engineering and Instrumentation; Data Protection Specialist, responsible for AI governance and security, “Ecosystem Real Estate ‘Metr Kvadratny’” LLC, Moscow</p><p>1, Volskaya st., Saratov, Russia, 410056;</p><p>77-1, Polytechnicheskaya st., Saratov, Russia, 410008</p></bio><email xlink:type="simple">panolifer@gmail.com</email><xref ref-type="aff" rid="aff-1"/></contrib></contrib-group><aff-alternatives id="aff-1"><aff xml:lang="ru"><institution>Саратовская государственная юридическая академия; Саратовский государственный технический университет им. Ю. А. Гагарина</institution><country>Россия</country></aff><aff xml:lang="en"><institution>Saratov State Law Academy; Yuri Gagarin State Technical University of Saratov</institution><country>Russian Federation</country></aff></aff-alternatives><pub-date pub-type="collection"><year>2025</year></pub-date><pub-date pub-type="epub"><day>28</day><month>02</month><year>2026</year></pub-date><volume>6</volume><issue>3</issue><fpage>94</fpage><lpage>124</lpage><permissions><copyright-statement>Copyright &amp;#x00A9; Olifirenko A.A., 2026</copyright-statement><copyright-year>2026</copyright-year><copyright-holder xml:lang="ru">Олифиренко А.А.</copyright-holder><copyright-holder xml:lang="en">Olifirenko A.A.</copyright-holder><license xml:lang="ru" license-type="creative-commons-attribution" xlink:href="https://creativecommons.org/licenses/by/4.0/" xlink:type="simple"><license-p>Данная работа распространяется под лицензией Creative Commons Attribution 4.0.</license-p></license><license xml:lang="en" license-type="creative-commons-attribution" xlink:href="https://creativecommons.org/licenses/by/4.0/" xlink:type="simple"><license-p>This work is licensed under a Creative Commons Attribution 4.0 License.</license-p></license></permissions><self-uri xlink:href="https://www.digitallawjournal.org/jour/article/view/302">https://www.digitallawjournal.org/jour/article/view/302</self-uri><abstract><p>The adoption of the EU Artificial Intelligence Act (AI Act) established mandatory life-cycle regulation of AI systems in the European Union while preserving the validity of the General Data Protection Regulation (GDPR). The training stage of AI models has consequently become a point of intersection between two regulatory regimes: while the AI Act emphasizes data quality and representativeness along with risk management and documentation of training processes, the GDPR sets out the applicable principles of lawfulness, data minimization, purpose, and storage limitation, as well as providing data subjects with a set of safeguards and remedies. In practical terms, this interaction creates a risk of legally defective model training due to the pursuit of representativeness through excessive data collection and repeated re-use of personal data. This article examines the permissibility and organization of AI model training under the joint application of the AI Act and the GDPR. The research sets out to substantiate a legal model that enables proportionate technical and organizational safeguards while preserving training quality and ensuring the lawfulness of personal data processing that respects the fundamental rights of data subjects. As well as combining doctrinal legal analysis of the AI Act requirements on risk management and data governance with a comparative assessment of the GDPR principles and procedural tools for ensuring lawful processing, the methodology involves a systematization of typical governance artefacts used in the development and deployment of high-risk AI systems. The results are presented as an integrated compliance-by-design model for actors involved in the training stage. A practical distinction between an “AI system” and an “AI model” is substantiated: whereas an AI system is qualified as an organizational and technical envelope comprising the model, infrastructure, input and output interfaces, monitoring, and human interaction, an AI model is treated as the algorithmic core trained on data and used to infer outputs. This distinction can be applied to allocate obligations between the provider and entities deploying or operating the system. The proposed mechanism for reconciling dataset representativeness and accuracy with the GDPR data minimization principle through a documented feature inventory is based on a necessity rationale for each class of data and the exclusion of irrelevant attributes alongside an assessment of indirect discrimination risks. The choice of safeguards (pseudonymization, anonymization, aggregation, synthetic generation, and differential privacy) to data sensitivity, use context, and the level of risk to fundamental rights is carried out on the basis of a proportionality model. This model is supported by the outcomes of a data protection impact assessment and a fundamental rights impact assessment. Finally, a practical legal governance loop for the training life cycle is formulated to cover the determination of the purpose and legal basis, limits on dataset re-use, access control and logging, as well as retention and deletion rules, along with procedures for revisiting training parameters and monitoring after deployment. The proposed model increases legal certainty and provides a reproducible framework for aligning the AI Act and GDPR during the training stage.</p></abstract><trans-abstract xml:lang="ru"><p>Принятие европейского Акта об искусственном интеллекте (AI Act) закрепило обязательное регулирование жизненного цикла систем искусственного интеллекта в Европейском союзе при сохранении действия Общего регламента по защите данных (GDPR). Стадия обучения ИИ-моделей оказалась в зоне пересечения двух режимов: Акт об ИИ ориентирует участников на качество и репрезентативность наборов данных, управление рисками и документирование процесса обучения, тогда как Общий регламент о защите данных фиксирует принципы правомерности, минимизации, ограничения целей и сроков хранения, а также предоставляет субъекту персональных данных комплекс гарантий и средств защиты. В практических проектах это создает риск юридически дефектного обучения, когда стремление к репрезентативности реализуется через избыточный сбор и повторное использование данных. Статья исследует допустимость и организацию обучения ИИ-моделей при совместном применении Акта об ИИ и Общего регламента о защите данных. Цель исследования состоит в обосновании правовой модели, позволяющей выстроить соразмерные технические и организационные гарантии, сохранить качество обучения и одновременно обеспечить законность обработки персональных данных и защиту основных прав. Методология включает нормативно-догматический анализ требований Акта об ИИ к системе управления рисками и управлению данными, сопоставление с принципами Общего регламента о защите данных и процедурными инструментами обеспечения законности обработки, а также систематизацию типовых управленческих артефактов, используемых при разработке и эксплуатации высокорисковых ИИ-систем. Результаты исследования представлены как согласованная модель поведения участников на стадии обучения. Обосновано прикладное разграничение «ИИ-система» и «ИИ-модель»: система квалифицируется как организационно-техническая оболочка, включающая модель, инфраструктуру, интерфейсы ввода и вывода, мониторинг и взаимодействие с человеком, тогда как модель рассматривается как алгоритмическое ядро, обученное на данных и применяемое для вывода результатов; данное разграничение используется для распределения обязанностей провайдера и лиц, внедряющих или эксплуатирующих систему. Предложен механизм согласования репрезентативности и достоверности наборов данных с принципом минимизации через документируемую инвентаризацию признаков, обоснование необходимости каждого класса данных и исключение нерелевантных атрибутов с одновременной оценкой риска косвенной дискриминации. Разработана модель соразмерности защитных мер, связывающая выбор псевдонимизации, анонимизации, агрегирования, синтетической генерации и дифференциальной приватности с чувствительностью данных, контекстом использования и уровнем риска для основных прав, подтверждаемым результатами оценки воздействия на защиту данных и оценки воздействия на основные права. Сформулирован практический контур правового обеспечения жизненного цикла обучения: постановка цели и правового основания, ограничение повторного использования наборов данных, контроль доступа и журналирование операций, правила сроков хранения и удаления, а также процедуры пересмотра параметров обучения и мониторинга после внедрения. Предложенная модель повышает предсказуемость правоприменения и задает воспроизводимый порядок согласования требований Акта об ИИ и Общего регламента о защите данных на стадии обучения.</p></trans-abstract><kwd-group xml:lang="ru"><kwd>искусственный интеллект</kwd><kwd>обучение модели искусственного интеллекта</kwd><kwd>правовое регулирование персональных данных</kwd><kwd>минимизация данных</kwd><kwd>соразмерность мер</kwd><kwd>Общий регламент о защите данных</kwd><kwd>Регламент об искусственном интеллекте</kwd><kwd>комплаенс</kwd><kwd>жизненный цикл ИИ</kwd></kwd-group><kwd-group xml:lang="en"><kwd>artificial intelligence</kwd><kwd>AI model training</kwd><kwd>data protection law</kwd><kwd>data minimization</kwd><kwd>proportionality of safeguards</kwd><kwd>GDPR</kwd><kwd>AI Act</kwd><kwd>compliance</kwd><kwd>AI life cycle</kwd></kwd-group></article-meta></front><back><ref-list><title>References</title><ref id="cit1"><label>1</label><citation-alternatives><mixed-citation xml:lang="ru">Arasteh, S. T., Ziller, A., Kuhl, C., Makowski, M. R., Nebelung, S., Braren, R. F., Rueckert, D., Truhn, D., &amp; Kaissis, G. (2024). Preserving fairness and diagnostic accuracy in private large-scale AI models for medical imaging. Communications Medicine, (4), Article 46 (2024). https://doi.org/10.1038/s43856-024-00462-6</mixed-citation><mixed-citation xml:lang="en">Arasteh, S. T., Ziller, A., Kuhl, C., Makowski, M. R., Nebelung, S., Braren, R. F., Rueckert, D., Truhn, D., &amp; Kaissis, G. (2024). Preserving fairness and diagnostic accuracy in private large-scale AI models for medical imaging. Communications Medicine, (4), Article 46 (2024). https://doi.org/10.1038/s43856-024-00462-6</mixed-citation></citation-alternatives></ref><ref id="cit2"><label>2</label><citation-alternatives><mixed-citation xml:lang="ru">Basdekis, I., Kloukinas, C., Agostinho, C., Vezakis, I., Pimenta, A., Gallo, L., &amp; Spanoudakis, G. (2023). Pseudonymisation in the context of GDPR-compliant medical research. In 2023 19th International Conference on the Design of Reliable Communication Networks (DRCN) (pp. 1–6). IEEE. https://doi.org/10.1109/DRCN57075.2023.10108370</mixed-citation><mixed-citation xml:lang="en">Basdekis, I., Kloukinas, C., Agostinho, C., Vezakis, I., Pimenta, A., Gallo, L., &amp; Spanoudakis, G. (2023). Pseudonymisation in the context of GDPR-compliant medical research. In 2023 19th International Conference on the Design of Reliable Communication Networks (DRCN) (pp. 1–6). IEEE. https://doi.org/10.1109/DRCN57075.2023.10108370</mixed-citation></citation-alternatives></ref><ref id="cit3"><label>3</label><citation-alternatives><mixed-citation xml:lang="ru">De Hert, P., &amp; Hajduk, P. (2024). EU cross-regime enforcement, redundancy and interdependence: Addressing overlap of enforcement structures in the digital sphere after Meta. Technology and Regulation, 2024, 291–308. https://doi.org/10.71265/fydwsg59</mixed-citation><mixed-citation xml:lang="en">De Hert, P., &amp; Hajduk, P. (2024). EU cross-regime enforcement, redundancy and interdependence: Addressing overlap of enforcement structures in the digital sphere after Meta. Technology and Regulation, 2024, 291–308. https://doi.org/10.71265/fydwsg59</mixed-citation></citation-alternatives></ref><ref id="cit4"><label>4</label><citation-alternatives><mixed-citation xml:lang="ru">De Silva, D., &amp; Alahakoon, D. (2022). An artificial intelligence life cycle: From conception to production. Patterns, 3(6), Article 100489. https://doi.org/10.1016/j.patter.2022.100489</mixed-citation><mixed-citation xml:lang="en">De Silva, D., &amp; Alahakoon, D. (2022). An artificial intelligence life cycle: From conception to production. Patterns, 3(6), Article 100489. https://doi.org/10.1016/j.patter.2022.100489</mixed-citation></citation-alternatives></ref><ref id="cit5"><label>5</label><citation-alternatives><mixed-citation xml:lang="ru">Dwork, C., McSherry, F., Nissim, K., &amp; Smith, A. (2006). Calibrating noise to sensitivity in private data analysis. In S. Halevi &amp; T. Rabin (Eds.), Lecture notes in computer science, Vol. 3876. Theory of cryptography (pp. 265– 284). Springer. https://doi.org/10.1007/11681878_14</mixed-citation><mixed-citation xml:lang="en">Dwork, C., McSherry, F., Nissim, K., &amp; Smith, A. (2006). Calibrating noise to sensitivity in private data analysis. In S. Halevi &amp; T. Rabin (Eds.), Lecture notes in computer science, Vol. 3876. Theory of cryptography (pp. 265– 284). Springer. https://doi.org/10.1007/11681878_14</mixed-citation></citation-alternatives></ref><ref id="cit6"><label>6</label><citation-alternatives><mixed-citation xml:lang="ru">Finck, M., &amp; Biega, A. (2021). Reviving purpose limitation and data minimisation in data-driven systems. Technology and Regulation, 2021, 44–61. https://doi.org/10.26116/techreg.2021.004</mixed-citation><mixed-citation xml:lang="en">Finck, M., &amp; Biega, A. (2021). Reviving purpose limitation and data minimisation in data-driven systems. Technology and Regulation, 2021, 44–61. https://doi.org/10.26116/techreg.2021.004</mixed-citation></citation-alternatives></ref><ref id="cit7"><label>7</label><citation-alternatives><mixed-citation xml:lang="ru">Hadwick, D. (2024). Slipping through the cracks, the carve-outs for AI tax enforcement systems in the EU AI Act. European Papers: A Journal on Law and Integration, 9(3), 936–955. https://doi.org/10.15166/2499-8249/793</mixed-citation><mixed-citation xml:lang="en">Hadwick, D. (2024). Slipping through the cracks, the carve-outs for AI tax enforcement systems in the EU AI Act. European Papers: A Journal on Law and Integration, 9(3), 936–955. https://doi.org/10.15166/2499-8249/793</mixed-citation></citation-alternatives></ref><ref id="cit8"><label>8</label><citation-alternatives><mixed-citation xml:lang="ru">Haripriya, R., Khare, N., &amp; Pandey, M. (2025). Privacy-preserving federated learning for collaborative medical data mining in multi-institutional settings. Scientific Reports, (15), Article 12482 (2025). https://doi.org/10.1038/s41598-025-97565-4</mixed-citation><mixed-citation xml:lang="en">Haripriya, R., Khare, N., &amp; Pandey, M. (2025). Privacy-preserving federated learning for collaborative medical data mining in multi-institutional settings. Scientific Reports, (15), Article 12482 (2025). https://doi.org/10.1038/s41598-025-97565-4</mixed-citation></citation-alternatives></ref><ref id="cit9"><label>9</label><citation-alternatives><mixed-citation xml:lang="ru">Kaminski, M. E., &amp; Malgieri, G. (2025). Impacted stakeholder participation in AI and data governance. Yale Journal of Law &amp; Technology, 27(1), 247–326.</mixed-citation><mixed-citation xml:lang="en">Kaminski, M. E., &amp; Malgieri, G. (2025). Impacted stakeholder participation in AI and data governance. Yale Journal of Law &amp; Technology, 27(1), 247–326.</mixed-citation></citation-alternatives></ref><ref id="cit10"><label>10</label><citation-alternatives><mixed-citation xml:lang="ru">Kindt, E. J. (2025). EU biometric data regulation: Part 2: The AI Act. IEEE Biometrics Council Newsletter, 54, 30–41.</mixed-citation><mixed-citation xml:lang="en">Kindt, E. J. (2025). EU biometric data regulation: Part 2: The AI Act. IEEE Biometrics Council Newsletter, 54, 30–41.</mixed-citation></citation-alternatives></ref><ref id="cit11"><label>11</label><citation-alternatives><mixed-citation xml:lang="ru">Laato, S., Birkstedt, T., Mäntymäki, M., Minkkinen, M., &amp; Mikkonen, T. (2022). AI governance in the system development life cycle: Insights on responsible machine learning engineering. In Proceedings of the 1st International Conference on AI Engineering: Software Engineering for AI (pp. 113–123). ACM. https://doi.org/10.1145/3522664.3528598</mixed-citation><mixed-citation xml:lang="en">Laato, S., Birkstedt, T., Mäntymäki, M., Minkkinen, M., &amp; Mikkonen, T. (2022). AI governance in the system development life cycle: Insights on responsible machine learning engineering. In Proceedings of the 1st International Conference on AI Engineering: Software Engineering for AI (pp. 113–123). ACM. https://doi.org/10.1145/3522664.3528598</mixed-citation></citation-alternatives></ref><ref id="cit12"><label>12</label><citation-alternatives><mixed-citation xml:lang="ru">Liu, W., Zhang, y., yang, H., &amp; Meng, Q. (2024). A survey on differential privacy for medical data analysis. Annals of Data Science, 11, 733–747. https://doi.org/10.1007/s40745-023-00475-3</mixed-citation><mixed-citation xml:lang="en">Liu, W., Zhang, y., yang, H., &amp; Meng, Q. (2024). A survey on differential privacy for medical data analysis. Annals of Data Science, 11, 733–747. https://doi.org/10.1007/s40745-023-00475-3</mixed-citation></citation-alternatives></ref><ref id="cit13"><label>13</label><citation-alternatives><mixed-citation xml:lang="ru">Malgieri, G., &amp; Santos, C. (2025). Assessing the (severity of) impacts on fundamental rights. Computer Law &amp; Security Review, 56, Article 106113. https://doi.org/10.1016/j.clsr.2025.106113</mixed-citation><mixed-citation xml:lang="en">Malgieri, G., &amp; Santos, C. (2025). Assessing the (severity of) impacts on fundamental rights. Computer Law &amp; Security Review, 56, Article 106113. https://doi.org/10.1016/j.clsr.2025.106113</mixed-citation></citation-alternatives></ref><ref id="cit14"><label>14</label><citation-alternatives><mixed-citation xml:lang="ru">Mantelero, A. (2024). The Fundamental Rights Impact Assessment (FRIA) in the AI Act: Roots, legal obligations and key elements for a model template. Computer Law &amp; Security Review, 54, Article 106020. https://doi.org/10.1016/j.clsr.2024.106020</mixed-citation><mixed-citation xml:lang="en">Mantelero, A. (2024). The Fundamental Rights Impact Assessment (FRIA) in the AI Act: Roots, legal obligations and key elements for a model template. Computer Law &amp; Security Review, 54, Article 106020. https://doi.org/10.1016/j.clsr.2024.106020</mixed-citation></citation-alternatives></ref><ref id="cit15"><label>15</label><citation-alternatives><mixed-citation xml:lang="ru">Menges, F., Latzo, T., Vielberth, M., Sobola, S., Pöhls, H. C., Taubmann, B., Köstler, J., Puchta, A., Freiling, F., Reiser, H. P., &amp; Pernul, G. (2021). Towards GDPR-compliant data processing in modern SIEM systems. Computers &amp; Security, 103, Article 102165. https://doi.org/10.1016/j.cose.2020.102165</mixed-citation><mixed-citation xml:lang="en">Menges, F., Latzo, T., Vielberth, M., Sobola, S., Pöhls, H. C., Taubmann, B., Köstler, J., Puchta, A., Freiling, F., Reiser, H. P., &amp; Pernul, G. (2021). Towards GDPR-compliant data processing in modern SIEM systems. Computers &amp; Security, 103, Article 102165. https://doi.org/10.1016/j.cose.2020.102165</mixed-citation></citation-alternatives></ref><ref id="cit16"><label>16</label><citation-alternatives><mixed-citation xml:lang="ru">Novelli, C., Casolari, F., Hacker, P., Spedicato, G., &amp; Floridi, L. (2024a). Generative AI in EU Law: Liability, privacy, intellectual property, and cybersecurity. Computer Law &amp; Security Review, 55, Article 106066. https://doi.org/10.1016/j.clsr.2024.106066</mixed-citation><mixed-citation xml:lang="en">Novelli, C., Casolari, F., Hacker, P., Spedicato, G., &amp; Floridi, L. (2024a). Generative AI in EU Law: Liability, privacy, intellectual property, and cybersecurity. Computer Law &amp; Security Review, 55, Article 106066. https://doi.org/10.1016/j.clsr.2024.106066</mixed-citation></citation-alternatives></ref><ref id="cit17"><label>17</label><citation-alternatives><mixed-citation xml:lang="ru">Novelli, C., Casolari, F., Rotolo, A., Taddeo, M., &amp; Floridi, L. (2024b). AI risk assessment: A scenario-based, proportional methodology for the AI Act. Digital Society, 3, Article 13. https://doi.org/10.1007/s44206-024-00095-1</mixed-citation><mixed-citation xml:lang="en">Novelli, C., Casolari, F., Rotolo, A., Taddeo, M., &amp; Floridi, L. (2024b). AI risk assessment: A scenario-based, proportional methodology for the AI Act. Digital Society, 3, Article 13. https://doi.org/10.1007/s44206-024-00095-1</mixed-citation></citation-alternatives></ref><ref id="cit18"><label>18</label><citation-alternatives><mixed-citation xml:lang="ru">Paullada, A., Raji, I. D., Bender, E. M., Denton, E., &amp; Hanna, A. (2021). Data and its (dis)contents: A survey of dataset development and use in machine learning research. Patterns, 2(11), Article 100336. https://doi.org/10.1016/j.patter.2021.100336</mixed-citation><mixed-citation xml:lang="en">Paullada, A., Raji, I. D., Bender, E. M., Denton, E., &amp; Hanna, A. (2021). Data and its (dis)contents: A survey of dataset development and use in machine learning research. Patterns, 2(11), Article 100336. https://doi.org/10.1016/j.patter.2021.100336</mixed-citation></citation-alternatives></ref><ref id="cit19"><label>19</label><citation-alternatives><mixed-citation xml:lang="ru">Rocks, J. W., &amp; Mehta, P. (2022). Memorizing without overfitting: Bias, variance, and interpolation in over-parameterized models. Physical Review Research, 4(1), Article 013201. https://doi.org/10.1103/PhysRevResearch.4.013201</mixed-citation><mixed-citation xml:lang="en">Rocks, J. W., &amp; Mehta, P. (2022). Memorizing without overfitting: Bias, variance, and interpolation in over-parameterized models. Physical Review Research, 4(1), Article 013201. https://doi.org/10.1103/PhysRevResearch.4.013201</mixed-citation></citation-alternatives></ref><ref id="cit20"><label>20</label><citation-alternatives><mixed-citation xml:lang="ru">Slijepčević, D., Henzl, M., Klausner, L. D., Dam, T., Kieseberg, P., &amp; Zeppelzauer, M. (2021). k-Anonymity in practice: How generalisation and suppression affect machine learning classifiers. Computers &amp; Security, 111, Article 102488. https://doi.org/10.1016/j.cose.2021.102488</mixed-citation><mixed-citation xml:lang="en">Slijepčević, D., Henzl, M., Klausner, L. D., Dam, T., Kieseberg, P., &amp; Zeppelzauer, M. (2021). k-Anonymity in practice: How generalisation and suppression affect machine learning classifiers. Computers &amp; Security, 111, Article 102488. https://doi.org/10.1016/j.cose.2021.102488</mixed-citation></citation-alternatives></ref><ref id="cit21"><label>21</label><citation-alternatives><mixed-citation xml:lang="ru">Sovrano, F., Hine, E., &amp; Anzolut, S. (2025). Simplifying software compliance: AI technologies in drafting technical documentation for the AI Act. Empirical Software Engineering, 30, Article 91. https://doi.org/10.1007/s10664-025-10645-x</mixed-citation><mixed-citation xml:lang="en">Sovrano, F., Hine, E., &amp; Anzolut, S. (2025). Simplifying software compliance: AI technologies in drafting technical documentation for the AI Act. Empirical Software Engineering, 30, Article 91. https://doi.org/10.1007/s10664-025-10645-x</mixed-citation></citation-alternatives></ref><ref id="cit22"><label>22</label><citation-alternatives><mixed-citation xml:lang="ru">Söderlund, K., &amp; Larsson, S. (2024). Enforcement Design Patterns in EU Law: An Analysis of the AI Act. Digital Society, 3, Article 41. https://doi.org/10.1007/s44206-024-00129-8</mixed-citation><mixed-citation xml:lang="en">Söderlund, K., &amp; Larsson, S. (2024). Enforcement Design Patterns in EU Law: An Analysis of the AI Act. Digital Society, 3, Article 41. https://doi.org/10.1007/s44206-024-00129-8</mixed-citation></citation-alternatives></ref><ref id="cit23"><label>23</label><citation-alternatives><mixed-citation xml:lang="ru">Van Bekkum, M. (2025). Using sensitive data to de-bias AI systems: Article 10(5) of the EU AI Act. Computer Law &amp; Security Review, 56, Article 106115. https://doi.org/10.1016/j.clsr.2025.106115</mixed-citation><mixed-citation xml:lang="en">Van Bekkum, M. (2025). Using sensitive data to de-bias AI systems: Article 10(5) of the EU AI Act. Computer Law &amp; Security Review, 56, Article 106115. https://doi.org/10.1016/j.clsr.2025.106115</mixed-citation></citation-alternatives></ref><ref id="cit24"><label>24</label><citation-alternatives><mixed-citation xml:lang="ru">Van Bekkum, M., &amp; Zuiderveen Borgesius, F. (2023). Using sensitive data to prevent discrimination by artificial intelligence: Does the GDPR need a new exception? Computer Law &amp; Security Review, 48, Article 105770. https://doi.org/10.1016/j.clsr.2022.105770</mixed-citation><mixed-citation xml:lang="en">Van Bekkum, M., &amp; Zuiderveen Borgesius, F. (2023). Using sensitive data to prevent discrimination by artificial intelligence: Does the GDPR need a new exception? Computer Law &amp; Security Review, 48, Article 105770. https://doi.org/10.1016/j.clsr.2022.105770</mixed-citation></citation-alternatives></ref><ref id="cit25"><label>25</label><citation-alternatives><mixed-citation xml:lang="ru">Veltmeijer, E., &amp; Gerritsen, C. (2025). Legal and ethical implications of AI-based crowd analysis: The AI Act and beyond. AI and Ethics, 5, 3173–3183. https://doi.org/10.1007/s43681-024-00644-x</mixed-citation><mixed-citation xml:lang="en">Veltmeijer, E., &amp; Gerritsen, C. (2025). Legal and ethical implications of AI-based crowd analysis: The AI Act and beyond. AI and Ethics, 5, 3173–3183. https://doi.org/10.1007/s43681-024-00644-x</mixed-citation></citation-alternatives></ref><ref id="cit26"><label>26</label><citation-alternatives><mixed-citation xml:lang="ru">Wang, L., Liu, Z., Liu, A., &amp; Tao, F. (2021). Artificial intelligence in product lifecycle management. The International Journal of Advanced Manufacturing Technology, 114, 771–796. https://doi.org/10.1007/s00170-021-06882-1</mixed-citation><mixed-citation xml:lang="en">Wang, L., Liu, Z., Liu, A., &amp; Tao, F. (2021). Artificial intelligence in product lifecycle management. The International Journal of Advanced Manufacturing Technology, 114, 771–796. https://doi.org/10.1007/s00170-021-06882-1</mixed-citation></citation-alternatives></ref><ref id="cit27"><label>27</label><citation-alternatives><mixed-citation xml:lang="ru">Winau, M. (2023). On the lack of substantive balancing and coordinated legal concretisation in the European Commission’s proposal for a regulation on AI. European Data Protection Law Review, 9(2), 123–135. https://doi.org/10.21552/edpl/2023/2/7</mixed-citation><mixed-citation xml:lang="en">Winau, M. (2023). On the lack of substantive balancing and coordinated legal concretisation in the European Commission’s proposal for a regulation on AI. European Data Protection Law Review, 9(2), 123–135. https://doi.org/10.21552/edpl/2023/2/7</mixed-citation></citation-alternatives></ref></ref-list><fn-group><fn fn-type="conflict"><p>The authors declare that there are no conflicts of interest present.</p></fn></fn-group></back></article>
