Germany: Published HmbBfDI position on nexus between the General Data Protection Regulation and Large Language Models

On 15 July 2024, the Hamburg Commissioner for Data Protection and Freedom of Information (HmbBfDI) published a discussion paper on the relationship between the General Data Protection Regulation (GDPR) and Large Language Models (LLMs). The paper provides a detailed explanation of the technical aspects of LLMs to support companies and authorities in handling data protection issues on LLMs. The paper outlines that storing an LLM does not count as processing under GDPR since no personal data is stored, however, information, deletion, or correction regarding AI system inputs and outputs can be sought from providers or operators. The paper also states that LLMs with personal data must follow data protection rules, but violations during training do not affect the legality of using the model in an AI system.