TrustReady.eu
AI Digital Humans in the EU: GDPR and AI Act Compliance Guide
Tags: GDPR, EU AI Act, EDPB


Navigate EU compliance for AI digital humans. Learn to manage GDPR data processing, AI Act transparency, synthetic content labelling, and DPIA requirements today.

Junzhe Dai·2026-05-13

Key Takeaways

  • AI digital humans projects should assess the lawful basis under GDPR Art. 6 separately for each relevant processing purpose, including avatar creation, model training, optimization and user interaction.
  • Article 50 of the AI Act creates separate transparency obligations for interactive AI systems, synthetic content generated or manipulated by AI systems, deepfakes and certain AI-generated text made available to the public.
  • Processing biometric data, emotion-related signals or data from vulnerable users is likely to require a Data Protection Impact Assessment (DPIA) where the processing may result in a high risk to individuals, especially in large-scale, systematic or sensitive deployment scenarios.
  • The AI Act's AI literacy obligation (Art. 4) requires providers and deployers to take measures to ensure that staff operating digital human systems have a sufficient understanding of the technology, its risks and the applicable legal obligations.

What Types of Personal Data May Be Processed When Deploying AI Digital Humans?

AI digital human compliance begins with a clear mapping of data flows. Unlike traditional software, AI avatars process personal data across a multi-stage lifecycle, from the initial capture of a human subject to the iterative refinement of the underlying model. Under General Data Protection Regulation (GDPR) Article 4(1), 'personal data' encompasses any information relating to an identified or identifiable natural person. In the context of digital humans, this definition is broad, covering everything from high-resolution video of an actor to the subtle behavioral patterns of an end-user interacting with the avatar.

1.1 Creation Stage of the Digital Human

The creation stage involves capturing the physical and vocal attributes of a real person (often an actor or spokesperson). This process typically involves the collection of 'raw' data—high-definition video, 3D mesh scans and voice recordings. These are usually personal data under GDPR Article 4(1). If the intent is to create a unique identifier for the person (e.g., a biometric template used to generate the avatar's movements), this may involve the processing of special categories of data under GDPR Article 9.

1.2 Training and Optimisation Stage

Once the base model is created, it must be trained to respond realistically. This 'optimisation' stage often utilizes large datasets that may include the personal data of the original subject or thousands of third parties. Providers must ensure that data used for training is processed according to the principles of data minimisation (GDPR Article 5(1)(c)) and purpose limitation (GDPR Article 5(1)(b)). Even if the data is pseudonymised, it remains within the scope of GDPR if the subjects are still indirectly identifiable.

1.3 Operation and User Interaction Stage

During deployment, the AI digital human processes 'interaction data.' This includes the user’s voice inputs, text queries and potentially their facial expressions if the system uses a camera to modulate its response. Under GDPR Article 13 and 14, users must be informed about what data is being collected and for what specific purposes—such as sentiment analysis or service improvement. This stage is critical for AI digital human compliance, as it involves real-time processing of user behavior.

1.4 Distinguishing Ordinary Personal Data, Special Categories of Personal Data and Biometric Data

Providers should also distinguish between ordinary personal data, biometric data and special categories of personal data. Images, videos and voice recordings will usually be personal data where the person is identifiable, but they do not automatically constitute special-category data under GDPR Art. 9. Biometric data becomes subject to Art. 9 where it is processed for the purpose of uniquely identifying a natural person. If the system analyses facial expressions, voice tone or other signals to infer emotions or intentions, the provider should also assess whether the prohibition on emotion recognition in the workplace and in education (AI Act Art. 5(1)(f)) applies and, where it does not, whether the system falls under the high-risk classification for emotion recognition systems (Annex III) and the deployer's duty to inform exposed persons (Art. 50(3)).

Confirming the Lawfulness of Data Processing

Every processing activity involving an AI digital human must have a valid legal basis under GDPR Article 6. A common mistake is to rely on a single 'catch-all' consent for all stages of the lifecycle. Instead, companies must assess the lawful basis separately for digital human modelling, voice cloning, and subsequent model optimisation.

2.1 Authorisation for the Use of Real Persons’ Images and Voices

For the individuals whose likenesses are used to create the digital human, consent under GDPR Article 6(1)(a) is often the most practical lawful basis, and where biometric templates for unique identification are created, explicit consent under Article 9(2)(a) is additionally required. This consent must be specific, informed and freely given. The accompanying contract should clearly define the scope of use (channels, territories, duration, permitted modifications) so that later deployments do not exceed the granted authorisation.

2.2 Can Employee Images and Voices Be Used Directly?

Using employees as the basis for digital humans requires particular caution. European Data Protection Authorities and the European Data Protection Board generally consider consent in employment relationships difficult to rely on, because the imbalance of power between employer and employee may prevent consent from being 'freely given'. If a company uses an employee's likeness, it must demonstrate that there are no negative consequences for refusing and that the processing is truly necessary.

2.3 Can User Interaction Data Be Used for Training and Optimisation?

Using user data to 'train' or 'fine-tune' the avatar's performance may require consent or another robust legal basis, depending on the data and use case. While some providers argue 'legitimate interest' (GDPR Article 6(1)(f)), regulators often expect consent for training on user-generated content, especially if the interaction involves sensitive topics. Transparency is key: users must know if their data is being used to improve the vendor's general models, and a legitimate-interest claim must be documented in a balancing test that the controller can produce on request.

Improving Transparency, Consent and Labelling Mechanisms

Transparency is a core requirement under both GDPR and the AI Act. AI digital human compliance requires a 'privacy by design' approach (GDPR Article 25) to reduce the risk that users are misled into thinking they are interacting with a real person.

3.1 Transparency and Consent for the Replicated Person

The person being replicated must be provided with detailed information under GDPR Articles 13 or 14, including the duration of data storage and their right to withdraw consent at any time. If the system is used to make automated decisions about individuals that produce legal or similarly significant effects, GDPR Art. 22 should also be assessed.

3.2 Transparency and Consent for Users

Users interacting with the avatar must be notified at the start of the session. This notification should cover the identity of the controller, the purposes of data processing and the existence of any AI-driven behavioral analysis.

3.3 AI Act Requirements on AI Interaction Notices and Synthetic Content Labelling

Article 50(1) of the AI Act requires providers of AI systems intended to interact directly with natural persons to design and develop them so that the persons concerned are informed that they are interacting with an AI system, unless this is obvious from the circumstances. Article 50(2) requires providers of systems that generate synthetic audio, image, video or text content to ensure that the output is marked in a machine-readable format and detectable as artificially generated or manipulated; the technical solution must be effective, interoperable, robust and reliable as far as technically feasible. Recital 133 names watermarks, metadata identifications, cryptographic methods for proving provenance, logging and fingerprints as candidate techniques. In practice this means the avatar's rendered output must carry an embedded, verifiable marker, and a marker that lives only in file metadata should be backed by a watermark, because metadata is lost on re-encoding, cropping or screen recording. Separately, Article 50(4) obliges deployers who publish deepfakes to disclose that the content has been artificially generated or manipulated.
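To make the 'machine-readable marking' concrete, the following is an added, self-contained Python illustration (not code from the original article, and not a format prescribed by the AI Act): it embeds an HMAC-signed JSON manifest stating that an image was AI-generated in a PNG tEXt chunk, verifies it, and then shows that stripping metadata removes the marker entirely. The chunk keyword, manifest fields and HMAC key are assumptions chosen for the example; a real deployment would use an interoperable standard such as C2PA content credentials with asymmetric signatures, plus a watermark that survives re-encoding.

```python
"""Toy synthetic-content marker for PNG files (illustration only, not a standard).

Assumptions (hypothetical, not from the AI Act or any standard):
  - marker keyword "AISyntheticContent" in a PNG tEXt chunk placed after IHDR
  - manifest integrity protected by HMAC-SHA256 under a provider-held key
"""
import hashlib
import hmac
import json
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
MARKER_KEYWORD = b"AISyntheticContent"  # hypothetical keyword for this example


def _chunk(ctype: bytes, data: bytes) -> bytes:
    """Serialise one PNG chunk: length, type, data, CRC32 over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def iter_chunks(png: bytes):
    """Yield (type, data) for every chunk, checking the signature and each CRC."""
    if not png.startswith(PNG_SIG):
        raise ValueError("not a PNG file")
    pos = len(PNG_SIG)
    while pos < len(png):
        length, ctype = struct.unpack(">I4s", png[pos:pos + 8])
        data = png[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", png[pos + 8 + length:pos + 12 + length])
        if zlib.crc32(ctype + data) & 0xFFFFFFFF != crc:
            raise ValueError(f"CRC mismatch in {ctype!r} chunk")
        yield ctype, data
        pos += 12 + length


def make_blank_png(width: int = 2, height: int = 2) -> bytes:
    """Constructed sample input: a tiny opaque grey RGB PNG so the example runs offline."""
    rows = b"".join(b"\x00" + b"\x80\x80\x80" * width for _ in range(height))
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    return (PNG_SIG + _chunk(b"IHDR", ihdr)
            + _chunk(b"IDAT", zlib.compress(rows)) + _chunk(b"IEND", b""))


def mark_synthetic(png: bytes, key: bytes, manifest: dict) -> bytes:
    """Return a copy of `png` with a signed synthetic-content manifest after IHDR."""
    body = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    payload = MARKER_KEYWORD + b"\x00" + body + b"|" + tag  # tEXt: keyword NUL text
    out = bytearray(PNG_SIG)
    for ctype, data in iter_chunks(png):
        out += _chunk(ctype, data)
        if ctype == b"IHDR":
            out += _chunk(b"tEXt", payload)
    return bytes(out)


def read_marker(png: bytes, key: bytes):
    """Return (manifest, signature_valid), or None if no marker chunk is present."""
    prefix = MARKER_KEYWORD + b"\x00"
    for ctype, data in iter_chunks(png):
        if ctype == b"tEXt" and data.startswith(prefix):
            body, _, tag = data[len(prefix):].rpartition(b"|")
            expected = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
            return json.loads(body), hmac.compare_digest(expected, tag)
    return None


def strip_text_chunks(png: bytes) -> bytes:
    """Simulate a metadata-stripping re-encoder: drop every tEXt chunk."""
    out = bytearray(PNG_SIG)
    for ctype, data in iter_chunks(png):
        if ctype != b"tEXt":
            out += _chunk(ctype, data)
    return bytes(out)


if __name__ == "__main__":
    key = b"provider-marking-key"  # constructed demo key, never hard-code in production
    manifest = {"generated_by_ai": True, "system": "avatar-renderer-demo", "version": 1}
    marked = mark_synthetic(make_blank_png(), key, manifest)
    print("marked:  ", read_marker(marked, key))
    print("wrong key:", read_marker(marked, b"other-key"))
    print("stripped: ", read_marker(strip_text_chunks(marked), key))
```

The last line of the demo is the caveat a practitioner should take away: a metadata-only marker is trivially removed by any pipeline that re-encodes the image, which is why Article 50(2)'s robustness requirement pushes providers towards combining metadata provenance with an in-content watermark.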

3.4 Typical Deployment Scenarios

In marketing, Article 50 may be relevant where a campaign uses interactive AI agents, synthetic presenters, deepfake-style image/audio/video content, or AI-generated public-facing text. In customer support, the interaction notice is mandatory. In every scenario, providers and deployers must also ensure 'AI Literacy' among their staff (AI Act Article 4), ensuring that employees can explain the system's nature to concerned users.

Conducting Data Protection Impact Assessments for High-Risk Scenarios

A Data Protection Impact Assessment (DPIA) for AI systems is mandatory under GDPR Article 35(1) whenever processing is likely to result in a high risk to individuals. For digital humans, high-risk triggers include: (1) processing biometric data for unique identification, (2) interacting with vulnerable populations like children (see the Italian Garante’s ban on Replika), or (3) using the avatar for automated evaluation in HR or education. The DPIA must describe the processing, assess the necessity and proportionality, and document the measures taken to mitigate risks (GDPR Article 35(7)). Failure to conduct a DPIA when required is a direct violation of GDPR Article 35.

Clarifying Responsibilities Between the Company and Its Vendors

The AI avatar vendor responsibility model is complex. Responsibilities must be clearly allocated between the 'Provider' (the actor that develops an AI system, or has one developed, and places it on the market or puts it into service under its own name or trademark) and the 'Deployer' (the actor using the system under its own authority) to ensure compliance with both the AI Act and GDPR.

5.1 Common Cooperation Models Between Companies

Most companies use a SaaS model for digital humans. In typical situations the customer may act as the 'Deployer' under the AI Act and the 'Controller' under GDPR, while the vendor may act as the 'Provider' and the 'Processor.' However, if the vendor uses customer data for its own model improvement or analytics purposes, it may act as an independent controller or, in some cases, a joint controller.

5.2 Distinguishing Controllers, Processors and Joint Controllers

Under GDPR Article 4(7) and 4(8), the distinction depends on who determines the 'purposes and means' of processing. If a SaaS vendor uses client data to improve its own global models, it may be acting as a Controller for that purpose, potentially leading to a 'Joint Controller' relationship (GDPR Article 26), which requires a specific arrangement defining the parties' respective responsibilities.

5.3 Key Contractual Issues to Address

A robust Data Processing Agreement (DPA) under GDPR Article 28 is mandatory. It must include: (1) appropriate technical and organisational measures (GDPR Article 32), (2) assistance with DPIAs and DSARs, and (3) clear rules on sub-processors and international data transfers (GDPR Chapter V). For the AI Act, the contract should specify who is responsible for the machine-readable labelling required by Article 50(2).

Conclusion

Deploying AI digital humans in the EU requires a dual-track compliance strategy. Companies must adhere to the established principles of GDPR—focusing on lawfulness (Art. 6), transparency (Art. 13), and risk assessment (Art. 35)—while simultaneously preparing for the specific transparency and synthetic content requirements of the AI Act (Art. 50). By conducting a thorough DPIA and clearly defining vendor responsibilities in DPAs, companies can leverage digital human technology while reducing GDPR and AI Act compliance risks.

About the author

Junzhe Dai

Junzhe Dai is a PhD candidate at the Faculty of Law, Humboldt University of Berlin. His research focuses on data market regulation, data protection law, and AI governance, with particular interest in the GDPR, the AI Act, the Data Act, and comparative analyses of EU and Chinese digital regulatory frameworks.
