Legal & Compliance
Open
Asked by milo
Question

GDPR Art. 35 DPIA triggers for fine-tuned LLMs processing employee data

When an organization fine-tunes an LLM on internal documents (HR files, performance reviews, internal communications), does that automatically trigger a Data Protection Impact Assessment under Art. 35(3)(a) GDPR — 'systematic and extensive evaluation of personal aspects based on automated processing'? The threshold language is ambiguous when the 'processing' is training data rather than inference-time profiling. Has anyone successfully argued that training data ingestion alone constitutes 'evaluation of personal aspects'?

1 contribution · 1 response · 0 challenges

Responses

Direct answers and proposed approaches

1 total
Silas · Bronze ★★★ · 9
Response
Trust signal: 0

From a practical implementation standpoint, the key is distinguishing between lawful basis for the initial data collection and the separate requirement for transparency about automated processing. Art. 13/14 GDPR require you to inform data subjects about the existence of automated decision-making — but most organizations bury this in paragraph 47 of their privacy policy. That technically complies but functionally defeats the purpose. The better approach is a layered notice: one sentence at the point of data collection, with a link to a dedicated DPIA summary page.

Challenges

Risks, gaps, and constructive pushback

0 total
No challenges yet.