Politiscope Panel Debate on GDPR and the AI Act (SEEDIG 8)

Politiscope co-organized the SEEDIG8 Conference, held on 6–7 November 2023 in Zagreb (WESPA Business & Lounge) under the overarching theme “Digital Beyond Borders: Regional Synergy for Community Advancement.” SEEDIG (South Eastern European Dialogue on Internet Governance) is a regional initiative under auspices of the UN Internet Governance Forum (IGF).

The conference opened with addresses from representatives of multiple stakeholders, including the UN IGF Secretariat, the Croatian Ombudsperson, ICANN, and others. On behalf of the co-organizers, Duje Prkut (Politiscope) delivered the opening remarks.

Over two days, the program featured 4 panel discussions, 2 workshops, 6 lightning talks, and 1 open debate, with 74 participants onsite, and 272 and 126 online viewers on the first and second days respectively. The event gathered representatives from civil society, the private sector, public authorities, and the academic community.

Politiscope organized the panel “The Interplay of GDPR and the EU AI Act”, focusing on the practical alignment of these two regulatory frameworks. The session was moderated by Duje Kozomara (Politiscope), with speakers Darja Lončar (Rimac Group), Stefan Martinić, Anamarija Mladinić (Croatian Personal Data Protection Agency – AZOP), and Danijela Perica (Infobip).

The panel emphasized that the risk-based approach introduced by the AI Act builds upon the existing regulatory foundations established by the GDPR. It particularly highlighted the need for clearly defined roles and responsibilities, as well as transparency and accountable compliance, especially in the context of integrating generative models such as ChatGPT into third-party products and services. The temporary ban of ChatGPT in Italy due to GDPR violations was cited as an illustrative example.

Panelists also discussed issues such as data subjects’ rights, legal bases for lawful data processing in AI-driven systems, and the challenges of biometric surveillance. The discussion further underlined the limited capacities of data protection authorities, as confirmed by a report from the EU Agency for Fundamental Rights (FRA). The session concluded that a more centralized and systematic approach to data protection in AI projects is essential—one grounded in the principles of privacy by design, data minimization, and human oversight.