Article 10: Data and Data Governance
Article 10
Data and Data Governance
Updated on 31 July 2024 based on the version published in the Official Journal of the EU dated 12 July 2024 and entered into force on 1 August 2024.
1. High-risk AI systems which make use of techniques involving the training of AI models with data shall be developed on the basis of training, validation and testing data sets that meet the quality criteria referred to in paragraphs 2 to 5 whenever such data sets are used.
2. Training, validation and testing data sets shall be subject to data governance and management practices appropriate for the intended purpose of the high-risk AI system. Those practices shall concern in particular:
- the relevant design choices;
- data collection processes and the origin of data, and in the case of personal data, the original purpose of the data collection;
- relevant data-preparation processing operations, such as annotation, labelling, cleaning, updating, enrichment and aggregation;
- the formulation of assumptions, in particular with respect to the information that the data are supposed to measure and represent;
- an assessment of the availability, quantity and suitability of the data sets that are needed;
- examination in view of possible biases that are likely to affect the health and safety of persons, have a negative impact on fundamental rights or lead to discrimination prohibited under Union law, especially where data outputs influence inputs for future operations;
- appropriate measures to detect, prevent and mitigate possible biases identified according to point (f);
- the identification of relevant data gaps or shortcomings that prevent compliance with this Regulation, and how those gaps and shortcomings can be addressed.
- the bias detection and correction cannot be effectively fulfilled by processing other data, including synthetic or anonymised data;
- the special categories of personal data are subject to technical limitations on the re-use of the personal data, and state-of-the-art security and privacy-preserving measures, including pseudonymisation;
- the special categories of personal data are subject to measures to ensure that the personal data processed are secured, protected, subject to suitable safeguards, including strict controls and documentation of the access, to avoid misuse and ensure that only authorised persons have access to those personal data with appropriate confidentiality obligations;
- the special categories of personal data are not to be transmitted, transferred or otherwise accessed by other parties;
- the special categories of personal data are deleted once the bias has been corrected or the personal data has reached the end of its retention period, whichever comes first;
- the records of processing activities pursuant to Regulations (EU) 2016/679 and (EU) 2018/1725 and Directive (EU) 2016/680 include the reasons why the processing of special categories of personal data was strictly necessary to detect and correct biases, and why that objective could not be achieved by processing other data.
Table of Contents
[articleloop_all]