FAQ – Compliance, Cookies & Data

The AI Act is marketed in a dedicated or complementary module of the Privacy offerings. Depending on the number of employees in your company, the subscription amount will vary. Please consult our pricing page or contact us to learn more.

The approach to AI systems is based on a risk assessment. The regulatory framework defines four categories of risk for artificial intelligence systems (AIS), with varying levels of regulation depending on the different levels of the pyramid.

• Unacceptable risks
• High risks
• Limited/Moderate risks
• Minimal or no risks

The AI Act aims to create a harmonized legal framework in the EU to ensure that artificial intelligence systems are safe, transparent, ethical, and respect fundamental rights. More specifically, it has the following objectives:

• Protect citizens against the use of AI deemed dangerous or intrusive (e.g., mass surveillance, behavioral manipulation)
• Regulate high-risk systems with strict obligations for transparency, human oversight, data quality, and documentation
• Promote trustworthy innovation by providing a clear framework for AI developers and companies
• Enhance public and professional user trust in AI

The AI Act, or Regulation on Artificial Intelligence, is a regulation developed to regulate and encourage the development as well as the marketing of artificial intelligence systems within the European Union. Proposed by the European Commission in April 2021, the AI Act came into effect on July 12, 2024, after three years of negotiations.

Distinction between AI Model and AI System

Understanding the distinction between an AI model and an AI system is important for anyone interested in artificial intelligence, whether for developing new technologies or using them.

AI models are the fundamental components that perform specific tasks, while AI systems integrate these models into complete and functional solutions to address practical needs.

By recognizing these differences, one can better appreciate the complexity and scope of AI applications in various fields.

AI Model

An AI model is a central component of artificial intelligence. It is a mathematical or statistical representation of a specific problem, developed from data.

AI models are trained to recognize patterns, make predictions, or make decisions based on data.

The most common types of AI models include neural networks, decision trees, support vector machines, and regression models.

Examples of AI models include:

• Deep neural networks: Used for tasks such as image recognition or natural language processing.
• Decision trees: Used for classification and regression.
• Regression models: Used to predict continuous values.
• Linear regression: Used to predict future stock prices based on past prices and other information. Analyzes materials, machines, and time-based data to improve production processes.
• Random forest: Helps explain cases where treatments may have unintended effects or negative outcomes.
• Naive Bayes: Can predict real-time customer preferences based on their browsing behavior or purchase history.

The AI model is somewhat like the brain of AI. It is built and optimized through a training process, where it learns from historical data to improve its accuracy and efficiency.

AI System

An AI system is a broader and more complex application that integrates one or more AI models to accomplish a specific task.

It encompasses not only AI models but also the necessary components to collect, process, and analyze data, as well as interact with users.

In other words, an AI system is a complete solution that implements AI models within an operational framework.

Components of an AI system include:

• AI Models: Algorithms trained to perform predictions or analysis.
• Data Collection and Processing: Processes for gathering and preparing data for the model.
• User Interface: Means by which users interact with the system, such as web or mobile applications.
• Infrastructure: The hardware and software necessary to operate the system, such as servers and databases.

Example of an AI system includes:

• Virtual Assistant: Like Siri or Alexa, which use multiple AI models for speech recognition, natural language understanding, and generating responses, while integrating databases and user interfaces to interact with users.
• Recommendation Systems: Used by platforms like Netflix or Amazon to suggest content or products, incorporating collaborative filtering models and user data processing.

Key Differences between AI Model and AI System

1. Scale and Complexity:

   • AI Model: is a specific component focused on a precise task such as prediction or classification.
   • AI System: is a use case that integrates multiple components, including AI models, training data, to solve a problem or provide a service.

2. Components:

   • AI Model: Only includes the algorithm.
   • AI System: Includes infrastructure for deployment, user interfaces, data management, and AI models.

3. Functionality:

   • AI Model: Provides an output based on data analysis.
   • AI System: Uses this output to interact with users or other systems, often in real-time.

Register of AI Systems in Dastra

List your AI use cases and identify associated risks within Dastra.

The GDPR prohibits the collection and use of data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, as well as the processing of genetic data, biometric data allowing for the unique identification of a person, health information, or data related to an individual's sexual life or sexual orientation.

However, there are exceptions to this prohibition, including:

• If the data subject has given explicit consent, which must be free, specific, informed, and preferably in writing.
• If the information has been manifestly made public by the data subject.
• If this data is necessary for the protection of human life.
• If its use is justified by a public interest and authorized by the CNIL.
• If it concerns members or affiliates of an association or political, religious, philosophical, or trade union organization.

• Inform the data subjects clearly and accessibly about the use of their data (purpose, retention period, rights, etc.).
• Justify a legal basis for each processing (consent, contract, legitimate interest, etc.).
• Respect the rights of data subjects (access, rectification, erasure, objection, etc.).
• Ensure the security of personal data: appropriate technical and organizational measures must be implemented to protect data against risks of loss, unauthorized access, or disclosure.
• Document all processing activities in a record, especially starting from 250 employees or in the case of sensitive or non-occasional processing.
• Notify data breaches to the CNIL (or other competent authority) within 72 hours, and sometimes, to the affected data subjects.
• Frame relationships with subcontractors through formalized contracts, to ensure their compliance with GDPR requirements and clarify each party's responsibilities.

The three main principles of the general data protection regulation are:

1. Transparency, fairness, and legality: Personal data must be collected and processed in a transparent, lawful, and fair manner. This involves informing the data subjects about how their data will be used and ensuring that they provide informed consent.
2. Data minimization: Only the data necessary for the specific purpose should be collected. This principle encourages companies to limit the amount of personal data they process, thereby reducing risks to individuals' privacy.
3. Security and confidentiality: Personal data must be protected against unauthorized access, processing, or disclosure. Companies must implement technical and organizational measures to ensure the security of the personal data they process.

The consent management platform is marketed as a dedicated module. Depending on the number of visitors to your website, the subscription fee will vary. See our pricing page or contact us for more information.

A cookie banner is essential as soon as you store or access information on a user's device, regardless of the technology used. As soon as non-essential trackers are used — such as those for targeted advertising, audience measurement with identifiable data, or personalization — you must inform the user and obtain their prior consent.

Cookies can be classified into several categories:

1. strictly necessary cookies
2. performance cookies
3. functionality cookies

The ePrivacy Directive 2002/58/EC, amended in 2009, often referred to as the "Privacy and Electronic Communications Directive", is an initiative of the European Commission aimed at ensuring the confidentiality of communications and protecting users against certain intrusive practices in the digital realm. It is transposed differently in each Member State (in France, through the Data Protection Act, particularly regarding cookies and direct marketing).