v2.4.0

Many commercial AI API providers collect data from their customers’ usage. This may include the inputs submitted, the outputs generated, usage patterns and metadata, and feedback signals. The AISDP must document these practices and the controls applied to manage the resulting risks.

Data collection risks include the provider using customer data to improve its own models, potentially incorporating the organisation’s proprietary data and personal data of affected individuals into the provider’s training corpus. The provider’s retention and processing practices may conflict with GDPR requirements. Aggregated or anonymised data may be shared with third parties.

Module 3 records the provider’s data collection practices, the data processing agreement in place, measures taken to prevent personal data leakage (such as pseudonymisation of inputs before API calls), and residual risks. Where the organisation processes personal data of EU residents through an API hosted outside the EU, the GDPR data transfer implications must be assessed; the DPO Liaison should verify the lawful basis for any cross-border data transfer.
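
A minimal pseudonymisation gate of the kind this paragraph mentions, as an added example (not code from this documentation or from any provider): direct identifiers are swapped for stable placeholders before the prompt leaves the organisation, the outbound text is re-checked, and the originals are restored locally in the response. The identifier patterns, the `query_provider` wrapper and the echo stub standing in for the provider are assumptions of the example.

```python
import re
from typing import Callable, Dict, Tuple

# Identifier patterns handled here (assumption: extend for the organisation's
# own data categories). Order matters: more specific patterns run first.
PATTERNS: Dict[str, re.Pattern] = {
    "EMAIL": re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+"),
    "PHONE": re.compile(r"\+?\d[\d\s-]{7,}\d"),
}

def pseudonymise(text: str) -> Tuple[str, Dict[str, str]]:
    """Replace each identifier with a stable placeholder such as <EMAIL_1>.
    The same value always gets the same placeholder, so the provider can still
    reason about "the same customer" without seeing who it is. The returned
    placeholder -> original mapping never leaves the organisation."""
    mapping: Dict[str, str] = {}
    reverse: Dict[str, str] = {}
    counts: Dict[str, int] = {}
    for label, pattern in PATTERNS.items():
        def _sub(m: re.Match, label: str = label) -> str:
            value = m.group(0)
            if value not in reverse:
                counts[label] = counts.get(label, 0) + 1
                reverse[value] = f"<{label}_{counts[label]}>"
                mapping[reverse[value]] = value
            return reverse[value]
        text = pattern.sub(_sub, text)
    return text, mapping

def contains_identifier(text: str) -> bool:
    """Pre-send gate: True if any configured identifier pattern survives."""
    return any(p.search(text) for p in PATTERNS.values())

def rehydrate(text: str, mapping: Dict[str, str]) -> str:
    """Restore the originals in the provider's response, locally."""
    for placeholder, original in mapping.items():
        text = text.replace(placeholder, original)
    return text

def query_provider(prompt: str, call: Callable[[str], str]) -> str:
    """Wrap an outbound API call: pseudonymise, gate, call, rehydrate."""
    safe_prompt, mapping = pseudonymise(prompt)
    if contains_identifier(safe_prompt):
        raise ValueError("identifier survived pseudonymisation; not sending")
    return rehydrate(call(safe_prompt), mapping)

# Constructed sample; the "provider" is a local stub that echoes the prompt.
SAMPLE = "Draft a reply to alice@example.com (tel. +49 30 1234567), cc alice@example.com."
if __name__ == "__main__":
    print(query_provider(SAMPLE, lambda p: "Provider saw: " + p))
```

Regex matching is a floor, not a guarantee: names and free-text identifiers need a dedicated PII detector, and the placeholder mapping is itself personal data under GDPR and must be protected accordingly.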

Geographic considerations extend beyond data handling to model behaviour. Models trained predominantly on data from a particular jurisdiction may perform poorly when applied to EU populations. The Technical SME should evaluate the model’s performance across EU member state populations where the system will be deployed and document any geographic performance variations in the AISDP.

Infrastructure hosting arrangements also matter. If the model’s inference infrastructure is hosted outside the EU, the risk that foreign governments could compel access under their domestic laws (the US CLOUD Act, China’s National Intelligence Law) must be assessed and documented in Module 9.

Key outputs

  • Provider data handling assessment
  • Data processing agreement review
  • Geographic performance evaluation results
  • Infrastructure sovereignty assessment