Lawful Basis (GDPR Art. 6(1)(f) + AI Act Art. 72)

PMM monitoring data frequently contains personal data: inference inputs may include personal characteristics, outputs may include decisions about identified individuals, and operational logs may record which operators handled which cases. Processing personal data for PMM purposes requires a lawful basis under GDPR Article 6. Legitimate interest under Article 6(1)(f) is the most common basis, supported by the legal obligation under the AI Act to conduct post-market monitoring.

The legitimate interest assessment documents the purpose (regulatory compliance and system safety monitoring), the necessity (the PMM obligation cannot be met without processing inference data), and the balancing test (individual interests are protected by data minimisation, access controls, and retention limits). The DPO Liaison ensures the legitimate interest assessment is documented and reviewed annually. Where the system processes special category data, the additional conditions under GDPR Article 9 are addressed in the DPIA.

Key outputs
- Legitimate interest assessment documented for PMM data processing
- Purpose, necessity, and balancing test specified
- Annual review by DPO Liaison
- Module 4 and Module 12 AISDP documentation

Data Minimisation & Tiered Retention

PMM monitoring collects only the data necessary for its compliance purpose. Where full inference inputs are not needed (where aggregated statistics suffice), the data collection layer anonymises or aggregates at the point of collection. Where individual-level data is needed for disaggregated performance analysis or incident investigation, it is retained at minimum granularity and duration.

A tiered retention approach balances the AI Act’s ten-year documentation obligation with the GDPR’s storage limitation principle. Individual-level inference data is retained at full granularity for 90 days (sufficient for incident investigation and short-term analysis), then aggregated to statistical summaries for long-term retention. The summaries, together with the PMM reports they generate, are retained for the full ten-year period.

The DPO Liaison documents the retention policy in both the PMM plan and the DPIA. The retention tiers, aggregation methodology, and deletion schedules are implemented through automated lifecycle policies.

Key outputs
- Data minimisation at point of collection where possible
- 90-day individual-level retention, then aggregation
- Ten-year retention for statistical summaries and PMM reports
- Automated lifecycle policies enforcing retention tiers
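
A sketch of one lifecycle pass for the tiers described above, as an added example that is not part of the original page: records older than 90 days are reduced to per-day, per-group counts with identifiers dropped, and summaries past ten years are deleted. The record schema, the function and variable names, and the 3653-day approximation of ten years are assumptions; the sample data is constructed.

```python
from collections import defaultdict
from datetime import date, datetime, timedelta, timezone

INDIVIDUAL_DAYS = 90     # full-granularity tier stated on the page
SUMMARY_DAYS = 3653      # ten years including leap days (assumed day count)

def run_lifecycle(records, summaries, today):
    """One lifecycle pass. Returns (kept_records, new_summaries).
    records:   list of dicts {ts, subject_id, group, correct} (hypothetical schema)
    summaries: dict {(day, group): {"n": int, "correct": int}}
    """
    record_cutoff = today - timedelta(days=INDIVIDUAL_DAYS)
    summary_cutoff = today - timedelta(days=SUMMARY_DAYS)
    kept, expired = [], defaultdict(lambda: {"n": 0, "correct": 0})
    for r in records:
        day = r["ts"].date()
        if day >= record_cutoff:
            kept.append(r)                     # still inside the 90-day tier
        else:
            cell = expired[(day, r["group"])]  # subject_id is deliberately dropped
            cell["n"] += 1
            cell["correct"] += int(r["correct"])

    # Drop summaries past the ten-year tier, then merge counts additively so
    # that re-running the job never double-counts or loses a cell.
    merged = {k: dict(v) for k, v in summaries.items() if k[0] >= summary_cutoff}
    for key, cell in expired.items():
        if key[0] < summary_cutoff:
            continue                           # older than both tiers: delete outright
        prev = merged.setdefault(key, {"n": 0, "correct": 0})
        prev["n"] += cell["n"]
        prev["correct"] += cell["correct"]
    return kept, merged

def sample_record(day, sid, group, correct):   # builds constructed sample data
    ts = datetime.combine(day, datetime.min.time(), tzinfo=timezone.utc)
    return {"ts": ts, "subject_id": sid, "group": group, "correct": correct}

TODAY = date(2025, 6, 30)
SAMPLE = [
    sample_record(date(2025, 6, 1), "s-001", "A", True),   # 29 days old: kept
    sample_record(date(2025, 4, 1), "s-002", "A", False),  # exactly 90 days: kept
    sample_record(date(2025, 3, 1), "s-003", "A", True),   # 121 days: aggregated
    sample_record(date(2025, 3, 1), "s-004", "A", False),
    sample_record(date(2025, 3, 1), "s-005", "B", True),
]
OLD_SUMMARIES = {(date(2014, 1, 1), "A"): {"n": 10, "correct": 9}}  # past ten years

if __name__ == "__main__":
    print(run_lifecycle(SAMPLE, OLD_SUMMARIES, TODAY))
```

The cutoff is compared by calendar day, so all records from one day leave the individual-level tier in the same pass.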

Access Controls & Regulatory Access Profile

Access to PMM data containing personal information is restricted to authorised PMM analysts and investigators, with access logged and reviewed. Role-based access controls enforce the principle of least privilege: the governance dashboard provides compliance-relevant metrics without exposing individual-level data.

The “regulatory access” profile provides competent authority inspectors with access to PMM dashboards and reports without granting access to raw individual-level data unless specifically required for an investigation. Where an inspector requests individual-level data, the Legal and Regulatory Advisor negotiates the scope, applies data protection safeguards, and documents the access provided.

Access logs for PMM data are retained and reviewed quarterly by the DPO Liaison, who verifies that access patterns are consistent with authorised purposes.

Key outputs
- Role-based access controls with least privilege
- Regulatory access profile for inspectors (dashboards, not raw data)
- Access logging and quarterly DPO Liaison review
- Module 4 and Module 12 AISDP documentation