New rules in force for the use of Artificial Intelligence (AI) in the private sector

Contact People

Theodore Konstantakopoulos

Partner

Yolanda Antoniou-Rapti

Senior Associate

Iliana Papantoni

Associate


Rules for the use of Artificial Intelligence (AI) by private companies for HR management, as well as for commercial and marketing practices, entered into force on 01.01.2023.

Law 4961/2022 on emerging information and communication technologies has introduced obligations for companies using AI tools and systems, aiming to establish a fair, transparent and secure framework for the use of AI in the private sector.

1. Which companies are affected?

a. all companies which use AI systems[1] affecting in any way decisions relating to employees or prospective employees and having an impact on:

  • their working conditions,
  • their selection,
  • recruitment, or
  • evaluation;

b. digital platforms with regard to natural persons linked to them by virtue of either an employment contract or an independent services provision or project contract; and

c. medium-sized companies[2] and large companies[3] which use AI systems in the context of consumer profiling or of the evaluation of their employees or partners.

2. What are the obligations?

a. Companies under 1(a) and 1(b) should:

  • provide sufficient and clear notice to all employees and prospective employees, which shall include at least the parameters on which the relevant decision that will be derived from the use of AI systems is based;
  • ensure compliance with the principles of equal treatment and non-discrimination in the workplace for reasons of gender, race, religion, etc.; and
  • carry out a Data Protection Impact Assessment (DPIA) according to relevant GDPR standards.

b. Companies under 1(c), in addition to the above-mentioned obligations to which they might be subject, should:

  • maintain an electronic Register of the AI systems they use (eRegister); minimum content is provided by Law (see section 3 below);
  • prepare and adopt a Data Use Code of Conduct, establishing the measures, actions and procedures they implement on data ethics issues when using AI systems;
  • where the company is a listed société anonyme obliged by law to prepare a corporate governance statement, it must include in such statement information about its Data Use Code of Conduct; and
  • carry out a DPIA according to relevant GDPR standards.

3. What should the eRegister include?

The eRegister should include, at least, the following information:

  • description of the operating parameters, capabilities and technical characteristics of the AI system;
  • the number and the status of the natural persons affected or likely to be concerned;
  • technical information concerning the supplier or external partners involved in the development or operation of the AI system;
  • the operation period of the AI system; and
  • the measures taken to ensure the safe operation of the AI system.

4. Sanctions for non-compliance

Under certain circumstances, both administrative and criminal sanctions may apply.

Administrative sanctions:

  • fine of EUR 300 – 50,000
  • temporary shut-down of the operation of a specific production process or department of the company or temporary shut-down of the whole company

Criminal sanctions:

  • imprisonment of 6 months – 5 years
  • fine of at least EUR 900

5. Key take-aways

Organisations must:

  • properly record and audit all systems and tools they use, in order to identify instances where AI technology is being used (e.g., for screening and evaluation of candidate employees, for credit risk evaluation of business partners, for consumer profiling, etc.);
  • take actions to ensure compliance with GDPR standards, which include carrying out a DPIA, and providing notice to affected individuals;
  • create and maintain an eRegister of the AI systems they use and prepare and adopt a Data Use Code of Conduct (applicable to medium-sized and large companies only);
  • ensure that a legal and technical due diligence is performed before the adoption or introduction of AI systems and tools.

[1] The Law does not provide a definition of “AI systems”.

[2] Companies not exceeding at least two of the following thresholds: (i) an average of 250 employees; (ii) liquid assets above EUR 20,000,000; and (iii) a total turnover of EUR 40,000,000.

[3] Companies exceeding at least two of the following thresholds: (i) an average of 250 employees; (ii) liquid assets above EUR 20,000,000; and (iii) a total turnover of EUR 40,000,000.