GDPR Compliance & EU AI Act Transparency
Last Updated: [DATE]
Important: This document outlines how Onpage Pilot Inc. ("we", "us", "our", "OnPagePilot") fulfils its obligations under the EU General Data Protection Regulation (GDPR), the Danish Data Protection Act (Databeskyttelsesloven, Lov nr. 502 af 23. maj 2018), and the EU Artificial Intelligence Act (Regulation (EU) 2024/1689). It explains how you can exercise your data protection rights, how we handle data breaches, and how we ensure transparency regarding our use of artificial intelligence. For details on what personal data we collect and how we process it, please refer to our Privacy Policy.
- Our Commitment to Data Protection
- Data Protection Officer
- Legal Framework
- Your Data Subject Rights — How to Exercise Them
- Cross-Border Data Transfers
- Data Breach Notification
- Data Protection Impact Assessments
- EU AI Act Transparency
- AI Features Inventory
- Human Oversight & AI Governance
- Your Rights Regarding AI-Generated Content
- Filing a Complaint
1. Our Commitment to Data Protection
OnPagePilot is committed to processing personal data lawfully, fairly, and transparently. Data protection is not merely a regulatory obligation — it is a core principle embedded in our platform architecture, our development processes, and our organisational culture.
We adhere to the following principles in all data processing activities:
- Lawfulness, Fairness, and Transparency (Art. 5(1)(a)): We process personal data only where we have a valid legal basis, and we inform you clearly about how your data is used.
- Purpose Limitation (Art. 5(1)(b)): We collect personal data only for specified, explicit, and legitimate purposes and do not process it in a manner incompatible with those purposes.
- Data Minimisation (Art. 5(1)(c)): We limit the personal data we collect to what is adequate, relevant, and necessary for the purposes for which it is processed.
- Accuracy (Art. 5(1)(d)): We take reasonable steps to ensure personal data is accurate and kept up to date.
- Storage Limitation (Art. 5(1)(e)): We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, or as required by law.
- Integrity and Confidentiality (Art. 5(1)(f)): We implement appropriate technical and organisational measures to protect personal data against unauthorised processing, accidental loss, destruction, or damage.
- Accountability (Art. 5(2)): We are responsible for, and able to demonstrate, compliance with these principles.
2. Data Protection Officer
We have designated a Data Protection Officer (DPO) in accordance with GDPR Article 37. The DPO independently monitors our compliance with data protection legislation and serves as the primary contact point for data subjects and the Danish Data Protection Agency (Datatilsynet).
You may contact the DPO directly regarding any questions about how we process your personal data, to exercise your data subject rights, or to raise concerns about our data protection practices. The DPO is bound by confidentiality and will respond to your enquiry without undue delay.
3. Legal Framework
Our data protection and AI transparency practices are governed by the following legislation:
| Legislation | Scope |
|---|---|
| GDPR (Regulation (EU) 2016/679) | General data protection — legal bases, data subject rights, processor obligations, cross-border transfers, breach notification |
| Danish Data Protection Act (Databeskyttelsesloven, Lov nr. 502 af 23. maj 2018) | National supplementary rules — age of consent (13 years), CPR-nummer processing restrictions, Datatilsynet supervisory authority |
| ePrivacy Directive (2002/58/EC as amended by 2009/136/EC) | Cookie and electronic communications regulation, implemented in Denmark via the Executive Order on Cookies (Cookiebekendtgørelsen) |
| EU AI Act (Regulation (EU) 2024/1689) | AI transparency obligations (Article 50), risk classification, human oversight requirements. Full application from 2 August 2026 |
Where the GDPR and the Danish Data Protection Act overlap, the more specific national provision applies. Where the GDPR and the EU AI Act overlap (e.g., automated decision-making under GDPR Art. 22 and AI transparency under AI Act Art. 50), both sets of obligations apply cumulatively.
4. Your Data Subject Rights — How to Exercise Them
Under the GDPR and the Danish Data Protection Act, you have the following rights regarding your personal data. For each right, we explain what it means and provide step-by-step instructions on how to exercise it.
How to submit a request: Send an email to [DPO EMAIL ADDRESS] with the subject line "Data Subject Request — [Right Name]". Include your full name, the email address associated with your OnPagePilot account, and a description of your request. We may ask you to verify your identity before processing the request.
Response timeline: We will acknowledge your request within 5 business days and provide a substantive response within one (1) month of receipt (GDPR Art. 12(3)). This period may be extended by up to two additional months where the request is complex or we have received numerous requests, in which case we will inform you of the extension and the reasons for it within the initial one-month period. There is no fee for exercising your rights unless your request is manifestly unfounded or excessive.
4.1 Right of Access (Art. 15)
What it means: You have the right to obtain confirmation as to whether your personal data is being processed and, if so, to receive a copy of that data together with information about the purposes, categories of data, recipients, retention periods, and your further rights.
How to exercise:
- Send an email to [DPO EMAIL ADDRESS] with subject "Data Subject Request — Access".
- Specify whether you want a copy of all personal data we hold about you, or specific categories only.
- We will verify your identity (you may be asked to confirm your account email from your registered email address).
- Within one month, we will provide your personal data in a structured, commonly used, machine-readable format (JSON or CSV).
4.2 Right to Rectification (Art. 16)
What it means: You have the right to have inaccurate personal data corrected and incomplete personal data completed.
How to exercise:
- For account information (name, email, company): You can update this directly in your OnPagePilot account settings.
- For other data: Send an email to [DPO EMAIL ADDRESS] with subject "Data Subject Request — Rectification", specifying which data is inaccurate and providing the correct information.
- We will process rectification requests promptly and notify any recipients to whom the data was disclosed.
4.3 Right to Erasure ("Right to Be Forgotten") (Art. 17)
What it means: You have the right to request deletion of your personal data where: (a) the data is no longer necessary for the purposes for which it was collected; (b) you withdraw consent (where processing was based on consent); (c) you object to processing and there are no overriding legitimate grounds; (d) the data has been unlawfully processed; or (e) the data must be erased for compliance with a legal obligation.
How to exercise:
- Send an email to [DPO EMAIL ADDRESS] with subject "Data Subject Request — Erasure".
- Specify whether you want all your data erased or specific categories only.
- We will evaluate whether an exemption applies (e.g., legal obligation to retain billing records under Danish Bogføringsloven).
- Where erasure is granted, we will delete your data within 30 days and confirm completion. Where we cannot erase certain data due to legal obligations, we will inform you of the specific data retained and the legal basis for retention.
4.4 Right to Restriction of Processing (Art. 18)
What it means: You have the right to request that we restrict processing of your personal data where: (a) you contest the accuracy of the data (restriction applies while we verify accuracy); (b) processing is unlawful but you oppose erasure; (c) we no longer need the data but you require it for legal claims; or (d) you have objected to processing (restriction applies pending verification of legitimate grounds).
How to exercise:
- Send an email to [DPO EMAIL ADDRESS] with subject "Data Subject Request — Restriction".
- Specify the grounds for restriction and which data or processing activities should be restricted.
- While processing is restricted, we will only store your data and will not process it further without your consent (except for legal claims, protection of another person's rights, or important public interest).
- We will inform you before lifting any restriction.
4.5 Right to Data Portability (Art. 20)
What it means: Where processing is based on consent or contract and is carried out by automated means, you have the right to receive your personal data in a structured, commonly used, machine-readable format and to transmit that data to another controller without hindrance.
How to exercise:
- Send an email to [DPO EMAIL ADDRESS] with subject "Data Subject Request — Portability".
- Specify which data you wish to export (account data, SEO analysis results, AI-generated content, etc.).
- We will provide your data in JSON format within one month. Where technically feasible and requested, we can transmit the data directly to another controller.
4.6 Right to Object (Art. 21)
What it means: You have the right to object to processing based on legitimate interest (Art. 6(1)(f)) or public interest (Art. 6(1)(e)) at any time. You also have an absolute right to object to processing for direct marketing purposes (cf. Danish Data Protection Act §22).
How to exercise:
- Send an email to [DPO EMAIL ADDRESS] with subject "Data Subject Request — Objection".
- Explain the grounds for your objection relating to your particular situation.
- For direct marketing objections: We will cease processing immediately upon receipt, no further justification required.
- For legitimate interest objections: We will assess whether our compelling legitimate grounds override your interests, rights, and freedoms. We will inform you of the outcome within one month.
4.7 Right to Withdraw Consent (Art. 7(3))
What it means: Where we process personal data based on your consent, you have the right to withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing carried out before the withdrawal.
How to exercise:
- For cookie consent: Adjust your cookie preferences via the cookie settings on our website.
- For other consent-based processing: Send an email to [DPO EMAIL ADDRESS] specifying which consent you wish to withdraw.
- We will cease the relevant processing promptly upon receiving your withdrawal.
4.8 Right Not to Be Subject to Automated Decision-Making (Art. 22)
What it means: You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you.
OnPagePilot's position: Our AI features are tools that assist your SEO work — they generate content drafts, produce analysis reports, and provide recommendations. All final decisions regarding content publication, SEO strategy, and business actions remain entirely with you. None of our automated processing produces legal effects concerning you or similarly significantly affects you within the meaning of Article 22. However, if you believe a specific automated decision has significantly affected you, you may contact our DPO to request human review.
5. Cross-Border Data Transfers
OnPagePilot is operated by Onpage Pilot Inc. Our servers are located in the United States. When you use our service from within the European Economic Area (EEA), your personal data is transferred to the United States.
We rely on the following safeguards for international data transfers, in accordance with GDPR Chapter V:
5.1 EU-U.S. Data Privacy Framework
The European Commission adopted an adequacy decision for the EU-U.S. Data Privacy Framework on 10 July 2023 (Implementing Decision (EU) 2023/1795). We rely on this framework as our primary transfer mechanism.
5.2 Standard Contractual Clauses (SCCs)
As a supplementary safeguard, and in the event the Data Privacy Framework adequacy decision is invalidated or modified, we maintain EU Commission-approved Standard Contractual Clauses (adopted pursuant to Commission Implementing Decision (EU) 2021/914) with our data processors to ensure an adequate level of protection for your personal data.
5.3 Third-Party AI Model Providers
When our AI pipeline processes your content prompts via third-party model providers (accessed through the OpenRouter API), data is transmitted to model provider infrastructure. We ensure that:
- Only content prompts and parameters are transmitted — no personally identifiable user data is sent to AI model providers.
- Data processing agreements are in place with all third-party providers.
- Where providers are located outside the EEA, appropriate transfer safeguards (SCCs or adequacy decisions) are in place.
You may request a copy of the applicable transfer safeguards by contacting our DPO.
6. Data Breach Notification
We maintain a data breach response procedure in accordance with GDPR Articles 33 and 34:
6.1 Notification to Supervisory Authority
In the event of a personal data breach that is likely to result in a risk to the rights and freedoms of natural persons, we will notify the Danish Data Protection Agency (Datatilsynet) within 72 hours of becoming aware of the breach (Art. 33). The notification will include:
- The nature of the breach, including the categories and approximate number of data subjects and records concerned.
- The name and contact details of the Data Protection Officer.
- A description of the likely consequences of the breach.
- A description of the measures taken or proposed to address the breach, including mitigation measures.
6.2 Notification to Affected Data Subjects
Where a personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, we will communicate the breach to you without undue delay (Art. 34). This notification will describe the nature of the breach in clear and plain language and provide recommendations for protective measures you can take.
We are not required to notify you if: (a) we have applied encryption or other measures rendering the data unintelligible; (b) subsequent measures ensure the high risk is no longer likely to materialise; or (c) individual notification would involve disproportionate effort, in which case a public communication will be made.
7. Data Protection Impact Assessments
Where processing operations are likely to result in a high risk to the rights and freedoms of natural persons, we conduct Data Protection Impact Assessments (DPIAs) in accordance with GDPR Article 35. This includes an assessment of:
- The necessity and proportionality of the processing in relation to its purpose.
- The risks to the rights and freedoms of data subjects.
- The measures envisaged to address the risks, including safeguards, security measures, and mechanisms to ensure the protection of personal data.
We have conducted DPIAs for the following processing activities involving our AI pipeline:
- AI-assisted content generation (processing of content prompts via third-party LLM providers).
- Automated competitor analysis (systematic processing of publicly available website data).
- Local AI model inference (processing via locally hosted models for classification and analysis).
Summaries of our DPIAs are available upon request by contacting our DPO.
8. EU AI Act Transparency
The EU Artificial Intelligence Act (Regulation (EU) 2024/1689) establishes harmonised rules for the development, deployment, and use of AI systems within the European Union. OnPagePilot uses AI technologies extensively and is committed to full transparency about our AI practices in accordance with Article 50 of the AI Act.
8.1 Our Role Under the AI Act
OnPagePilot operates in multiple roles under the AI Act:
| Role | Description | Obligations |
|---|---|---|
| AI System Provider | We develop and provide the overall AI system that generates content, analyses competitors, and produces semantic analysis for our users. | Art. 50(1): Inform users they are interacting with AI. Art. 50(2): Mark AI-generated outputs in machine-readable format. |
| AI Model Provider | We develop and fine-tune our own AI models (including image classification models trained on OnPagePilot data) using our proprietary ModelTrainer pipeline. | Art. 50(2): Mark outputs from fine-tuned models as AI-generated in machine-readable format. Provider-level obligations for models trained on our own data. |
| AI Deployer | We deploy third-party large language models via the OpenRouter API and locally hosted models via Ollama for various NLP and generation tasks. | Art. 50(1): Ensure users are informed when interacting with AI-generated outputs. Art. 50(4): Disclose AI-generated text intended for public information. |
8.2 AI Risk Classification
Under the AI Act's risk-based classification framework (Articles 5 and 6, Annex III), OnPagePilot's AI features are classified as limited-risk AI systems. Our AI features — content generation, semantic analysis, competitor analysis, and automated classification — do not fall within the high-risk categories defined in Annex III (which cover biometric identification, critical infrastructure, education scoring, employment decisions, law enforcement, and immigration). They are not prohibited practices under Article 5.
As limited-risk AI systems, our primary obligation is transparency under Article 50: ensuring users are clearly informed when they are interacting with AI-generated content or AI-derived analysis.
8.3 Transparency Measures
In compliance with Article 50, we implement the following transparency measures:
- Clear disclosure (Art. 50(1)): All AI features within OnPagePilot are clearly identified as AI-powered. When you use content generation, semantic analysis, or competitor analysis tools, the interface clearly indicates that the outputs are produced by artificial intelligence.
- AI-generated content marking (Art. 50(2)): Content generated through our AI pipeline is marked as AI-generated. We are implementing machine-readable marking of AI outputs in accordance with the standards expected under the Code of Practice for general-purpose AI models.
- Publication disclosure (Art. 50(4)): AI-generated text produced by OnPagePilot that is intended for public publication is disclosed as AI-generated. Users are informed that content undergoes human review and editorial control before publication, which may qualify for the editorial exception under Art. 50(4), but the initial AI generation is always disclosed.
8.4 Applicable Timeline
The EU AI Act entered into force on 1 August 2024. Key compliance milestones for OnPagePilot:
- 2 February 2025: Prohibited AI practices provisions apply (Art. 5) — OnPagePilot has no prohibited AI practices.
- 2 August 2025: General-purpose AI model obligations begin — applicable to our use of third-party GPAI models.
- 2 August 2026: Full application of remaining provisions, including Art. 50 transparency obligations and all high-risk AI system requirements.
Non-compliance with Article 50 transparency obligations may result in fines of up to €15 million or 3% of worldwide annual turnover, whichever is higher.
9. AI Features Inventory
The following tables provide a complete inventory of AI-powered features within OnPagePilot, the type of AI technology used, the data processed, and the level of human oversight:
9.1 Cloud AI Services
| Feature | AI Technology | Purpose | Data Processed | Human Oversight |
|---|---|---|---|---|
| Content Generation | Large Language Models (LLMs) via API | Generate SEO-optimised content drafts from user prompts | User-provided keywords, topic data, content parameters | Full — user reviews, edits, and approves all generated content before use |
| Semantic Analysis | LLM-based analysis | Analyse semantic relationships between topics and keywords | Keyword data, search engine results data, competitor content summaries | Presented as analysis — user interprets and acts on findings |
| Competitor Analysis | LLM-based analysis | Analyse competitor content strategies using publicly available data | Publicly accessible competitor page content, keyword position data | Advisory — user evaluates competitive insights independently |
| ContentPlanner Semantic Cards | LLM-based generation | Generate semantic relationship data for interactive visualisation | Domain and keyword data, search engine analysis | Visualisation tool — user interprets the semantic map |
| Topical Authority Analysis | LLM-based evaluation | Evaluate topic coverage and identify content gaps | Content inventory, keyword mapping, indexation data | Advisory — user decides which gaps to address |
9.2 Local AI Infrastructure
| Feature | AI Technology | Purpose | Data Processed | Human Oversight |
|---|---|---|---|---|
| Page Overlay Classification | Fine-tuned image classification model (proprietary, trained on OnPagePilot data) | Classify page overlays during crawling (cookie consent, captcha, clean page, other overlay) | Page screenshots from automated crawling | Automated pipeline — classification informs crawl behaviour; operators can review |
| Text Embeddings | Locally hosted embedding models | Semantic search, retrieval-augmented generation, content similarity analysis | Content text, user search queries | Infrastructure component — supports user-facing features |
| Visual Content Analysis | Vision-language models (locally hosted) | Image analysis and visual content extraction from web pages | Page screenshots, images from crawled pages | Advisory — analysis presented to user for interpretation |
| Retrieval-Augmented Generation (RAG) | Modular RAG architecture with advanced document chunking and reranking | Context-aware content retrieval and AI-augmented generation | Indexed content, user queries | Full — user reviews and approves all generated outputs |
No personal data as training data: Our fine-tuned models are trained on operational data (e.g., page screenshots for overlay classification) and do not use personal user data as training input. Third-party LLM providers are contractually prohibited from using OnPagePilot user data for model training.
10. Human Oversight & AI Governance
10.1 AI Model Selection and Routing
OnPagePilot employs a database-driven AI model routing system that automatically selects the most appropriate AI model for each generation task based on content type, language, and complexity. This routing is governed by configuration tables (AiModels and AiGenerationRouting) that are maintained by our engineering team. Model selection does not involve personal data processing — it is a technical optimisation mechanism.
10.2 Human Oversight Principles
We apply the following human oversight principles to all AI features:
- Human-in-the-loop for content generation: All AI-generated content is presented as a draft. Users must review, edit, and explicitly approve content before it can be published or used externally. The AI does not publish content autonomously.
- Human-on-the-loop for analysis: AI-derived analysis (semantic analysis, competitor analysis, topical authority evaluation) is presented as advisory information. Users interpret the analysis and make all strategic decisions independently.
- Human-in-command for system operations: AI model configuration, routing rules, and system-level AI decisions are controlled exclusively by authorised engineering personnel. No automated system can modify AI model selection or routing without human authorisation.
10.3 AI Safety and Security Measures
OnPagePilot implements a comprehensive, multi-layered defence architecture to ensure the safety, reliability, and security of our AI systems. These measures include:
- Input validation and prompt sanitisation to prevent adversarial manipulation.
- Output monitoring and filtering to ensure AI-generated content meets quality and safety standards.
- Session isolation to prevent cross-user data leakage in AI processing.
- Logging and audit trails for all AI generation activities, enabling traceability and accountability.
- Rate limiting and abuse prevention mechanisms on all AI endpoints.
Our security architecture is subject to ongoing review and improvement. Details of specific security measures are maintained internally and are available to regulatory authorities upon request.
10.4 Accuracy Limitations and Disclaimers
AI-generated content and AI-derived analysis may contain inaccuracies, omissions, or errors. Specifically:
- Content generation: AI-generated text may contain factual errors, outdated information, or inappropriate phrasing. Users are responsible for verifying all facts, checking for accuracy, and ensuring suitability before publication.
- Semantic and competitor analysis: AI-derived analysis reflects patterns identified by machine learning models and may not capture all relevant factors. Analysis results should be considered as one input among many in your decision-making process.
- Classification models: Our fine-tuned classification models (e.g., page overlay classification) operate at documented accuracy levels and may produce incorrect classifications in edge cases.
OnPagePilot does not guarantee the accuracy, completeness, or fitness for any particular purpose of AI-generated content or AI-derived analysis. All AI outputs are tools to assist your work, not substitutes for professional judgement.
10.5 AI Feedback and Incident Reporting
If you encounter issues with AI-generated content or AI-derived analysis — including inaccurate outputs, unexpected behaviour, or content that appears harmful or inappropriate — please report it to us:
Email: [DPO EMAIL ADDRESS]
Subject line: "AI Feedback — [Brief Description]"
We investigate all AI-related reports and use feedback to improve the safety and quality of our AI systems.
11. Your Rights Regarding AI-Generated Content
In addition to your GDPR data subject rights (Section 4 above), we recognise the following rights in relation to AI-generated content and AI-derived analysis produced by OnPagePilot:
| Right | Description | How to Exercise |
|---|---|---|
| Right to Know | You have the right to know when content or analysis presented to you has been generated or substantially influenced by AI. | All AI features are clearly labelled within the OnPagePilot interface. This document serves as comprehensive disclosure. |
| Right to Human Review | You have the right to request human review of any AI-generated output or AI-derived analysis if you believe it is inaccurate or has been produced in error. | Contact [DPO EMAIL ADDRESS] with subject "AI Human Review Request". |
| Right to Explanation | You have the right to receive a meaningful explanation of how AI features work, including the types of models used, the data they process, and their limitations. | This document provides a comprehensive overview. For specific questions, contact our DPO. |
| Right to Opt Out | You have the right to use OnPagePilot's non-AI features without engaging AI-powered tools. AI content generation and AI analysis features are opt-in — you choose when to invoke them. | Simply do not use the AI generation or AI analysis features. Core SEO monitoring, technical auditing, and reporting functions operate independently of AI. |
12. Filing a Complaint
12.1 Contact Us First
We encourage you to contact us directly before filing a complaint with a supervisory authority. Many concerns can be resolved promptly through direct communication with our Data Protection Officer:
Onpage Pilot Inc.
Email: [DPO EMAIL ADDRESS]
We aim to resolve all data protection enquiries within 30 days.
12.2 Complaint to Datatilsynet
If you are not satisfied with our response, or if you believe our processing of your personal data infringes the GDPR or the Danish Data Protection Act, you have the right to lodge a complaint with the Danish Data Protection Agency (Datatilsynet) in accordance with GDPR Article 77.
How to file a complaint:
- We recommend contacting OnPagePilot first (see Section 12.1) to attempt resolution.
- Visit datatilsynet.dk/english/file-a-complaint for complaint submission guidance and the complaint form (PDF).
- Your complaint must include your name and address. Anonymous complaints are generally not processed.
- Describe the processing activity you believe is non-compliant and the steps you have taken to resolve the matter with the data controller.
Datatilsynet contact details:
Carl Jacobsens Vej 35
2500 Valby, Denmark
Phone: +45 33 19 32 00
Email: [email protected]
Website: www.datatilsynet.dk
Note on enforcement: Datatilsynet does not issue fines directly. If Datatilsynet determines that a violation has occurred, it may recommend the matter to the police, who bring the case before the courts. The courts determine whether a fine is imposed and its amount, within the limits set by the GDPR (up to €20 million or 4% of worldwide annual turnover, whichever is higher).
12.3 Cross-Border Complaints
If you are located outside Denmark within the EU/EEA, you also have the right to lodge a complaint with the supervisory authority in the Member State of your habitual residence, place of work, or place of the alleged infringement (GDPR Art. 77(1)). The lead supervisory authority mechanism under Article 56 applies to cross-border processing.
12.4 Judicial Remedy
Without prejudice to any available administrative or non-judicial remedy (including the right to lodge a complaint with a supervisory authority), you have the right to an effective judicial remedy where you consider that your rights under the GDPR have been infringed as a result of the processing of your personal data (GDPR Art. 79).
Related Documents
- Privacy Policy — What personal data we collect, how we process it, legal bases, data retention, and cookies.
- Terms & Conditions — Terms of service, user obligations, intellectual property, AI-generated content disclaimers, and limitation of liability.
- Cookie Policy — Detailed information about cookies and similar technologies used on our platform.
Regulatory References: This document is drafted in compliance with Regulation (EU) 2016/679 (General Data Protection Regulation), the Danish Data Protection Act (Databeskyttelsesloven, Lov nr. 502 af 23. maj 2018), the ePrivacy Directive (2002/58/EC as amended by 2009/136/EC), and Regulation (EU) 2024/1689 (EU Artificial Intelligence Act), in particular Article 50 (transparency obligations for AI systems and AI-generated content).
Disclaimer: This document has been prepared with care but must be reviewed by a qualified legal professional, a Data Protection Officer, and an EU AI Act compliance specialist before being published. It does not constitute legal advice. The information provided is intended as a starting point for compliance documentation and should be adapted to reflect the specific circumstances and practices of the organisation.