
AI, GDPR & Digital Law

We help companies navigate the new EU regulatory environment — AI Act, DSA, DMA, and the ongoing GDPR. We prepare AI system classifications, AI development agreements, data licensing, GDPR audits, DPIAs, and e-commerce terms. Marek Poloni regularly speaks on these topics for Czech companies.

Practice led by Marek Poloni · partner
Speaking engagements: Marek regularly lectures on the AI Act and its impact on Czech business — for companies, professional associations, and internal client training.
AI Act: from 2026
GDPR fines: up to 4% of turnover
DPIA: standard
Languages: CZ / EN

01 · About this practice

The regulatory environment for digital services in the EU has undergone a fundamental transformation in recent years. GDPR, the AI Act, the Data Act, Data Governance Act, DSA, DMA, and NIS2 form a dense web of obligations that affect virtually every company working with data, algorithmic decision-making, or an online platform. Our role is to help clients navigate this web and make business decisions with full awareness of legal risk.

The practice is led by Marek Poloni, who, alongside transactional law, has long focused on data and AI law. He regularly lectures on the AI Act and its impact on Czech business for companies, professional associations, and internal client training. As a result, he can explain regulation to non-technical audiences and operationalize it into concrete steps.

For clients we follow three typical steps: (1) risk classification and gap analysis — what you specifically must comply with and what you don't, (2) operationalization — contracts, internal policies, records of processing, DPIA, (3) roll-out and training — so that people in the company know what to do. We use this approach for both GDPR and the AI Act.

For AI development agreements and data licensing, we address sensitive questions: who owns the training data, who owns the outputs, who's liable for model errors, how to set SLAs for probabilistic systems. We also guide clients through standards in areas like fine-tuning, RAG architectures, open-source models, or use of third-party foundation models.

02 · What we actually do

AI Act compliance

AI system classification (non-prohibited / high-risk / GPAI / limited), gap analysis, documentation (technical, risk management, post-market monitoring), CE marking for high-risk systems.

AI development agreements

Development agreements, licensing models, IP in training data and outputs, liability for hallucinations, SLAs for probabilistic systems, exit and portability.

Data licensing

Data sharing agreements, data licensing, data pools, Data Act compliance, anonymization and pseudonymization, secondary data use, cross-border data transfers.

GDPR audits & DPIA

Corporate GDPR audit, records of processing activities, data protection impact assessment (DPIA), cookies and consent management, responding to data subject requests.

DSA & DMA compliance

For platforms and online stores — obligations under the Digital Services Act (transparency, moderation, reporting), notice-and-action implementation, gatekeeper compliance under the DMA.

E-commerce & consumer

Online sales terms, complaints rules, withdrawal from contract, dark patterns, Omnibus Directive, marketing and cookies, compliance with the Czech Trade Inspection and Data Protection Office.

03 · Representative engagements

2025 · AI Act
AI Act gap analysis for a Czech fintech using ML models for credit scoring — classification as high-risk, documentation plan, risk management framework, preparation of internal processes.

2024–2025 · AI development
Development agreement for a custom AI assistant for a corporate client — licensing model, IP for fine-tuning, data licensing for training, SLA, liability for hallucinations, model exit and portability.

2024 · GDPR
GDPR audit and consent flow redesign for a Czech-Slovak marketplace — DPIA, cookie consent, records of processing, procedures for responding to data subject requests, DPAs with sub-processors.

2024 · Training
AI Act lecture and training for the management of a manufacturing company with 300+ employees — classification of internally developed AI tools, governance model, role of DPO vs. AI compliance officer.

2023 · DSA
DSA compliance for a mid-sized Czech online marketplace — notice-and-action mechanism implementation, transparency of algorithmic recommendations, protection of minors, reporting obligations.

Dealing with the AI Act, a GDPR audit, or digital compliance?

Your first 15 minutes of consultation are free. We'll help you navigate the regulation, classify the risk, and build a realistic compliance plan. We also organize internal training for client management and teams.