GDPR Compliance for AI-Generated Synthetic Media and Deepfakes

Synthetic media are virtually everywhere, not just in the EU, but across the world. AI-generated voices handle customer support calls. Hyper-realistic deepfake videos circulate online, sometimes as satire, sometimes as political messaging, and sometimes as outright impersonation. Voice cloning scams have targeted corporate executives. Marketing teams deploy synthetic influencers. Film studios recreate performances without traditional filming. What began as experimental technology has quickly become part of the digital mainstream.

The unease surrounding this shift is driven mainly by identity. Synthetic media may be artificial, yet it often replicates real people: their faces, voices, or biometric traits. A generated image may resemble an identifiable individual. A cloned voice may be built from real recordings. An AI-produced video may put words into the mouth of someone who never spoke them. These concerns are what have prompted regulators to act.

Under the General Data Protection Regulation, personal data includes any information relating to an identified or identifiable natural person. When it comes to synthetic media, even though the content itself may be artificially generated, it often reproduces characteristics that can be traced back to real individuals. In such cases, the output may still relate to an identifiable person, bringing it within the scope of data protection law.

But when exactly does synthetic content fall within the scope of the GDPR? When does it cross the line into biometric data? Who bears legal responsibility for its creation and deployment? And what lawful basis could justify replicating someone’s likeness or voice in the first place? These questions are becoming more urgent as the EU’s AI Act enters into force alongside the GDPR and regulatory scrutiny of biometric and profiling technologies intensifies. This article works through each of them so that you can keep synthetic media projects GDPR compliant as the technology advances.


When Does the GDPR Apply to AI-Generated Synthetic Media?

Under Article 2(1), the GDPR applies to the processing of personal data. That means two elements must be present: processing and personal data. Synthetic media only triggers the Regulation where both conditions are satisfied.

Where Synthetic Media Involves Processing of Personal Data

Article 4(2) defines processing broadly. It covers any operation performed on personal data, whether or not by automated means: collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction. The definition is intentionally expansive so that almost nothing done with personal data falls outside it.

In the context of synthetic media, processing can occur at multiple stages:

  • When training data is collected and used to train a generative model
  • When real images, videos, or voice recordings are uploaded into a system
  • When an AI model adapts, modifies, or reconstructs identifiable features
  • When the resulting output is published, distributed, or stored

Even if the final output is newly generated, the upstream use of real individuals’ images, voices, or biometric patterns may already constitute processing. The automation of the system does not remove the human or organizational decision-making behind its deployment. If an entity determines why and how personal data is used within the generative process, processing is taking place.

The second element is equally crucial: the output must relate to a natural person. Personal data under Article 4(1) covers any information relating to an identified or identifiable natural person. A synthetic video that clearly depicts a real politician, executive, or private individual — even if the speech is fabricated — relates to that person. The artificial nature of the content does not negate the relational link.

If the generated media is connected to a real person’s identity, characteristics, or biometric traits, it falls within the conceptual scope of personal data. At that point, the GDPR framework is engaged.

The GDPR Applies Where a Natural Person Is Identifiable — Even Indirectly

Identifiability is not limited to naming someone explicitly. A person may be identified directly, for example, where a synthetic video labels an individual by name or clearly reproduces their recognizable face or voice.

However, identifiability also exists indirectly. A person can be identifiable through contextual elements such as role, appearance, distinctive mannerisms, metadata, or a combination with other available information. A deepfake of “the CEO of a major telecom company speaking at a 2025 earnings call” may allow identification even without naming the individual. Recital 26 supplies the test: if the individual can be singled out by any means reasonably likely to be used, whether by the controller or by anyone else, the threshold is met.

Importantly, the fact that source material is publicly available does not remove GDPR protection. Images scraped from public social media profiles, speeches from public conferences, or interviews posted online remain personal data. Public accessibility does not convert personal data into unregulated material. The Regulation applies irrespective of whether the data was initially obtained from private or public sources.

This is particularly significant for synthetic media systems trained on publicly available datasets. The argument that “the data was already online” does not eliminate obligations concerning lawful basis, transparency, or data subject rights. Identifiability remains the decisive factor.

The GDPR Does Not Apply Where Synthetic Content Is Fully Fictional and Non-Identifiable

There is, however, a boundary.

If synthetic media is entirely fictional and does not relate to any identified or identifiable natural person, the GDPR does not apply. A completely artificial face generated without reference to real individuals, a fictional avatar with no resemblance to any existing person, or a synthetic voice not derived from identifiable recordings would fall outside the Regulation — provided no individual can be singled out, directly or indirectly.

The key test is not realism, but identifiability. Hyper-realistic content can still be outside GDPR scope if it does not correspond to any real person and cannot reasonably be linked to one. Conversely, even subtle imitation may trigger the Regulation if identification is possible.

When Does Synthetic Media Trigger Special Category Processing?

After establishing that synthetic media involves personal data, the next question is even more consequential: does the processing escalate to biometric data and so trigger Article 9? If it does, the default rule shifts from “processing is permitted with a lawful basis” to “processing is prohibited unless a specific exception applies.” Synthetic media triggers biometric processing when:

It Is Used to Uniquely Identify a Natural Person

GDPR Article 4(14) defines biometric data as:

personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that person.

Several elements must be satisfied simultaneously.

First, there must be specific technical processing. Synthetic media systems typically rely on algorithmic analysis of facial geometry, vocal patterns, micro-expressions, or behavioural markers. Facial mapping, voiceprint extraction, and feature encoding are all forms of technical processing within the meaning of the Regulation.

Second, the data must relate to physical, physiological, or behavioural characteristics. Facial structure, iris patterns, voice frequency and cadence, and even distinctive speech rhythms fall squarely within these categories.

Third — and most important — the processing must allow or confirm the unique identification of a natural person.

This is where synthetic media becomes legally sensitive.

  • If a system replicates a specific individual’s face to authenticate identity in a verification system, it is using biometric characteristics for identification.
  • If a cloned voice is used to pass voice-based authentication in banking or corporate security systems, it engages biometric identification.
  • If facial replication is used to match a synthetic image against a real database of individuals, the identification threshold is clearly met.

In these circumstances, the system is engaging in biometric processing because it technically processes unique characteristics capable of singling out a person.

However, realism alone is insufficient. A synthetic face that resembles a person but is not used to identify or verify that person does not automatically constitute biometric data under Article 4(14). The identification function is the decisive factor.

Article 9 Special Category Processing Is Triggered Where the Biometric Data Is Used for Identification

Article 9 includes “biometric data for the purpose of uniquely identifying a natural person” among categories of data that are, in principle, prohibited from processing unless one of the Article 9(2) exceptions applies.

Not all biometric data falls under Article 9. Only biometric data processed for the purpose of uniquely identifying a person triggers the special category regime.

If a generative AI system processes facial feature vectors to verify whether a person matches a stored identity profile, the purpose is identification. Article 9 is triggered. The controller must then rely on one of the limited exceptions in Article 9(2), such as:

  • Explicit consent
  • Substantial public interest under EU or Member State law
  • Legal claims
  • Employment or social security law grounds

Absent such an exception, the processing is unlawful.

Once the identification purpose exists, compliance obligations intensify. A lawful basis under Article 6 is no longer sufficient. Article 9 must also be satisfied.

This is a higher regulatory threshold with significantly increased enforcement risk.

When Article 9 is Not Triggered

If biometric characteristics are processed but not for the purpose of uniquely identifying a person, Article 9 is not automatically triggered.

For example:

  • A synthetic character generated using aggregated facial data that cannot be traced back to a specific individual.
  • A voice model trained on multiple recordings, but not deployed to verify or authenticate identity.
  • A deepfake created for parody that does not function within an identification system.

In such scenarios, the data may still qualify as personal data if a person is identifiable. It may even involve biometric traits in a descriptive sense. But unless the processing is carried out for identification purposes, the special category prohibition under Article 9 does not apply.

What Lawful Basis Is Required for Synthetic Media Processing?

Once synthetic media falls within the scope of the General Data Protection Regulation — because it involves processing of personal data — the next step is unavoidable: what lawful basis permits the processing?

Under Article 6(1), processing of personal data is lawful only if at least one of the listed grounds applies. There is no “AI exception.” The controller must identify and document a valid legal basis before collecting training data, generating synthetic outputs tied to individuals, or distributing that content.

Synthetic Media Processing Requires a Valid Article 6 Lawful Basis in All Cases

Article 6(1) provides six possible lawful bases:

  • Consent
  • Performance of a contract
  • Compliance with a legal obligation
  • Protection of vital interests
  • Performance of a task carried out in the public interest or exercise of official authority
  • Legitimate interests pursued by the controller or a third party

In commercial synthetic media deployments, the most realistic candidates are consent (Article 6(1)(a)) and legitimate interests (Article 6(1)(f)). Contract may apply in limited contexts, such as where an actor contractually agrees to digital replication. Public interest grounds may arise in limited governmental settings; journalistic uses are more often handled through the Member State derogations permitted by Article 85 rather than through Article 6(1)(e).

The lawful basis must exist at each relevant stage of processing. Controllers cannot rely on a vague assertion that the output is “creative” or “innovative.” The GDPR requires legal grounding for the processing itself.

Importantly, the chosen lawful basis shapes the compliance architecture: the transparency information due under Articles 13 and 14, the withdrawal right that accompanies consent under Article 7(3), the objection right that accompanies legitimate interests under Article 21, and the record of processing activities under Article 30.

Explicit Consent

Where synthetic media replicates a specific, identifiable individual — particularly their face, voice, or likeness — consent is often the most appropriate lawful basis.

Under Article 4(11), consent must be freely given, specific, informed, and unambiguous. Article 7 adds conditions concerning demonstrability and withdrawal. If the processing involves special category data (for example, biometric identification under Article 9), consent must be explicit.

Replication of a person’s likeness carries significant risks to dignity, reputation, and identity autonomy. The more precise and individualized the synthetic reproduction, the stronger the case that consent is required to ensure fairness and lawfulness under Article 5(1)(a).

For consent to be valid in this context:

  • The individual must understand that their image, voice, or biometric traits will be used to generate synthetic content.
  • The scope of use must be clearly defined (commercial advertising, internal simulation, entertainment, etc.).
  • The individual must be able to withdraw consent at any time, and withdrawal must be as easy as giving it.

Blanket consent buried in platform terms is unlikely to satisfy GDPR standards where realistic digital replication is involved. Supervisory authorities assess consent strictly, especially where there is imbalance of power or significant impact on the data subject.

In high-risk synthetic replication, reliance on anything less than explicit, documented consent may expose controllers to serious enforcement risk.

Legitimate Interests

Article 6(1)(f) permits processing where it is necessary for the legitimate interests pursued by the controller or a third party, except where overridden by the interests or fundamental rights and freedoms of the data subject.

This requires a structured three-part test, of which the balancing exercise is the final step:

  1. Purpose test — Is there a legitimate interest?
    Examples might include fraud detection, security research, artistic expression, or technological development.
  2. Necessity test — Is the processing necessary for that purpose?
    Could the objective be achieved without replicating identifiable individuals?
  3. Balancing test — Do the individual’s rights override the interest?
    This includes considering the nature of the data, reasonable expectations, potential harm, and safeguards implemented.

In synthetic media cases, the balancing test is highly contextual. Replicating a public figure for clearly labeled satire may weigh differently from cloning a private individual’s voice for commercial exploitation. The more intrusive, realistic, or reputation-sensitive the output, the harder it becomes to justify reliance on legitimate interests.

Controllers must document this balancing assessment as accountability requires demonstrable compliance.

Who Is the Controller or Processor in Synthetic Media Ecosystems?

Synthetic media is not created for its own sake. It is deployed in advertising campaigns, political messaging, internal corporate training, entertainment production, and increasingly in fraud schemes.

In all such scenarios, the GDPR assigns responsibility according to who decided to use a person’s identity, likeness, or biometric traits in that context, not according to who operated the generation tool.

Under Article 4(7), the controller is the entity that determines the purposes and essential means of processing. In synthetic media environments, that determination often occurs at the moment identity is intentionally deployed.

Control Arises Where Identity Is Deliberately Replicated

When a company launches a campaign using a synthetic spokesperson modelled on a real individual, that company determines:

  • Why the likeness is being used (commercial persuasion),
  • In what markets it will appear,
  • How long it will circulate,
  • Whether it will be modified or localized.

That entity is the controller for that deployment — even if the underlying generative tool was built elsewhere.

The same logic applies where:

  • A studio recreates an actor’s digital performance,
  • A political organization distributes AI-generated speeches,
  • A business clones an executive’s voice for automation.

The controller is the entity that decides to operationalize identity.

Private Individuals Can Also Be Controllers Under the GDPR

The General Data Protection Regulation applies not only to companies, but to “natural or legal persons” who determine the purposes and means of processing (Article 4(7)). The Regulation does not distinguish between corporate and private actors at the definitional level.

The only structural limitation relevant to private citizens appears in Article 2(2)(c): the GDPR does not apply to processing carried out by a natural person “in the course of a purely personal or household activity.” This is commonly referred to as the household exemption.

However, this exemption is interpreted narrowly.

In Ryneš (C-212/13), the Court of Justice of the European Union held that a home CCTV system lost the household exemption because it captured part of a public street. The Court reasoned that once processing extends beyond the private sphere, it is no longer “purely personal.” The principle derived from that judgment is functional: public-facing processing does not benefit from the exemption merely because it is carried out by an individual.

Applied to synthetic media, this means:

  • If a private individual creates and publishes a deepfake of an identifiable person on a public social media account,
  • If an individual clones someone’s voice to conduct a fraud scheme,
  • If someone distributes AI-generated content targeting a real person’s likeness or reputation to a broad audience,

the activity is unlikely to qualify as “purely personal.”

In those situations, the individual determines:

  • The purpose of processing (e.g., satire, deception, harassment, financial gain), and
  • The means of processing (selection of tools, choice of subject, method of dissemination).

Under Article 4(7), that individual meets the definition of a controller.

Model Providers and Platforms May Be Controllers in Parallel

Responsibility does not necessarily rest only with the person generating the content.

If a technology provider:

  • Trains its system on identifiable faces or voices,
  • Retains user-generated outputs for model refinement,
  • Designs systems specifically optimized for realistic identity replication,

it may independently determine processing purposes.

In such cases, controller responsibility can exist at multiple layers. The individual deploying a deepfake may be a controller for dissemination. The platform hosting or monetizing that content may be a controller for distribution and amplification. The model developer may be a controller for training and system design.

Synthetic ecosystems frequently produce parallel or joint controllership, not singular responsibility.

Processor Status Is Narrow and Instruction-Bound

An entity qualifies as a processor only where it processes personal data strictly on documented instructions and does not determine its own purposes.

Cloud infrastructure providers hosting AI systems may fall into this category — but only if they do not reuse, analyze, or independently exploit the data.

The moment an entity shapes purpose — through analytics, model improvement, monetization strategies, or algorithmic prioritization — it may move into controller territory.

When Is a Data Protection Impact Assessment (DPIA) Required?

Under the GDPR, a Data Protection Impact Assessment (DPIA) is required whenever processing crosses into “high risk” territory. Article 35(1) states that a DPIA is required where processing is “likely to result in a high risk to the rights and freedoms of natural persons.” The legal test is forward-looking and risk-based. The obligation is triggered not by harm already occurring, but by the likelihood and severity of potential harm.

Where Synthetic Media Processing Is Likely to Result in High Risk

The GDPR does not provide a closed definition of “high risk.” However, it links the assessment directly to impacts on fundamental rights protected under EU law, including privacy, dignity, non-discrimination, and personal integrity. Risk becomes “high” where processing could significantly affect an individual’s legal position, economic interests, reputation, or access to services — particularly where biometric identification, profiling, or automated decision-making is involved (Articles 22 and 35(3)).

To clarify what “likely high risk” means in practice, the former Article 29 Working Party adopted its Guidelines on DPIA and determining whether processing is likely to result in a high risk (WP248 rev.01) in 2017. These Guidelines were later endorsed by the European Data Protection Board (EDPB), which replaced WP29 in 2018. They remain authoritative interpretative guidance at EU level.

In WP248 rev.01, the Working Party identified nine criteria that increase the likelihood that a DPIA is required. High risk is more likely where processing involves:

  • Evaluation or scoring of individuals (including profiling and prediction of behavior or characteristics)
  • Automated decision-making with legal or similarly significant effects (Article 22 context)
  • Systematic monitoring, especially of publicly accessible areas
  • Sensitive data or highly personal data, including biometric data under Article 9
  • Large-scale processing
  • Matching or combining datasets
  • Data concerning vulnerable individuals
  • Innovative use or application of new technological solutions
  • Processing that prevents individuals from exercising a right or accessing a service

Crucially, the Guidelines state that where processing meets two or more of these criteria, a DPIA will generally be required.

Synthetic media systems frequently satisfy multiple criteria simultaneously.

For example:

  • AI-driven facial reenactment or voice-cloning tools may involve biometric data used for identification (Article 9).
  • Generative AI models qualify as innovative technological applications.
  • Platform-wide deployment can amount to large-scale processing.
  • Deepfakes used against automated identity verification can produce decisions with significant effects for the person impersonated (a failed verification that locks them out, or a fraudulent transaction approved in their name).
  • Content scraping or mass analysis of publicly available images may constitute systematic monitoring.

Even where the final output is “synthetic,” if the model is trained on, derived from, or capable of identifying real individuals, the processing remains within GDPR scope. The DPIA analysis must therefore consider not only the artificial output but also the data inputs, training datasets, deployment context, and downstream risks.

Ultimately, where synthetic media processing creates a realistic likelihood of identity misuse, reputational harm, discriminatory profiling, manipulation, or exclusion from services — and particularly where multiple WP248 criteria are present — Article 35 makes a DPIA mandatory, not discretionary.

Large-Scale Biometric or Systematic Monitoring Through Synthetic Media

While Article 35(1) establishes the general “likely high risk” test, Article 35(3) goes further by identifying situations where a DPIA is specifically required.

Under Article 35(3), a DPIA is mandatory in particular where there is:

  • Systematic and extensive evaluation of personal aspects based on automated processing, including profiling, where decisions produce legal or similarly significant effects;
  • Large-scale processing of special categories of data, including biometric data under Article 9;
  • Systematic monitoring of a publicly accessible area on a large scale.

These are statutory triggers.

For synthetic media systems, the second and third triggers are especially relevant.

Large-Scale Biometric Processing

As stated earlier, if a synthetic media platform processes facial geometry, voice patterns, or other identifiers used to uniquely identify individuals, it may be processing biometric data within the meaning of Article 4(14) GDPR.

Where such biometric data is processed on a large scale, Article 35(3)(b) requires a DPIA.

“Large scale” is not defined numerically in the Regulation, but WP248 rev.01 clarifies that it should be assessed by considering:

  • The number of data subjects concerned
  • The volume and range of data processed
  • The duration or permanence of processing
  • The geographical extent

A deepfake engine trained on millions of scraped facial images or deployed across a global platform will strongly point toward large-scale processing.

Systematic Monitoring

Article 35(3)(c) requires a DPIA for systematic monitoring of publicly accessible areas on a large scale. While originally framed with CCTV in mind, supervisory authorities have interpreted “monitoring” more broadly to include structured observation or tracking of individuals’ behavior online.

If synthetic media systems scrape public images, analyze user-generated content at scale, or automatically detect and classify manipulated media across platforms, the systematic element may be present.

In these Article 35(3) scenarios, the DPIA is not triggered merely because the risk seems serious. It is triggered because the Regulation itself identifies these operations as inherently risk-prone.

Deepfake Technologies Create Specific Risks That Strengthen the Case for Conducting a DPIA

Even where Article 35(3) does not automatically apply, deepfake technologies often satisfy multiple WP248 high-risk criteria simultaneously. The risk analysis therefore becomes legally structured rather than speculative.

a) Manipulation and Profiling Risk

Where synthetic media is used to simulate speech or conduct in a way that influences perception, employment decisions, political participation, or access to services, the processing may qualify as:

  • Evaluation or scoring of individuals, or
  • Automated decision-making with significant effects.

WP248 expressly lists these as high-risk criteria.

b) Identity Fraud and Biometric Exploitation

Voice cloning and facial synthesis systems may process biometric identifiers capable of uniquely identifying a person. If such systems enable impersonation or bypass authentication systems, the risk is not merely reputational — it affects legal and economic rights.

This links directly to:

  • Article 9 (special category biometric data), and
  • Article 35(1) (risk to rights and freedoms).

c) Reputational and Dignitary Harm

The GDPR protects more than financial interests. Recitals 75 and 85 explicitly recognize risks such as:

  • Identity theft or fraud
  • Damage to reputation
  • Loss of confidentiality
  • Significant social disadvantage

Non-consensual deepfake pornography, fabricated criminal confessions, or falsified corporate communications fall squarely within these risk categories.

When synthetic media processing plausibly creates the types of harm identified in Recital 75, the “likely high risk” threshold under Article 35(1) is strengthened.

The Procedural Consequence

Where a DPIA is required, Article 35(7) mandates that it:

  • Describe the processing operations and purposes
  • Assess necessity and proportionality
  • Evaluate risks to rights and freedoms
  • Identify measures to address those risks

If residual high risk remains after mitigation, Article 36 requires prior consultation with the supervisory authority before processing begins.

How Do Data Subject Rights Apply to AI-Generated Synthetic Media?

Under the law, data subject rights apply whenever synthetic media processing involves personal data relating to an identifiable natural person (Article 4(1)).

Transparency Obligations Apply Wherever Personal Data Is Used

Articles 12–14 GDPR impose mandatory transparency obligations on controllers.

Where synthetic media is created using personal data, such as scraped images, voice recordings, or biometric templates, the controller must:

  • Inform the individual of the identity of the controller (Article 13(1)(a))
  • State the purposes and legal basis of processing (Article 13(1)(c))
  • Identify recipients of the data (Article 13(1)(e))
  • Explain retention periods (Article 13(2)(a))
  • Inform individuals of their rights (Articles 13(2)(b)–(f))

If the personal data was not obtained directly from the individual, for example, scraped from social media to train a deepfake model, Article 14 applies. In such cases, the controller must inform the data subject within a reasonable period (no later than one month), unless one of the Article 14(5) exemptions applies, such as where providing the information would involve disproportionate effort; that exemption is read narrowly and still requires appropriate safeguards.

Given that facial images capable of identifying a person constitute personal data, synthetic systems that rely on such images are subject to the same transparency obligations.

Failure to provide this notice is an infringement of Articles 12–14 in its own right and can independently attract administrative fines under Article 83.

In short: if personal data is used to generate or deploy synthetic media, transparency is legally required — even where the final output is AI-generated.

Can Individuals Invoke the Right to Erasure Where Synthetic Media Unlawfully Replicates Their Identity?

Article 17 GDPR establishes the right to erasure (“right to be forgotten”).

A data subject may require deletion where:

  • The data is no longer necessary for its original purpose (Article 17(1)(a));
  • Consent was the legal basis and is withdrawn (Article 17(1)(b));
  • The individual successfully objects under Article 21 (Article 17(1)(c));
  • The data has been unlawfully processed (Article 17(1)(d)).

In the synthetic media context, this becomes particularly relevant where:

  • A person’s face or voice was used without a lawful basis;
  • A deepfake replicates an identifiable individual without consent;
  • Biometric identifiers were processed in violation of Article 9.

If processing lacks a valid legal basis under Article 6, or a valid exception under Article 9 for biometric data, the data subject has a direct statutory claim to erasure.

Importantly, Article 17(2) extends the obligation where data has been made public. Controllers must take “reasonable steps” to inform other controllers processing the data that the data subject has requested erasure. This is highly relevant in viral deepfake dissemination scenarios.

The right is not absolute, though. Article 17(3) provides exceptions, such as freedom of expression or legal claims. However, these must be interpreted strictly and balanced against fundamental rights under the EU Charter.

Where synthetic media unlawfully replicates a person’s identity, Article 17 provides a direct legal remedy.

The Right to Object Applies Where Synthetic Media Processing Is Based on Legitimate Interests

Many synthetic media systems rely on Article 6(1)(f) — legitimate interests — particularly for model training, content analysis, or security-related applications.

Article 21(1) gives individuals the right to object at any time to processing based on legitimate interests.

Once an objection is raised, the controller must stop processing unless it demonstrates:

  • Compelling legitimate grounds that override the interests, rights, and freedoms of the data subject; or
  • That processing is necessary for legal claims.

This shifts the burden of justification onto the controller.

According to the Court of Justice of the European Union, legitimate interests require a three-part test:

  1. Existence of a legitimate interest;
  2. Necessity of processing for that interest;
  3. Balancing against the individual’s rights.

If a synthetic media platform trains models on publicly available photos without consent and relies on legitimate interests, individuals may object. The controller must then perform a documented balancing test.

Where biometric data is processed for the purpose of uniquely identifying a person, legitimate interests alone are insufficient: Article 9 requires a separate special category condition in addition to the Article 6 basis.

Therefore, the right to object becomes a powerful mechanism against non-consensual AI training or deployment.

Distributed AI Systems May Create Practical Barriers to Effective Rights Enforcement

While the GDPR rights framework is robust on paper, synthetic media ecosystems introduce enforcement complexities.

Many AI systems are:

  • Trained across multiple jurisdictions;
  • Developed by one entity and deployed by another;
  • Hosted on decentralized or user-driven platforms;
  • Integrated via APIs into third-party services.

In distributed AI systems, identifying the controller – the entity determining the purposes and means of processing – can be legally and factually complex.

And with regards to joint controllership – where multiple entities jointly determine purposes and means – the Court of Justice clarified in cases such as Wirtschaftsakademie (C-210/16) and Fashion ID (C-40/17) that it can extend to entities that influence processing parameters, even if they do not directly access the data.

This matters because data subject rights must be exercisable against an identifiable controller (Articles 12–22). If synthetic media is generated by anonymous users or decentralized models, practical enforcement becomes difficult — though the legal obligation still exists.

Additionally:

  • Viral redistribution complicates Article 17(2) erasure obligations;
  • Open-source models raise questions about who determines “means”;
  • Cross-border deployments trigger the one-stop-shop mechanism (lead supervisory authority and cooperation procedure under Articles 56 and 60).

The GDPR does not suspend rights merely because systems are technologically complex. However, distributed AI architectures may create procedural and jurisdictional barriers that make enforcement slower or fragmented.

What Are the Enforcement and Liability Risks?

Where synthetic media processing falls within the scope of the General Data Protection Regulation (GDPR), there are consequences to non-compliance. The Regulation establishes administrative, civil, and structural liability mechanisms that apply regardless of whether the actor is a multinational company, a startup, or, in certain cases, a private individual acting outside the household exemption.

The legal risks arise from the Regulation’s structure itself.

1) Administrative Fines For Unlawful Synthetic Media Processing

Article 83 empowers regulatory authorities to impose administrative fines where controllers or processors infringe the Regulation.

The Article does not merely mention fines in general terms. It sets two distinct tiers:

a) Higher Tier — Up to €20 Million or 4% of Global Annual Turnover

Under Article 83(5), infringements of the following may trigger fines of up to:

  • €20 million, or
  • 4% of total worldwide annual turnover of the preceding financial year, whichever is higher.

This higher tier applies to violations of:

  • The basic principles of processing (Article 5)
  • Lawfulness of processing (Article 6)
  • Conditions for consent (Article 7)
  • Special category data, including biometric data (Article 9)
  • Data subject rights (Articles 12–22)
  • Transfers to third countries (Chapter V)

Therefore, if a synthetic media platform:

  • Processes facial or voice data without a lawful basis (Article 6),
  • Uses biometric identifiers without meeting Article 9 conditions,
  • Ignores erasure or objection requests (Articles 17 and 21),

It exposes itself to the higher-tier penalty structure.

b) Lower Tier — Up to €10 Million or 2% of Global Annual Turnover

Article 83(4) provides for fines up to:

  • €10 million, or
  • 2% of total worldwide annual turnover of the preceding financial year, whichever is higher.

This applies to violations such as:

  • Failure to conduct a required DPIA (Article 35)
  • Failure to appoint a DPO where required (Article 37)
  • Failure to implement appropriate security measures (Article 32)

If a deepfake system processes biometric data at scale without conducting a mandatory DPIA, Article 83(4) becomes directly relevant.

How Fines Are Determined

Article 83(2) requires authorities to consider:

  • The nature, gravity, and duration of the infringement
  • Whether it was intentional or negligent
  • Categories of data affected
  • Degree of cooperation
  • Previous infringements

So, where synthetic media involves intentional impersonation, non-consensual identity replication, or large-scale biometric misuse, the “nature and gravity” element becomes particularly significant.

2) Civil Liability Arises Where Individuals Suffer Material or Non-Material Damage

Administrative fines are not the only risk.

Article 82 creates a direct right to compensation.

It states:

“Any person who has suffered material or non-material damage as a result of an infringement of this Regulation shall have the right to receive compensation from the controller or processor for the damage suffered.”

This provision is powerful for synthetic media cases because:

  • “Material damage” includes financial loss (e.g., fraud enabled by voice cloning).
  • “Non-material damage” includes emotional distress, reputational harm, and loss of control over personal data.

And according to the Court of Justice of the European Union, non-material damage is compensable under Article 82, provided actual damage is proven — even if no economic loss occurred.

This means that a person targeted by a defamatory deepfake or non-consensual synthetic content may bring a civil claim for damages, independent of regulatory enforcement.

Joint and Several Liability

Article 82(4) states that where multiple controllers or processors are involved in the same processing, each may be held liable for the entire damage to ensure effective compensation. The liable party may later seek contribution from others involved.

For distributed AI systems, this significantly expands litigation exposure.

3) Reputational and Commercial Harm Extends Beyond Regulatory Penalties

The GDPR expressly recognizes reputational harm as a legally relevant risk.

Recital 75 states that processing may result in risks including:

  • Identity theft or fraud
  • Financial loss
  • Damage to reputation
  • Loss of confidentiality
  • Significant social disadvantage

Recital 85 further notes that personal data breaches may lead to “damage to reputation” and other significant economic or social disadvantages.

Where a synthetic media system generates non-consensual likenesses, deepfake pornography, fabricated corporate communications, or impersonation content, the reputational consequences can be immediate and viral.

Even where regulatory fines are avoided, organizations may face:

  • Loss of user trust
  • Contract termination by partners
  • Investor withdrawal
  • Platform bans
  • Litigation costs
  • Cross-border regulatory scrutiny

In high-profile AI misuse cases, reputational collapse often precedes formal regulatory sanctions.

How Does the EU AI Act Interact with GDPR for Synthetic Media?

The relationship between the EU Artificial Intelligence Act and the General Data Protection Regulation is cumulative, not alternative.

The GDPR governs personal data processing.
The AI Act governs AI systems placed on the EU market or put into service, regardless of whether personal data is involved.

If a synthetic media system processes personal data and qualifies as an AI system under the AI Act, both legal regimes apply simultaneously. The AI Act itself confirms this structure: it states that it is without prejudice to existing Union data protection law, meaning it does not replace or override the GDPR.

For synthetic media and deepfake systems, this dual application is the rule rather than the exception.

AI Act Transparency Obligations Complement GDPR Information Duties

The AI Act introduces specific transparency obligations for certain AI systems, including synthetic media.

a) Deepfake Disclosure Requirements

Article 50 of the AI Act requires that:

  • Providers of AI systems (including general-purpose AI systems) that generate synthetic audio, image, video or text content must ensure that the output is marked in a machine-readable format and is detectable as artificially generated or manipulated (Article 50(2)).
  • Deployers of AI systems that generate or manipulate image, audio or video content constituting a deep fake must disclose that the content has been artificially generated or manipulated (Article 50(4)). Limited exceptions exist, such as use authorised by law to detect or prosecute crime, and evidently artistic, satirical or fictional works, where disclosure must be made in a way that does not hamper the display or enjoyment of the work.

This provision directly targets deepfakes.

The obligation is not about data protection; it is about preventing deception and protecting public trust. However, where synthetic media involves identifiable individuals, this transparency layer sits on top of GDPR duties.

b) GDPR Information Duties

Under Articles 13 and 14 GDPR, where personal data is processed, controllers must inform individuals about:

  • The identity of the controller
  • The purposes of processing
  • The legal basis relied upon
  • The recipients of the data
  • The retention period
  • The existence of rights such as access, erasure, and objection

Where a synthetic media system is trained on scraped images or voice recordings, Article 14 requires that individuals be informed even if the data was not obtained directly from them, unless a narrowly interpreted exception applies.

How the Duties Interact
  • The AI Act requires disclosure that content is AI-generated.
  • The GDPR requires disclosure that personal data is being processed and explains why and how.

A compliant synthetic media provider must therefore:

  • Label the output as AI-generated (AI Act Article 50), and
  • Inform individuals about personal data processing (GDPR Articles 13–14).

One does not replace the other. They address different legal risks: deception versus unlawful data processing.

Certain Synthetic Media Systems May Be Classified as High-Risk AI Under the AI Act

The AI Act establishes a risk-based classification system:

  • Prohibited AI practices
  • High-risk AI systems
  • Limited-risk systems with transparency duties
  • Minimal-risk systems

Synthetic media systems can fall into different categories depending on their function.

High-Risk AI Systems

Under Article 6 and Annex III of the AI Act, an AI system is classified as high-risk if it is intended to be used in specific sensitive areas, including:

  • Biometric identification and categorisation of natural persons
  • Access to education
  • Employment and worker management
  • Access to essential services (e.g., credit scoring)
  • Law enforcement and migration control

If a synthetic media system is used in any of these specific areas, it may qualify as high-risk.

High-risk classification triggers extensive obligations under the AI Act, including:

  • Risk management systems (Article 9)
  • Data governance and data quality requirements (Article 10)
  • Technical documentation (Article 11)
  • Record-keeping and logging (Article 12)
  • Transparency and instructions for use (Article 13)
  • Human oversight measures (Article 14)
  • Accuracy, robustness, and cybersecurity requirements (Article 15)

These obligations apply at the level of the AI system itself, not merely to personal data.

If the same system processes biometric data, Article 9 GDPR (special category data) and Article 35 GDPR (DPIA requirement) may simultaneously apply.

This means that, for example, a face or voice authentication system built on synthetic-media techniques may be:

  • A high-risk AI system under the AI Act; and
  • Special category biometric processing under the GDPR.

Each regime imposes separate but overlapping compliance duties.

Organizations Must Integrate GDPR and AI Act Compliance into a Unified Governance Strategy

Because the two Regulations operate concurrently, compliance cannot be siloed.

a) Risk Assessment Alignment
  • The GDPR requires a Data Protection Impact Assessment under Article 35 where processing is likely to result in high risk.
  • The AI Act requires a formal risk management system for high-risk AI systems under Article 9.

In practice, organizations deploying synthetic media systems will need to align these processes so that:

  • Data protection risks (privacy, identity misuse, discrimination)
  • AI system risks (accuracy, bias, cybersecurity, manipulation)

are evaluated together rather than separately.

b) Documentation and Accountability

GDPR Article 5(2) establishes the principle of accountability: the controller “shall be responsible for, and be able to demonstrate compliance.”

Similarly, the AI Act requires technical documentation sufficient to demonstrate conformity before placing a high-risk AI system on the market.

This creates parallel documentation duties:

  • GDPR compliance documentation (lawful basis, DPIAs, processing records under Article 30);
  • AI Act conformity documentation and post-market monitoring.

A synthetic media provider operating in the EU will likely need both.

c) Enforcement Landscape

GDPR enforcement is led by data protection authorities under Articles 51–59.

The AI Act introduces national market surveillance authorities responsible for enforcing AI system obligations.

Therefore, a synthetic media provider may face:

  • GDPR investigation for unlawful personal data processing;
  • AI Act enforcement for failing to label deepfakes or comply with high-risk system requirements.

Penalties under the AI Act can also be significant, reaching up to €35 million or 7% of global annual turnover for certain prohibited practices.

A Step-by-Step GDPR Compliance Roadmap for Using Synthetic Media

One thing to note is that the GDPR does not contain a “synthetic media section.” It regulates outcomes: the processing of personal data.

If an AI-generated avatar, deepfake, voice clone, or facial reenactment system involves identifiable individuals, the GDPR framework applies in full.

What follows is an execution sequence grounded in the Regulation’s structure — designed for:

  • AI startups
  • Large platforms
  • Marketing teams
  • Security vendors
  • Developers
  • And even private individuals acting outside the household exemption

Step 1 – Determine Whether the Output Is Personal or Biometric Data

Everything begins with qualification.

Under Article 4(1), “personal data” means any information relating to an identified or identifiable natural person. A person is identifiable if they can be identified directly or indirectly, including by reference to an identifier such as a name, identification number, location data, or “one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity.”

Synthetic media often falls within this definition if:

  • A deepfake realistically depicts a specific person
  • A voice clone reproduces a real individual’s vocal patterns
  • A facial synthesis model is trained to replicate identifiable likeness

Even if the output is artificial, it “relates to” a person if it represents or can identify them.

Biometric Data Assessment

Article 4(14) defines biometric data as personal data resulting from specific technical processing relating to physical or behavioural characteristics that allow or confirm unique identification.

If your system:

  • Extracts facial geometry,
  • Maps voiceprints,
  • Generates identity-authentication templates,

you are likely processing biometric data.

If biometric data is used for identification, Article 9 applies. Article 9(1) prohibits processing of biometric data for the purpose of uniquely identifying a person unless a specific exception applies.

You must document this classification analysis. If you misclassify, every subsequent step collapses.

Step 2 – Identify the Correct Lawful Basis

Article 6(1) states that processing is lawful only if one of six legal bases applies.

You must explicitly select and document one.

Common Bases in Synthetic Media Context

Consent (Article 6(1)(a))
Must be freely given, specific, informed, and unambiguous (Article 4(11), Article 7). Pre-ticked boxes or bundled consent are invalid. Consent must also be withdrawable.

If you rely on consent to generate AI avatars from a person’s face, withdrawal must result in cessation and potentially erasure (Article 17).

Contract (Article 6(1)(b))
Applies only where processing is necessary for performing a contract with the individual. It cannot be stretched to justify unrelated model training.

Legitimate Interests (Article 6(1)(f))
Requires a three-part test:

  1. A legitimate interest exists.
  2. Processing is necessary for that interest.
  3. The interest is not overridden by the individual’s rights and freedoms.

You must perform and document a balancing test.

Special Category Rule

If biometric data is used for identification, Article 9(2) requires an additional condition (e.g., explicit consent).

An Article 6 lawful basis on its own is insufficient for Article 9 biometric identification processing; an Article 9(2) condition must be met as well.

Failure to correctly identify the lawful basis exposes you to higher-tier fines.

Step 3 – Allocate Controller and Processor Roles

Article 4(7) defines a controller as the entity that determines the purposes and means of processing.

Article 4(8) defines a processor as the entity processing personal data on behalf of the controller.

Synthetic media systems often involve:

  • Model developers
  • Cloud hosting providers
  • API distributors
  • End-user deployers

You must determine:

  • Who decides why the data is processed?
  • Who decides how it is processed?

If two or more entities jointly determine purposes and means, Article 26 applies. A transparent arrangement allocating responsibilities must be put in place.

If you act as a processor, Article 28 requires a written data processing agreement containing specific mandatory clauses.

Misallocating roles does not avoid liability. Article 82 establishes joint and several liability for damage.

Even individuals operating outside companies must ask:
“Am I determining purpose and means in a non-household context?” If yes, you may qualify as a controller.

Step 4 – Conduct and Document a DPIA

Article 35(1) requires a Data Protection Impact Assessment where processing is likely to result in high risk to rights and freedoms.

A DPIA is mandatory in particular where Article 35(3) applies, including:

  • Systematic and extensive automated evaluation
  • Large-scale processing of special categories (including biometric data)
  • Systematic monitoring of publicly accessible areas

Article 35(7) specifies that a DPIA must include:

  • A description of processing operations and purposes
  • An assessment of necessity and proportionality
  • An assessment of risks to rights and freedoms
  • Measures envisaged to address risks and demonstrate compliance

This is not a checklist exercise. It is a structured legal risk analysis.

If residual high risk remains after mitigation, Article 36 requires prior consultation with the supervisory authority.

Failure to conduct a required DPIA falls under Article 83(4) penalty exposure.

Step 5 – Implement Transparency and Rights Mechanisms

Transparency is not optional.

Information Duties

Articles 13 and 14 require that individuals be informed of:

  • Identity of the controller
  • Purposes of processing
  • Legal basis
  • Recipients
  • Retention period
  • Rights available

If data is scraped from public sources to train synthetic models, Article 14 requires notice unless an exemption strictly applies.

Rights Handling System

You must implement mechanisms for:

  • Access requests (Article 15)
  • Rectification (Article 16)
  • Erasure (Article 17)
  • Restriction (Article 18)
  • Data portability (Article 20)
  • Objection (Article 21)
  • Safeguards against automated decision-making (Article 22)

Deadlines matter. Article 12(3) requires a response without undue delay and in any event within one month of receipt, extendable by two further months where necessary given the complexity and number of requests, provided the individual is informed of the extension within the first month.

If synthetic content goes viral, Article 17(2) requires reasonable steps to inform other controllers of erasure requests.

For individuals acting publicly with synthetic media, ignoring a rights request can itself constitute an infringement.

Step 6 – Monitor Regulatory Developments and Enforcement Trends

Compliance is not static.

The GDPR requires accountability (Article 5(2)): you must be able to demonstrate compliance at any time.

In addition:

  • The EU Artificial Intelligence Act imposes separate transparency and risk-management duties for AI systems.
  • National supervisory authorities publish lists of processing operations requiring DPIAs (Article 35(4)).
  • Court of Justice rulings continue to shape interpretation of lawful basis, damage claims, and controllership.

Organizations should:

  • Review DPIAs periodically
  • Audit training datasets
  • Monitor complaints and enforcement decisions
  • Update legitimate interest assessments
  • Track cross-border exposure

Private individuals operating public synthetic media accounts should at minimum:

  • Avoid processing identifiable individuals without consent
  • Remove content promptly upon valid objection or erasure request
  • Avoid biometric identification processing entirely without explicit consent

Ultimately, compliance is not about slowing innovation or avoiding AI tools. It is about recognizing that identity, likeness, and voice are legally protected interests. Whether the actor is a platform, a startup, a marketing team, or an individual posting publicly online, the moment synthetic media moves beyond purely private use, accountability begins.
