Article 61 of Regulation (EU) 2024/1689 — Further processing of personal data for the development of certain AI systems in the public interest. Official text, practical interpretation, key obligations and compliance implications.
Official Text Summary
Article 61 of Regulation (EU) 2024/1689 establishes a specific framework permitting the further processing of personal data — that is, the use of data originally collected for one purpose for the subsequent purpose of training, testing, or validating certain AI systems — where this is necessary for the development of AI systems in the public interest.
The article specifies that such further processing is permissible where it serves objectives of substantial public interest, including public security, the prevention, investigation, detection, or prosecution of criminal offences, public health, and the management of humanitarian emergencies or natural disasters. This list of objectives directly mirrors categories of legitimate public interest processing already recognised under Union law.
Crucially, Article 61 does not create a freestanding derogation from the GDPR. It operates by confirming that such further processing may be regarded as compatible with the original purpose of collection — the compatibility test under Article 6(4) of the GDPR — provided that Union or Member State law provides a legal basis for the further processing and appropriate safeguards are in place. The processing must remain limited to what is necessary for the specific public interest objective pursued, and the relevant data protection principles of minimisation, accuracy, storage limitation, and integrity continue to apply in full throughout the development lifecycle of the AI system.
What This Means in Practice
Article 61 addresses a recurring tension in AI development: organisations or public bodies that have accumulated personal data for one lawful purpose — for example, a hospital collecting patient records for clinical care, or a law enforcement agency collecting data for an ongoing investigation — wish to use that data to train or validate an AI model serving a broader public benefit.
Without a clear framework, this reuse raises compatibility questions under the GDPR. Article 61 resolves this by confirming that such further processing can be lawful, but only where three conditions are met simultaneously.
First, the AI system being developed must target one of the enumerated public interest objectives: public security, criminal law enforcement, public health, or emergency management. Purely commercial AI projects, even those claiming societal benefit, do not qualify.
Second, a specific legal basis under Union or Member State law must authorise the further processing. Organisations cannot self-certify that their project meets the threshold — a legislative or regulatory provision must exist that explicitly permits or mandates the processing for the relevant purpose.
Third, all standard GDPR safeguards must be observed throughout. This includes conducting a Data Protection Impact Assessment (DPIA) where processing is likely to result in high risk, applying data minimisation and pseudonymisation where possible, and honouring data subject rights to the extent permitted by the applicable exemptions under the GDPR (for example, Article 23 restrictions for law enforcement purposes).
In practice, a public health agency seeking to develop a disease-outbreak prediction model from patient datasets collected during routine care would need to identify the national public health law that authorises the reuse, implement appropriate technical and organisational safeguards, and document the entire processing rationale. A private security technology firm, by contrast, would need to demonstrate not only a qualifying objective but also an explicit statutory authorisation — a considerably higher bar.
Key Obligations
- Establish a lawful basis in national or Union law: further processing is only permitted where Union or Member State law explicitly authorises that processing for the specified public interest objective; organisations must identify and document the applicable legal instrument before any reuse commences.
- Limit processing to qualifying public interest objectives: only AI systems developed in the areas of public security, criminal law enforcement, public health, or emergency management fall within the scope of Article 61; the objective must be genuine, specific, and documented.
- Apply full GDPR compliance throughout: all data protection principles under Article 5 GDPR remain in force; organisations must implement data minimisation, pseudonymisation or anonymisation where feasible, access controls, and retention limits aligned to the development lifecycle.
- Conduct a Data Protection Impact Assessment (DPIA): where the further processing is likely to result in high risk to individuals — which AI training on sensitive data frequently will — a DPIA under Article 35 GDPR is mandatory before processing begins.
- Document and demonstrate compatibility: organisations must be able to demonstrate, through records of processing activities and impact assessments, that the further processing is compatible with the original purpose, having regard to the factors listed in Article 6(4) GDPR (nature of data, consequences, safeguards).
- Respect data subject rights to the extent applicable: even under a public interest derogation, data subjects retain rights that are not expressly restricted by the applicable national law; controllers must assess which rights apply and put in place mechanisms to honour them.
Relationship to Other Articles
Article 61 sits within Title VI of the EU AI Act (Articles 57–63), which is dedicated to measures in support of innovation, alongside provisions on regulatory sandboxes and testing in real-world conditions. It should be read in direct conjunction with Article 57 (AI regulatory sandboxes) and Article 60 (testing of high-risk AI systems in real-world conditions), as both of those provisions also address the interaction between AI development activities and personal data protection obligations.
Outside Title VI, Article 61 has a direct relationship with the provisions governing high-risk AI systems in Title III, particularly Annex III systems in the areas of law enforcement, migration, and critical infrastructure — precisely the domains where public interest AI development is most likely to involve sensitive personal data.
On the data protection side, Article 61 is inseparable from the GDPR. It operationalises Articles 6(4) (compatibility of further processing), 9(2)(g) and (i) (special category processing for substantial public interest and public health), and Article 35 (DPIAs). Organisations must treat these instruments as a single integrated compliance framework, not as separate regimes to be applied sequentially.
Compliance Timeline
The EU AI Act entered into force on 1 August 2024, twenty days after its publication in the Official Journal of the European Union. The Regulation then applies in phased stages.
Article 61 falls within Title VI, which is subject to the general application date of 2 August 2026 — 24 months after entry into force. From that date, the innovation support framework, including the permission for further processing of personal data under Article 61, becomes fully applicable across all Member States.
Organisations planning to develop AI systems in the qualifying public interest domains should nonetheless begin preparatory compliance work well in advance of August 2026. This includes auditing existing datasets for potential reuse, identifying applicable national legal bases, engaging with data protection authorities, and designing DPIA frameworks. Regulatory sandboxes established under Article 57, which became operational progressively after August 2024, may provide a structured environment in which to test data reuse approaches under supervisory oversight before the full framework applies.
The phased application dates for prohibited AI practices (February 2025), GPAI models (August 2025), and most high-risk systems (December 2026 and August 2027) are relevant context: organisations developing high-risk AI systems in public interest domains must ensure that their data reuse practices under Article 61 are compliant by the time their system enters the scope of the high-risk obligations.
Official AI Act Compliance Deadline Calendar
Updated · Sources: Regulation (EU) 2024/1689 and the 2026 Digital Omnibus on AI.
| Obligation | Applies to | Original date | New date | Status | Countdown | Legal basis |
|---|---|---|---|---|---|---|
| Prohibited Practices (Art. 5) | All providers and deployers | active | — | AI Act Art. 5 | ||
| GPAI Rules (Chapter 5) | GPAI model providers | active | — | AI Act Art. 51-56 | ||
| High-risk AI — Annex III (standalone) | Providers of standalone Annex III systems | deferred | — | AI Omnibus 2026 Art. 6(2) | ||
| High-risk AI — Annex I (embedded) | AI embedded in Annex I regulated products | deferred | — | AI Omnibus 2026 Art. 6(1) | ||
| AI-Generated Content Marking | Providers of generative GPAI systems | active | — | AI Act Art. 50(2) | ||
| Regulatory Sandboxes | National competent authorities | active | — | AI Act Art. 57 |
⬇ Download JSON · CC BY 4.0
AI Act meets DORA and NIS2
Is your organisation subject to both the AI Act and DORA? The two regulations intersect on the operational resilience of financial AI systems. Our sister site regulation-dora.eu covers DORA in depth.
Explore regulation-dora.eu ↗Frequently Asked Questions
Yes, but only under strict conditions. Article 61 permits further processing of personal data originally collected for a different purpose when the AI system serves a specific public interest objective listed in the article (such as safety, public health, or security), and only where this is authorised by Union or Member State law. Organisations cannot invoke Article 61 unilaterally — a legal basis grounding that further processing in law is required.
No. Article 61 operates within the framework of the GDPR. It invokes the compatibility assessment under Article 6(4) GDPR and relies on Union or Member State law as the legal basis for further processing. All GDPR safeguards, data subject rights, and data minimisation principles continue to apply in full.
The article is not limited to public authorities. Private entities developing AI systems that genuinely serve a qualifying public interest objective may also benefit, provided they operate under an appropriate legal authorisation under Union or Member State law and comply with all applicable data protection requirements.
The article covers AI systems developed in the public interest, including systems related to public security, prevention or investigation of criminal offences, public health monitoring, and emergency management. The development must be oriented toward these specific objectives, not general commercial purposes, and must be grounded in a specific legal authorisation.
Stay ahead of AI Act changes
Get compliance alerts when deadlines or obligations change.
No spam. One-click unsubscribe.