EU AI Act Data Governance

Article

10 EU AI Act obliges providers of high-risk AI systems whose models are trained with data to use training, validation and test datasets that meet defined quality criteria. Data governance must include documented procedures for data collection, data origin, data preparation, formulation of assumptions, prior assessment of data availability and suitability, and measures for detecting and correcting biases. These requirements apply throughout the entire lifecycle of the AI system.

Training, validation and test datasets must meet the following criteria under Article 10(3): They must be relevant for the intended purpose, sufficiently representative, as error-free and complete as possible. They must have appropriate statistical characteristics — including with respect to the persons or groups of persons on which the system is intended to be used. Particularly important is consideration of geographic, contextual and behavioural specificities of the planned deployment environment.

Article 10(2)(f) requires investigation of possible biases that could affect health, safety or fundamental rights. Where bias detection requires processing of special categories of personal data (e.g. race, health, sexual orientation), strict additional conditions under paragraph

5 apply: alternative data must be demonstrably ineffective, technical safeguards such as pseudonymisation are required, transfer to third parties is prohibited, and data must be deleted after bias correction.

The EU AI Act distinguishes three dataset types: Training data is used for model development and parameter calibration. Validation data checks during development whether the model generalises correctly and enables fine-tuning. Test data evaluates the finished system independently before placing on the market. All three dataset types must meet the quality criteria of Article 10. For AI systems without training techniques — such as rule-based systems — requirements apply only to test datasets.

Providers must comprehensively document data governance: description of data collection methods and sources, information on data origin and data lineage, description of preparation processes (annotation, labelling, cleansing), documentation of assumptions regarding data requirements, assessment of data availability and suitability, and description of bias detection and correction measures. This documentation forms part of the technical documentation under Article

11 and must be available for market surveillance inspections.

GDPR and EU AI Act apply in parallel and complement each other. GDPR governs the data protection legal basis for processing personal data in AI training — legal basis, purpose limitation, data minimisation, data subject rights. The EU AI Act sets additional requirements for data quality, representativeness and freedom from bias. Article 10(5) permits processing of special categories of personal data for bias detection under strict conditions — a provision that goes beyond GDPR.

Organisations should implement six steps: First, conduct a data inventory — which data is used for which AI systems. Second, establish data governance procedures — responsibilities, processes, quality standards. Third, implement data quality checks — completeness, representativeness, error-freeness. Fourth, set up bias detection mechanisms — statistical tests for biases across all dataset types. Fifth, build complete documentation — traceability from data origin to data use. Sixth, establish continuous monitoring — ensure data quality during ongoing operations.