Promoting privacy and cybersecurity awareness in companies
with simple, practical explanations, AI assisted
Observatory edited by Dr. V. Spataro



Artificial intelligence 2026-05-13 · Cite: 'Doc 101352'

COE - the Council of Europe continues its excellent work on AI

abstract:



Draft Guidelines on Privacy and Data Protection in the context of LLM-based

Source: COE
Link: http://dl-iusondemand.s3.amazonaws.com/civileitpro








text:

I

Introduction
1. Purpose and Scope
1.1 Context and Purpose
1.2 The IAMM Approach and Its Steps
1.3 Target Audience and Stakeholders Across the LLM Ecosystem
2. Key Concepts and Definitions
2.1 Essential Concepts
2.1.1 A Lifecycle Approach Rooted in the Framework Convention on AI and the LLM Ecosystem
2.1.2 Difference Between LLM Models and LLM-based Systems
2.1.3 Five Fundamental Steps of the Dynamic Lifecycle and Risk Management Process of LLM-based Systems
2.2 Types of Privacy and Data Protection Risks Across the AI Lifecycle and the LLM Ecosystem
2.2.1 Lifecycle and Operational Privacy Risks in LLM-based Systems
2.2.2 Data Processing Risks in LLM-based Systems: Privacy and Data Protection Risks
2.3 Emerging Privacy and Data Protection Risks
3. Convention 108+ Principles and Articles Relevant to LLM-based systems
3.1 Understanding the Principles of Convention 108+ in the Context of Evolving LLM-based and Agentic Systems
3.1.1 Data Security, Accuracy, Transparency, and Accountability in LLM-based and Agentic Systems
3.1.2 Lawfulness and Fairness of Processing: Inferencing, Data Proxies, and Reconstruction of Private Life
3.1.3 Data Minimisation and Data Subjects’ Rights in Personalised and Intention-predictive Systems
3.1.4 Purpose Limitation in Multimodal and Interconnected Data Ecosystems
3.1.5 Balancing Principles and Trade-offs in LLM-based Systems
3.2 Understanding the Articles of Convention 108+ in the Context of LLM-based and Agentic Systems
3.2.1 Article 10 – Additional Obligations: Risk Assessment, Privacy by Design, and Risk Prevention
3.2.2 Article 5 – Legitimacy of processing and Data Quality
3.2.3 Article 6 – Special Categories of Data
3.2.4 Article 7 – Data Security
3.2.5 Article 8 – Transparency of Processing
3.2.6 Article 9 – Rights of Data Subjects
3.2.7 Article 14 – Transborder Data Flows
4. Stakeholder-Specific Guidance
4.1 Operationalising Convention 108+ Principles Across Stakeholder Responsibilities
4.2 Risk Management Responsibilities Across the Lifecycle of LLM-based Systems
4.3 Mitigation Measures and Best Practices Across Lifecycle Phases and Risk Categories
5. Implementation Considerations
5.1 Governance, Accountability, and Oversight Mechanisms
5.2 Cross-functional Collaboration Across Technical, Legal, and Governance Teams
5.3 Human Rights, Privacy, and Fundamental Rights Impact Assessments
5.4 Interoperability with Other Related Regulatory and Governance Frameworks
6. Annexes
Annex I: Privacy and Data Protection Risk Management Framework for LLM-based Systems

Overview of risk identification, assessment, mitigation, and monitoring

Relationship with Data Protection Impact Assessments (DPIAs)

Relationship with broader human rights and AI risk Assessment methodologies
Annex II: Lifecycle Phases of LLM-based Systems

Detailed overview of lifecycle stages and operational environments
Annex III (optional): Illustrative Case Studies and Operational Examples

Illustrative examples of privacy and data protection risks in LLM-based systems

Stakeholder responses and mitigation approaches

Agentic AI and compound-system deployment examples
Annex IV (optional): Glossary of Key Concepts

Definitions of technical, legal, and governance-related terminology


Text dated 2026-05-13. Source: COE



