Compliance with Data Protection
In general, the regulations of the GDPR apply to the use of generative AI. It is therefore recommended that the following points in particular be observed (from the Bavaria 2025 University of Applied Sciences AI Guidelines):
- Use of AI tools that are data protection-compliant and non-discriminatory according to binding information provided by the provider, that do not use prompts for training purposes and that enable the deletion or deactivation of history logs.
- When registering for AI tools, if user registration is required, an anonymized e-mail address should be used (e.g. userpseudonym123@gmail.com). The use of an authentication procedure prevents misuse of the account.
- Prohibition of the use of AI systems outside of research, teaching, study or university management purposes when using official access data.
According to the GDPR, the input in the prompt is also of central importance. Only information that is categorized as TLP:CLEAR in accordance with the Traffic Light Protocol (TLP) (see Table 1) should be entered. This means that prompt content must be publicly accessible and non-critical.
Non-permissible entries include, for example:
Personal data
Personal data include, for example:
- Names, student numbers, contact details.
- Health data, addresses or images.
- Data that, in combination, allows conclusions to be drawn about individuals.
Manipulative prompts
These include, for example:
- Input aimed at circumventing technical protection mechanisms of the AI system.
- Input aimed at inducing the AI to engage in ethically or legally problematic behaviour.
Confidential content
Confidential content includes, for example:
- Unpublished third-party research results (e.g. as part of feedback or correction requests) or internal documents.
- Information with restricted access.
- Content that is subject to confidentiality or official secrecy.
Note: In the context of AI systems that are operated exclusively for scientific research and development purposes, exceptions may apply under certain circumstances on the basis of scientific privilege (see the legal opinion on the significance of the European AI Regulation for universities).
| TLP level | Confidentiality level | Description | Disclosure |
|---|---|---|---|
| TLP:RED | Classified information | Only for known recipients. Information may only be passed on to the persons directly present. | No disclosure to third parties. |
| TLP:AMBER+STRICT | Strictly confidential | Restricted distribution within the organisation. | Information may only be passed on within the University of Regensburg and on a "need-to-know" basis. |
| TLP:AMBER | Confidential | Restricted distribution within the organisation. | Information may be passed on within the University of Regensburg and to partners, but not to third parties. |
| TLP:GREEN | Internal | Cross-organisational dissemination. | Information may be passed on within the university community, but not published. |
| TLP:CLEAR | Public | Unrestricted disclosure. | Information may be passed on to anyone without restriction. |
Table 1: The Traffic Light Protocol (TLP) is a standardised agreement for the exchange of information that is worthy of protection but not formally classified. All documents are categorised into TLP levels, which regulate the conditions for their disclosure. Further information on the TLP is available from the BSI.
Contact point and recommendations for AI applications
If you have any questions or wish to report data protection violations, please contact the UR data protection office.
In terms of copyright and data protection, the use of Microsoft Copilot at the UR is recommended, as all data is processed by Microsoft and the UR in accordance with the contractual agreements (Data Processing Addendum, DPA) and the conditions for M365 Education apply. Essentially, this ensures that the data is only processed within the EU, that the requests are not stored and that they are not used to train the AI models.
Similar terms have been agreed with DeepL, which is available to UR members when using the content management system to translate website content.