Logo and page links

Main menu


Framework for the Regulatory Sandbox

What happens in the sandbox?

Project participants will receive advice and guidance from an interdisciplinary team from the Data Protection Authority, to ensure that the service or product is in compliance with relevant regulations and adequately takes privacy into account. The sandbox is open to any and all topics that highlight the use of personal data in artificial intelligence. 

The duration of sandbox participation will vary from project to project, but we believe a project period of 3 to 6 months in the sandbox is appropriate.  

Each organization will, in collaboration with the Data Protection Authority, draw up an individual plan, describing the need for guidance, how this guidance can be prepared and the form it may take.

Our contribution will therefore be tailored to each individual project’s needs — in terms of both scope and activities.

Below are some examples of sandbox activities we can offer:

  • Assist in the performance of a data protection impact assessment (DPIA).
  • Contribute to the identification of data protection challenges.
  • Provide feedback on relevant technical and legal solutions to data protection challenges.
  • Explore options for the implementation of privacy by design.
  • Conduct an informal inspection to highlight relevant requirements.
  • Contribute input to various assessments and considerations of the balance between necessity and potential adverse effects on user privacy.
  • Provide an arena for knowledge exchange and network-building for
    • other sandbox participants,
    • external experts, and
    • other authorities.
  • Share preliminary and final sandbox experiences.

Which topics do we want to highlight?

The Data Protection Authority wants to highlight topics that may be relevant for many. It is particularly interesting to highlight problems in areas where there is uncertainty concerning how to interpret and apply relevant regulations.

Examples of topics the sandbox can help address include:

  • innovative use of personal data with the help of technology that combines artificial intelligence with other technology, such as biometrics, the Internet of Things, portable technology or cloud-based products,
  • complex data-sharing,
  • building a good user experience and trust by providing transparency and explainability,
  • how to avoid discrimination or bias,
  • perceived limitations, or insufficient understanding of the General Data Protection Regulation’s provisions on automated decision-making, and
  • utilization of existing data (often to scale and to connect data) for new purposes.