Abstract
<jats:p>This article examines behavioural data and its legal regulation under EU law, applying the GDPR and the regulatory framework for artificial intelligence. It analyses the conceptual and legal distinction between behavioural characteristics and biometric data, arguing that behavioural data digitally generated do not, as a rule, enable stable and unequivocal identification of a natural person. Thus, such data do not fall under the strict prohibition regime of Article 9(1) (2) GDPR, although its remain personal data and shall be lawfully processed on one of the legal bases provided in Article 6 GDPR. The article also demonstrates that behavioural characteristics are primarily used for prediction, and pattern analysis, and are therefore regulated by the GDPR’s profiling concept rather than the special categories of personal data. Behavioral data may not identify a person at one moment, but becomes identifying through persistence, linkage, or learning effects in AI systems. The paper argues for the relevance of the AI Act as a lex specialis that complements the GDPR by restricting the use of AI systems designed to substantially influence human behaviour or to exploit subliminal techniques, particularly where such practices may cause physical or psychological harm. Moreover, in immersive or neuro-adaptive environments, individuals cannot realistically understand or meaningfully control the extraction and use of their behavioral data, which fundamentally undermines the concept of informed consent. Continuous behavioral monitoring may, over time, influence cognition, self-expression, and personal autonomy, producing chilling effects and self-censorship even outside traditionally “sensitive” domains. These risks support the emerging view that individuals should hold rights not only over their personal data, but also over how their behavior is shaped, nudged, or optimized by AI systems. Taken together, this provides a strong argument for recognizing “intimate behavioral data” or “neuro-behavioral data” as a distinct legal category that extends beyond classical biometric data. In all cases, proportionality, data minimization, and effective human supervision should be ensured. Keywords: GDPR, behavioural data, biometric data processing, profiling, AI Act, artificial intelligence, identification.</jats:p>