1. Digital twins as personal data: checking GDPR relevance
If a digital twin is generated from real image, video or 3D scan data, the GDPR is generally applicable. The depiction of an identifiable natural person constitutes personal data within the meaning of Article 4(1) GDPR. Particularly stringent requirements apply where biometric data within the meaning of Article 9(1) GDPR are extracted or processed – for example, for the purposes of facial recognition or AI training.
Such processing operations require a valid legal basis – in practice, this can generally only be obtained through the explicit consent of the data subject pursuant to Article 9(2)(a) GDPR. Furthermore, the processing must comply with the principles of transparency, purpose limitation and proportionality. A company that, for example, digitises a model for a specific campaign and subsequently uses the resulting digital twin for a different purpose is acting in breach of the GDPR – with potentially significant legal consequences.
2. Right to one’s own image and general right of personality
In Germany, the Art Copyright Act (KunstUrhG) stipulates that images of a person may only be distributed or publicly displayed with the consent of the person depicted (Section 22 KunstUrhG). In the case of AI-generated digital twins, it is frequently contested whether an ‘image’ within the meaning of the Act exists at all – the decisive factor is whether a recognisable connection to the real person can be established.
In addition, affected individuals may take action against unwanted digital twins under the general right of personality (Section 823 of the German Civil Code (BGB) in conjunction with Articles 1 and 2 of the German Basic Law (GG)). This also applies to so-called ‘lookalikes’ or deepfakes, provided that the impression is created that the real person is behind the digital representation.
3. Fictional avatars: How close is too close?
An avatar that is merely ‘inspired’ by a real person does not automatically operate in a legal vacuum. The Federal Court of Justice (BGH) has established in its case law that even indirect commercial exploitation of a person’s identity – for example, by imitating their voice, appearance or silhouette – can constitute a violation of personality rights. Any company that models a digital twin resembling a celebrity and deploys it for advertising purposes must therefore anticipate claims for injunctive relief and damages.
4. International context: No global consensus
In the US, the ‘right of publicity’ grants individuals – particularly celebrities – control over the commercial use of their likeness. In California in particular, there is a growing body of case law addressing unauthorised digital twins. In the EU, the GDPR serves as the primary regulatory framework, supplemented by national provisions on the right to one’s own image and personality rights. Companies operating across jurisdictions must therefore adopt a multi-pronged compliance strategy and conduct location-specific legal assessments.
5. Legally compliant design: What companies can do
Companies working with digital twins should, in particular, implement the following measures:
- Obtain explicit, informed consent in advance – ideally in writing and specifying the particular purposes of use.
- Set out in a contract whether, to what extent and for how long a digital twin may be used – including provisions on usage rights, the right to make modifications and obligations to delete data.
- Employ technical design measures that minimise the identifiability of real individuals, for example through stylised or abstracted representations.
- Implement output filters to prevent abusive or infringing content.
- Actively monitor for infringements – particularly with regard to deepfake tools and unauthorised digital replications.
Conclusion
Digital twins of real people do not exist in a legal vacuum. Any entity that replicates faces, bodies or voices – even in stylised or AI-generated form – is entering legally sensitive territory. Companies should therefore ensure that their digital twin strategy is legally sound from the outset and treat consent, transparency and control not as an afterthought, but as a strategic imperative.
Key points in brief
- Digital twins may constitute personal data within the meaning of the GDPR and are therefore subject to its requirements.
- Even merely ‘similar’ avatars can infringe personality rights.
- Explicit consent and clear contractual provisions provide the greatest degree of legal certainty.








