To stay GDPR-compliant with AI, start from four questions before any model: what personal data you touch, on what lawful basis you process it, how little of it you need, and where it is processed. Add a retention policy and a clear answer to data-subject rights. GDPR does not ban AI; it just asks you to justify every decision about data.
- In short: GDPR does not ban AI, but it requires a lawful basis, data minimisation, clarity on where data is processed, and a retention policy.
- The key question before any project: what personal data am I touching, why am I allowed to use it, and where does it end up?
- GDPR and the EU AI Act are separate but overlapping obligations; a serious AI project handles them together.
- This is a practical engineer's guide, not legal advice; for sensitive cases, validate with a GDPR specialist.
Can I use personal data in an AI project and stay GDPR-compliant?
Yes. GDPR does not ban the use of personal data in AI, but it requires you to justify every decision about it. Before any model, you answer four questions: what personal data you actually touch, on what lawful basis you process it (consent, contract, legitimate interest, or another Article 6 GDPR basis), how much of it you genuinely need, and where it ends up being processed. Most problems come not from using AI but from no one having asked these questions first. A project that starts from "what data may we use and why" is far easier to defend than one that collects everything it can find and looks for the justification afterwards.
What is the GDPR checklist for an AI project?
The table below summarises the practical checks we run before any model touches personal data. Each row is a question that must have a documented answer before the start, not an improvised explanation after an incident.
| Check | What you ask | Common mistake |
|---|---|---|
| Lawful basis | On what Article 6 GDPR basis do I process this data? | "We have consent" without ever asking for it |
| Data minimisation | How many fields do I genuinely need for the purpose? | Sending the whole database to the model "just in case" |
| Processing location | Where does the model run and where is data stored? | An external API outside the EU, with no transfer check |
| Retention | How long do I keep data and prompts, then who deletes them? | Indefinite logging of conversations containing personal data |
| Data-subject rights | Can I answer access and erasure requests? | Personal data "baked into" a model, impossible to extract |
| Vendors and processors | Do I have a processing agreement with each AI vendor? | Using a tool without checking what it does with your data |
Pay special attention to special-category data (health, biometric data, trade-union membership, etc.): for these, Article 9 GDPR imposes stricter conditions, and an AI project that touches them needs a data-protection impact assessment (DPIA) and, in many cases, a specialist's sign-off.
Where is data processed when I use an external AI API?
This is the question companies skip most often. When you send data to an external AI API, the data leaves your infrastructure and is processed on the vendor's servers, which may be outside the EU. That triggers GDPR rules on international data transfer and requires, depending on the case, a processing agreement, adequate safeguards, and a check on where the servers are located. Three practical options, in order of control: run the model on-premise or in an EU cloud you control (maximum control, higher cost); use a vendor with EU-based processing and a clear processing agreement (a reasonable balance); or send anonymised / pseudonymised data to an external API, so that personal data never leaves at all. The choice depends on how sensitive the data is and how strict your sector is.
A standard data-handling template that works for any AI project looks like this: document from the start what personal data enters the system, on what legal basis, where it is processed and who can access it; sign a data-processing agreement (DPA) with every AI vendor; keep a record of processing activities; define a retention and deletion policy; and set out how you respond to data-subject requests (access, rectification, erasure). Treated as part of the build rather than a closing formality, these points are what make an AI solution easy to defend.
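The minimisation, pseudonymisation and retention points above (and the "data minimisation" row of the checklist) can be enforced in code rather than left to a policy document. The gateway below is an added example written for this page, not code from the original or from any vendor: it sits between an application and an external AI API, strips every field not on a purpose-specific allow-list, replaces direct identifiers with HMAC-derived tokens (keeping the token-to-value mapping in a local vault so re-identification only ever happens inside your own infrastructure), records each outbound prompt with a deletion deadline, and supports both scheduled purging and an erasure request. The ticket record, field names, key and 30-day retention period are constructed for illustration. One caveat the page's wording glosses over: where you keep the key, pseudonymised data is still personal data under GDPR (Recital 26), so this design reduces what the vendor sees but does not by itself remove the international-transfer question; only genuine anonymisation takes data out of scope.

```python
"""Privacy gateway in front of an external AI API (constructed example)."""
import hashlib
import hmac
import json
from datetime import datetime, timedelta, timezone

# Fields the (constructed) purpose "triage support tickets" genuinely needs.
ALLOWED_FIELDS = {"ticket_id", "customer_email", "message"}
# Direct identifiers that must never leave our infrastructure in clear.
IDENTIFIER_FIELDS = {"customer_email"}
# Constructed demo key; in production load it from a KMS / secret store.
PSEUDONYM_KEY = b"constructed-demo-key-do-not-reuse"
RETENTION_DAYS = 30  # constructed retention period for prompt logs


class PrivacyGateway:
    def __init__(self, key=PSEUDONYM_KEY, retention_days=RETENTION_DAYS):
        self.key = key
        self.retention = timedelta(days=retention_days)
        self.vault = {}       # token -> real value; stays local, never sent
        self.prompt_log = []  # record of processing, each with delete_after

    def pseudonymise(self, value):
        """Deterministic token: the same identifier maps to the same token."""
        digest = hmac.new(self.key, value.encode(), hashlib.sha256).hexdigest()
        token = "PSEUDO_" + digest[:16]
        self.vault[token] = value
        return token

    def minimise(self, record):
        """Data minimisation: drop every field not on the allow-list."""
        return {k: v for k, v in record.items() if k in ALLOWED_FIELDS}

    def prepare_outbound(self, record, now=None):
        """Build the payload that may be sent to the external API."""
        now = now or datetime.now(timezone.utc)
        outbound = self.minimise(record)
        for field in IDENTIFIER_FIELDS & set(outbound):
            real = outbound[field]
            token = self.pseudonymise(real)
            # Replace the identifier wherever it appears, including inside
            # free text such as the message body.
            for k, v in list(outbound.items()):
                if isinstance(v, str):
                    outbound[k] = v.replace(real, token)
        self.prompt_log.append({
            "sent_at": now.isoformat(),
            "delete_after": (now + self.retention).isoformat(),
            "fields_sent": sorted(outbound),
            "payload": outbound,
        })
        return outbound

    def reidentify(self, text):
        """Restore real values in a vendor response, locally only."""
        for token, value in self.vault.items():
            text = text.replace(token, value)
        return text

    def purge_expired(self, now=None):
        """Retention policy: delete every log entry past its deadline."""
        now = now or datetime.now(timezone.utc)
        before = len(self.prompt_log)
        self.prompt_log = [
            e for e in self.prompt_log
            if datetime.fromisoformat(e["delete_after"]) > now
        ]
        return before - len(self.prompt_log)

    def erase_subject(self, value):
        """Erasure request: forget the mapping and every log that used it."""
        tokens = [t for t, v in self.vault.items() if v == value]
        for t in tokens:
            del self.vault[t]
        before = len(self.prompt_log)
        self.prompt_log = [
            e for e in self.prompt_log
            if not any(t in json.dumps(e["payload"]) for t in tokens)
        ]
        return before - len(self.prompt_log)


# Constructed sample ticket: the IBAN and birth date are not needed for triage.
SAMPLE_TICKET = {
    "ticket_id": "T-1",
    "customer_email": "ana@example.com",
    "message": "Please close the account for ana@example.com",
    "iban": "XX00 0000 0000 0000 (constructed)",
    "birth_date": "1990-01-01",
}

if __name__ == "__main__":
    gw = PrivacyGateway()
    sent = gw.prepare_outbound(SAMPLE_TICKET)
    print(json.dumps(sent, indent=2))
    print(gw.reidentify("Handled " + sent["customer_email"]))
```

Because the token is an HMAC of the value, the same customer gets the same token across requests, which keeps multi-turn conversations consistent without the vendor learning the identifier; the log stores only the pseudonymised payload, so purging it and erasing a subject are both local operations that never require the vendor's cooperation.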
How does GDPR connect to the EU AI Act?
These are two different but touching sets of obligations. GDPR governs the processing of personal data, whatever the technology. The EU AI Act governs AI systems according to their risk level and introduces new obligations, among them risk classification, system documentation, and staff training, becoming fully applicable from August 2026. An AI system that processes personal data must satisfy both: GDPR for the data, the AI Act for the system itself. You handle them most efficiently together, in the same upfront analysis, not as two separate projects. For the concrete steps to prepare for the new regulation, see how to prepare for the EU AI Act.
What is the next step?
If you are planning an AI project that touches personal data, the best time to handle the GDPR side is before the first line of code, not after an inspection. Run the checklist above on your case, then book a free discovery call. In that call we look together at what data is involved, where it would be processed, and what structure reduces the risk. The initial call is free; for a detailed assessment, the AI Technical Audit (our paid 2–4 week service) also covers the data and risk side.
The EU AI Act becomes fully applicable from August 2026 and adds to GDPR obligations for AI systems that process personal data (source: Digi24, cursuri-ai.ro).
Frequently asked questions
Does GDPR ban using AI with personal data?
No. GDPR does not ban AI, but it requires a lawful basis for processing, data minimisation, clarity on where data is processed, and a retention policy. The problem arises when a company uses personal data without first answering "what may I use and why". A project that starts from those questions is far easier to defend.
Where does my data end up when I use an external AI API?
On the vendor's servers, which may be outside the EU; that triggers GDPR rules on international data transfer. You have three options: run the model on-premise or in an EU cloud, use a vendor with EU-based processing and a processing agreement, or send only anonymised data so personal data never leaves at all.
What does data minimisation mean in an AI project?
It means using only the fields you genuinely need for the purpose, not the whole database "just in case". The less personal data you send to a model, the lower the risk. Minimisation is both a GDPR requirement and good engineering: less data means less risk surface.
Do I need a DPIA for an AI project?
Often, yes, especially if the project processes personal data at scale or touches special categories (health, biometric data). A data-protection impact assessment (DPIA) documents the risks and the mitigations. For sensitive cases, validate the need for and the content of the DPIA with a GDPR specialist.
Are GDPR and the EU AI Act the same thing?
No, they are separate but overlapping obligations. GDPR governs personal data, whatever the technology. The EU AI Act governs AI systems by risk level and becomes fully applicable from August 2026. An AI system with personal data must satisfy both; the most efficient approach is to handle them together, in the same upfront analysis.
Want to discuss a project?
Book a free discovery call with the Sapio team.