Navigate European privacy law when using AI with personal data
The General Data Protection Regulation (GDPR) applies to any organization that processes personal data of EU residents, regardless of where the organization is located. Fines can reach €20 million or 4% of global annual revenue, whichever is higher.
1. Lawfulness, Fairness, Transparency
Process data legally, fairly, and with user awareness
2. Purpose Limitation
Collect data for specific purposes only
3. Data Minimization
Only collect what's necessary
4. Accuracy
Keep data accurate and up to date
5. Storage Limitation
Don't keep data longer than needed
6. Integrity & Confidentiality
Secure data appropriately
⚠️ Critical for LLM Usage
When you send personal data to an LLM, you are "processing" it under GDPR. You must have a legal basis, minimize data sent, ensure security, and comply with all GDPR requirements.
Similar to HIPAA's BAA, a Data Processing Agreement (DPA) is required when you use a vendor (the processor) to process personal data on your behalf (as the controller).
DPA Must Include:
✓ Major Vendors with DPAs:
Right of Access
Individuals can request what data you have about them.
LLM Impact: Can you retrieve what personal data was sent to the LLM? Most vendors don't store request data long-term.
Right to Erasure
Individuals can request deletion of their data.
LLM Impact: Once data is used to train a model, it can't be "unlearned." Use zero-retention options.
Right to Data Portability
Individuals have the right to receive their data in a structured, machine-readable format.
LLM Impact: Ensure LLM outputs can be exported if they contain personal data.
Right to Object
Individuals have the right to object to processing, especially automated decision-making.
LLM Impact: If you use LLMs for automated decisions (hiring, credit), you must allow human review.
⚠️ Major Compliance Challenge
Transferring EU personal data to countries outside the EU/EEA requires special safeguards. The US is NOT automatically considered "adequate" for GDPR purposes.
1. EU Data Residency
Best Option: Keep data in EU regions only
Most cloud LLM providers offer EU-specific regions (e.g., eu-west1, europe-west3)
2. Standard Contractual Clauses (SCCs)
EU-approved contract terms for international transfers
Major vendors include SCCs in their DPAs
3. Adequacy Decisions
EU recognition that a country has adequate protection
Currently: EEA countries, the UK, Switzerland, Japan, Canada (commercial organizations), and a few others. The US has only a limited framework (the EU-US Data Privacy Framework).
Ensure you have a legal basis for processing: consent, contract, legal obligation, or legitimate interest
Only send the minimum personal data necessary for the task
Configure LLM services to use EU regions for data processing and storage
Disclose LLM usage in your privacy policy and data processing disclosures
Conduct Data Protection Impact Assessments (DPIAs) for high-risk processing activities
Have procedures to handle access, deletion, and portability requests
ChatGPT Free and similar consumer services don't offer DPAs or GDPR guarantees
Opt out of data being used for model improvement or training
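The "send the minimum personal data" and "handle access and deletion requests" items above are where engineering meets the legal text. The following is an added illustration, not code from this page or from any vendor, of one pattern that serves both: direct identifiers are swapped for opaque tokens before the prompt leaves your boundary, only the tokens reach the LLM, and the token map stays local so the reply can be re-identified in-house, a right-of-access request can be answered from a processing record that never stored the raw prompt, and an erasure request is a single purge of the map. The regexes, the sample customer text, the `simulated_llm` stand-in for the vendor call, and the region label are all constructed assumptions for the example.

```python
"""Pseudonymise direct identifiers before a prompt leaves your boundary.

Added example (not the page's own code). Regexes, sample text, the simulated
vendor call and the region label are constructed for illustration.
"""
import re
import secrets
from dataclasses import dataclass, field

# Constructed detectors, checked in this order so the IBAN is tokenised before
# the looser phone pattern can swallow its digit groups. A production system
# would use a proper PII classifier; these are illustrative only.
PATTERNS = [
    ("IBAN", re.compile(r"\b[A-Z]{2}\d{2}(?:\s?[A-Z0-9]{2,4}){3,8}\b")),
    ("EMAIL", re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")),
    ("PHONE", re.compile(r"\+?\d[\d\s-]{7,}\d")),
]
TOKEN = re.compile(r"<[A-Z]+_[0-9a-f]{8}>")

# Constructed sample: a support request containing several direct identifiers.
SAMPLE_TEXT = (
    "Customer Anna Schmidt (anna.schmidt@example.de, +49 170 1234567) asks to "
    "switch the account with IBAN DE89 3704 0044 0532 0130 00 to monthly billing."
)


@dataclass
class Pseudonymiser:
    """Token vault for one data subject, so erasure is a single purge."""
    subject_id: str
    vault: dict = field(default_factory=dict)    # token -> original value
    reverse: dict = field(default_factory=dict)  # original value -> token

    def _token(self, kind, value):
        # Same value always maps to the same token within one subject's session.
        if value not in self.reverse:
            tok = f"<{kind}_{secrets.token_hex(4)}>"
            self.vault[tok] = value
            self.reverse[value] = tok
        return self.reverse[value]

    def minimise(self, text, known=()):
        """Replace identifiers with tokens. `known` holds (kind, value) pairs you
        already have on file for the subject (e.g. the name from your CRM),
        which a regex cannot reliably find on its own."""
        for kind, value in known:
            text = text.replace(value, self._token(kind, value))
        for kind, pat in PATTERNS:
            text = pat.sub(lambda m, k=kind: self._token(k, m.group(0)), text)
        return text

    def reidentify(self, text):
        """Restore original values in the LLM reply, locally."""
        return TOKEN.sub(lambda m: self.vault.get(m.group(0), m.group(0)), text)

    def erase(self):
        """Right to erasure: drop the map so tokens already sent become unlinkable.
        Returns the number of identifiers purged."""
        n = len(self.vault)
        self.vault.clear()
        self.reverse.clear()
        return n


def simulated_llm(prompt):
    """Stand-in for the vendor call; echoes the tokens it saw to show round-tripping."""
    return "Acknowledged. References: " + ", ".join(TOKEN.findall(prompt))


def handle_request(subject_id, text, known=(), region="eu-region (assumed)"):
    """Minimise, call the (simulated) LLM, re-identify, and keep a processing
    record that can answer a right-of-access request without storing the raw
    prompt. Returns (outbound_prompt, answer, record, pseudonymiser)."""
    p = Pseudonymiser(subject_id)
    outbound = p.minimise(text, known)
    record = {
        "subject": subject_id,
        "vendor_region": region,
        "identifier_kinds_sent": sorted({t[1:].split("_")[0] for t in p.vault}),
        "raw_identifiers_sent": False,
    }
    answer = p.reidentify(simulated_llm(outbound))
    return outbound, answer, record, p


if __name__ == "__main__":
    out, ans, rec, p = handle_request("cust-0042", SAMPLE_TEXT,
                                      known=[("NAME", "Anna Schmidt")])
    print("sent to LLM :", out)
    print("final answer:", ans)
    print("record      :", rec)
    print("erased      :", p.erase(), "identifiers")
```

The vault is keyed per data subject on purpose: erasure becomes one `erase()` call rather than a search across logs, and the processing record keeps only the kinds of identifier sent, which is enough to answer "what did you send about me?" without retaining the identifiers themselves.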
We can help you implement GDPR-compliant AI workflows and select appropriate vendors