ModelCharter

GDPR and AI Tools: What EU Teams Must Know

GDPR and AI tools interact in at least three ways: your prompts may include personal data, the AI vendor processes that data on your behalf, and AI-generated output about individuals carries its own obligations. Teams already managing GDPR need to extend their compliance to cover these new flows.

Data Processing Agreements (DPAs)

If you pass personal data to an AI tool (even in a prompt), the AI vendor is processing that data on your behalf, which means a DPA between you and the vendor must be in place. Major AI vendors offer DPAs on their business tiers: OpenAI, Anthropic, Google and Microsoft all have them. Consumer tiers typically don't include a DPA, which is why they're unsuitable for work involving EU personal data.

Lawful basis for AI processing

Processing personal data through AI tools needs a lawful basis under GDPR Article 6. Legitimate interests is the most common basis for internal uses (productivity, analysis). Consent is impractical at scale. Whatever basis you use, document it in your Records of Processing Activities (RoPA).

Data subject rights

If personal data enters an AI tool that retains conversations, a data subject access request (DSAR) or erasure request could require you to retrieve or delete that data from the AI vendor's systems. Check your vendor's data retention policy and whether their enterprise tier supports deletion on request.

The EU AI Act layer

The EU AI Act adds AI-literacy obligations on top of GDPR. Since February 2025, organisations must ensure staff using AI tools have a sufficient level of AI literacy and must be transparent when AI generates content shown to users. Your AI usage policy should address both. Greenlightly's policy generator covers GDPR and EU AI Act requirements together.

Put this into practice

Generate a free AI usage policy for your team, then see which of your tools are safe to use.

Open the generator