← Back to the blog

June 3, 2026 · 3 min read

GDPR-Compliant AI Is a Process, Not a Place

“Runs in the EU, so it's compliant” is too short. What actually makes AI privacy-compliant — and a simple matrix for which data goes where.

AA
Anton Anders
IT consultant & developer

Quick answer up front: “GDPR-compliant AI” is not a product and not a server location, it’s a process. An AI use case doesn’t become compliant because it “runs in Europe”, but because you classify the data, have a legal basis, keep a data processing agreement and a record of processing, and control access and deletion. The hosting location falls out at the end of that process, not the start.

This post builds on the question of which data belongs on someone else’s server at all. That one is about the gut feeling. This one is about what makes the gut feeling defensible.

”Compliant because the vendor says so” isn’t enough

The most common mistake sits in one sentence: “We use Copilot, and Microsoft says it’s GDPR-compliant.” A vendor can hand you a compliant product and a clean contract. Whether your specific use is compliant isn’t their call. That depends on which data you put in, on what legal basis, with which access rights.

It shows up quickly in practice. An AI assistant that, through over-broad permissions, suddenly summarises salary lists or other people’s mailboxes was bought “compliant” and is still a privacy problem. The responsibility for that stays with you, not the vendor — the same logic that applies to Microsoft 365 and the GDPR.

The matrix: which data goes where

The process starts with a classification you do once per use case. Three classes are enough to begin:

Data classExampleWhere it goes
Public / uncriticalMarketing copy, research, public informationany serious cloud AI is fine
Personal, can be pseudonymisedSupport requests, internal notes without real namesEU cloud with a DPA, strip the data first
Sensitive / secretContracts, personnel files, health and financial datalocal or EU-sovereign, not an open API

The matrix doesn’t replace an assessment, but it prevents the most expensive mistake: treating everything the same. Most companies either tip everything into the cloud without a second thought or ban AI outright. Both are convenient and both are wrong.

The rest is craft

Once the classification stands, the rest is familiar privacy work: record the legal basis, add the AI service to your record of processing, sign the data processing agreement, run a data protection impact assessment where the risk is high, set retention periods and access. None of it is new just because it says “AI” on the box. If you’d rather not set up that process alone, get consulting once instead of yet another tool.

On top of that, since 2025 the AI Act brings an AI-literacy duty (Article 4): anyone deploying AI has to make sure the people operating it actually understand it. That doesn’t require a certified course or a formal documentation duty — it requires that your people know what the tool can do, what it can’t, and which data they’re allowed to give it. Which brings us back to the matrix.


Want to bring in AI without guessing on data protection? Get in touch — we’ll sort your use cases by data class and clarify what’s allowed to run where.

Frequently asked questions

Is using AI GDPR-compliant at all? +

Yes, but compliance is not a product feature, it's the result of a process: classify the data, record a legal basis, sign a data processing agreement, keep a record of processing, and control access and deletion.

What belongs in an AI privacy process? +

A classification of data into classes (public, personal, sensitive), a legal basis, the DPA with the vendor, the entry in the record of processing, and defined retention periods and access rights.

When is a data protection impact assessment (DPIA) needed for AI? +

When the risk to the people affected is high, for example when sensitive data such as personnel, health or financial data is processed. The DPIA is part of familiar privacy work, not special AI law.

Is a vendor's assurance of GDPR compliance enough? +

No. A vendor can deliver a compliant product and a clean contract, but whether your specific use is compliant depends on your data, your legal basis and your access rights. The responsibility stays with you.

Sounds like your situation?

Let’s talk about it — free and with no strings attached.