How is GDPR different for AI systems?

The principles are the same, but AI stresses them in specific ways — training data needs a lawful basis, prompts can leak personal data to processors, automated decisions trigger Article 22 rights, and provider logs create hidden retention you must account for.

When do I need a DPIA for an AI system?

A Data Protection Impact Assessment is required when processing is likely to result in high risk to individuals. AI involving large-scale profiling, automated decisions with legal effects, or special-category data almost always meets that threshold.

What does Article 22 require?

Article 22 gives people the right not to be subject to solely automated decisions with legal or similarly significant effects. Where you rely on such decisions you must provide a lawful basis, meaningful information about the logic, and a route to human review.

Is sending prompts to OpenAI or Anthropic a transfer under GDPR?

Yes. If the prompt contains personal data and the provider processes it on your behalf, that provider is a processor — you need a data-processing agreement, a transfer mechanism if data leaves the EEA, and confirmation of their retention and training policies.

Does anonymised or synthetic data escape GDPR?

Truly anonymised data falls outside GDPR, but the bar is high — re-identification must be irreversible. Pseudonymised data (where a key still links to a person) remains personal data and stays in scope.

GDPR for AI Systems Checklist

GDPR did not change when AI arrived, but AI changed how organisations process personal data — and where the risks hide. Training pipelines ingest data at scale, prompts quietly ship customer details to third-party processors, model outputs can reconstruct sensitive attributes, and provider logs retain your inputs long after you have forgotten them. This checklist isolates the AI-specific obligations from the generic GDPR boilerplate so you can focus on the parts that genuinely apply to machine-learning systems.

Each classic GDPR principle has an AI-shaped failure mode:

Lawful basis (Art. 6) — every use of personal data needs a basis. For training this is often the hardest part; legitimate interest needs a balancing test, and scraped web data rarely satisfies it cleanly.
Purpose limitation (Art. 5) — reusing data collected for one purpose to train a model is a new purpose that needs its own justification.
Data minimisation (Art. 5) — prompts are notorious for over-sharing. Sending an entire customer record when the task needs one field is a minimisation failure.
Storage limitation (Art. 5) — AI providers log inputs and outputs. Retention you do not control is still retention you are accountable for.
Automated decision-making (Art. 22) — solely automated decisions with significant effects trigger extra rights: information about the logic and a human-review route.

Notes and tips

Treat any external LLM API as a processor: get a data-processing agreement, confirm sub-processors, and check whether data leaves the EEA.
Run a DPIA before launch for any large-scale profiling or automated decision — it is both a legal requirement and the cleanest place to document the choices this checklist forces you to make.
Confirm the provider’s training opt-out and retention window; pair this tool with the AI Provider Data Retention Reference to fill those in.
This is an educational tool, not legal advice. Where a decision turns on special-category data or cross-border transfers, involve your DPO or counsel.

GDPR for AI Systems Checklist

GDPR, but for how AI actually processes data

How the AI angles map to GDPR principles

Notes and tips