GDPR Consultancy for AI Products
GDPR is harder when AI is involved. Most compliance programmes don’t account for that.

How GDPR works for AI products
Standard GDPR compliance was built for conventional data processing. AI changes the problem — training data provenance, automated decision-making, sensitive attribute inference, and data minimisation tension with model performance are not covered by a generic privacy audit.
European Compliance Suite provides specialist GDPR consultancy for AI products. We assess the specific ways your AI system creates data protection risk, establish the lawful basis for every processing activity your system performs, and map your GDPR obligations against the EU AI Act and Cyber Resilience Act requirements that frequently land on the same product.
One AI system. One fixed-price engagement. Every GDPR obligation specific to your product, documented and defensible.
GDPR Consultancy Built for AI Products
Fixed price · Named lawyer · AI-specific · Delivered in five working days
The GDPR obligations AI creates

GDPR establishes six data protection principles that apply to every processing activity — including AI training, inference, logging, and output generation. Each one creates specific compliance obligations for AI systems that do not exist for conventional software.
Lawfulness, fairness, and transparency
Every processing activity must have a lawful basis — consent, contract, legal obligation, vital interests, public task, or legitimate interests. For AI systems, the lawful basis question is complicated by the fact that AI often processes data for purposes that were not fully anticipated when the basis was established, and by the fact that AI inference can reveal information the data subject never disclosed. Transparency requires that individuals understand how their data is used — including by AI systems that make decisions about them.
Purpose limitation
Personal data collected for one purpose cannot be used for another incompatible purpose. AI systems that use data collected for one function to train models for another — or that repurpose interaction data for model improvement — routinely encounter purpose limitation problems that organisations have not mapped.
Data minimisation
Only data that is adequate, relevant, and limited to what is necessary for the processing purpose should be collected. AI systems, particularly those built on large language models or trained on broad datasets, frequently collect and retain more data than any specific processing purpose requires. The tension between data minimisation and model performance is one of the most common GDPR problems in AI compliance.
Accuracy
Personal data must be accurate and kept up to date. AI systems that make decisions based on personal data — credit scoring, risk assessment, medical diagnosis support — face accuracy obligations that extend beyond data quality to model accuracy and the reliability of AI-generated outputs about individuals.
Storage limitation
Personal data must not be kept longer than necessary. AI systems that log interactions, retain training data, or embed personal data in model weights face storage limitation questions that conventional data retention policies do not address.
Integrity and confidentiality
Personal data must be processed with appropriate security. AI systems face specific security obligations — model inversion attacks, membership inference attacks, and prompt injection vulnerabilities — that require security measures beyond conventional IT infrastructure controls.
GDPR obligations by AI system type
GDPR applies to all personal data processing, but the specific obligations triggered depend on what your AI system does, how it processes data, and what decisions it makes or influences. This table maps the most common AI system types to the GDPR obligations they trigger.
| AI system type | Personal data processed | Key GDPR obligations triggered |
|---|---|---|
| Large language model / chatbot | User inputs, conversation history, potentially sensitive disclosures | Lawful basis, purpose limitation, storage limitation, transparency, security |
| CV screening / recruitment AI | Name, employment history, education, potentially protected characteristics | Article 22 automated decision-making, lawful basis (likely explicit consent or substantial public interest), DPIA mandatory, accuracy |
| Credit scoring AI | Financial history, behavioural data, inferred creditworthiness | Article 22 automated decision-making, lawful basis, right to explanation, DPIA mandatory |
| Facial recognition / biometric AI | Biometric data (special category) | Explicit consent or Article 9(2) exemption required, DPIA mandatory, data minimisation, security |
| Healthcare decision-support AI | Health data (special category) | Article 9(2) exemption required, DPIA mandatory, accuracy, storage limitation |
| Behavioural analytics / profiling AI | Behavioural patterns, inferred attributes, potentially sensitive characteristics | Profiling rules, Article 22 where decisions have legal or significant effect, DPIA likely, transparency |
| Fraud detection AI | Transaction data, behavioural signals, device data | Lawful basis (legitimate interests or legal obligation), Article 22 where automated rejection occurs, DPIA likely |
| Emotion recognition AI | Facial expressions, voice patterns (potentially biometric) | Special category data rules, DPIA mandatory, purpose limitation, transparency |
| AI trained on web-scraped data | Names, images, written content of identifiable individuals | Lawful basis for training data, transparency obligations, data subject rights |
| AI recommendation system | Behavioural history, preferences, inferred interests | Profiling rules, transparency, legitimate interests assessment |
| Document processing AI | Variable — depends on document type | Lawful basis, purpose limitation, data minimisation, security, storage limitation |
| AI used in HR / performance management | Employee data, performance metrics, behavioural signals | Article 22 where automated decisions affect employment, DPIA likely, legitimate interests or contract basis |
Article 22 and automated decision-making
Article 22 of GDPR gives individuals the right not to be subject to decisions based solely on automated processing that produce legal or similarly significant effects. This provision is directly and immediately relevant to the majority of commercial AI systems — and it is the GDPR obligation most frequently underestimated or misapplied by AI product teams.
A decision produces a legal effect when it affects someone’s legal rights — a credit decision, an employment decision, a benefits determination. A decision produces a similarly significant effect when it substantially affects someone’s circumstances — an insurance premium, a loan rate, a job interview invitation, a content moderation outcome that affects access to a platform.
“Solely automated” does not mean what most teams think it means. A human reviewer who rubber-stamps an AI recommendation without meaningful evaluation of the individual case does not break the solely automated chain. The human in the loop must have genuine discretion and must actually exercise it. A compliance programme that interposes a nominal human review without meaningful human agency does not satisfy Article 22.
Where Article 22 applies, you must either obtain explicit consent, establish that the processing is necessary for a contract, or rely on a Union or member state law authorisation. You must implement suitable safeguards. You must provide meaningful information about the logic involved. And you must offer the data subject the right to obtain human intervention, express their point of view, and contest the decision.
Most AI products in credit, employment, insurance, and content moderation are subject to Article 22. Most of their compliance programmes have not adequately addressed it.
The gap between what Article 22 requires and what most AI teams have implemented is one of the most significant areas of GDPR enforcement risk for AI companies in 2026 and beyond.
What GDPR compliance requires for AI products
These are the requirements that land most commonly and most significantly on AI products — distinct from the general organisational GDPR obligations your data protection programme may already address.
Processor and sub-processor agreements: Every third-party service that processes personal data on your behalf — cloud providers, AI API services, analytics tools — requires a compliant data processing agreement. Sub-processor chains in AI infrastructure are frequently longer and less well-documented than teams realise.
Lawful basis determination for every processing activity: AI systems frequently involve multiple distinct processing activities: data collection, model training, inference, logging, output generation, and model improvement. Each requires its own lawful basis. A single privacy policy entry for “AI processing” does not satisfy this requirement.
Special category data assessment: AI systems frequently process or infer special category data — health, biometric, racial or ethnic origin, sexual orientation, political opinion — without the team recognising it. Inferring a health condition from behavioural data is processing health data. The lawful basis rules for special category data are significantly more demanding than for ordinary personal data.
Article 22 automated decision-making analysis: Every AI system that produces decisions with legal or similarly significant effects must be assessed against Article 22. This includes the solely automated test, the effect test, the safeguards requirement, and the explanation obligation. Most AI products require this analysis and most have not done it adequately.
Data Protection Impact Assessment (DPIA): A DPIA is mandatory before processing that is likely to result in high risk to individuals. Large-scale processing of special category data, systematic monitoring, and automated decision-making with significant effects all trigger mandatory DPIAs. Many AI systems require DPIAs and have not conducted them.
Data minimisation and retention review: AI-specific review of what personal data the system collects, retains, and embeds — including in model weights, interaction logs, and training datasets — against the minimum necessary for each processing purpose.
Transparency and privacy notice update: Privacy notices must accurately describe AI processing, including profiling, automated decision-making, and any inference of sensitive attributes. Generic privacy notice language does not satisfy the transparency obligation for AI systems.
Data subject rights implementation: The right to erasure, the right to restriction, the right to portability, and the right of access all apply to AI-processed data and create technical implementation challenges — particularly where personal data has been used in model training. The right to erasure does not require model retraining in all cases, but the analysis must be done.
International transfer assessment: AI systems frequently involve international data transfers — to cloud providers, API services, model hosts, or development teams. Each transfer requires a lawful transfer mechanism. Standard Contractual Clauses must be accompanied by a Transfer Impact Assessment where the destination country does not provide adequate protection.
Legitimate interests assessment: Where legitimate interests is the chosen lawful basis, a documented three-part test is required: purpose test, necessity test, and balancing test. A legitimate interests assessment that has not been conducted is not a defence.
One engagement. Every GDPR obligation mapped.
A lawyer-built GDPR assessment covering lawful basis, Article 22 automated decision-making, DPIA triggers, special category data, data minimisation, and an audit-ready compliance record — for one AI system, at a fixed price.
Frequently Asked Questions About GDPR
What is GDPR and does it still apply after Brexit?
The General Data Protection Regulation is the EU’s primary data protection law, in force since 25 May 2018. It applies to organisations processing personal data about EU residents regardless of where the organisation is established. Post-Brexit, the UK retained GDPR in domestic law as UK GDPR, administered by the Information Commissioner’s Office. UK and EU GDPR are substantially similar but have diverged in specific areas. Organisations with both EU and UK users must satisfy both regimes. GDPR compliance does not automatically satisfy UK GDPR compliance and vice versa, though in practice most obligations are identical.
Does GDPR apply to AI systems specifically?
GDPR applies to any processing of personal data — including data collected, processed, inferred, or generated by AI systems. AI creates specific GDPR challenges: training data provenance, automated decision-making under Article 22, inference of sensitive attributes from non-sensitive inputs, data minimisation tension with model performance, and the technical complexity of satisfying data subject rights where personal data is embedded in model weights. Standard organisational GDPR compliance programmes do not typically address these AI-specific obligations in the detail required.
What is a DPIA and when is one required for an AI system?
A Data Protection Impact Assessment is a structured assessment of the data protection risks created by a processing activity and the measures taken to address them. It is mandatory before processing that is likely to result in high risk to individuals. For AI systems, a DPIA is mandatory where the system involves large-scale processing of special category data, systematic monitoring of publicly accessible areas, automated decision-making with significant effects, or innovative technology applied to personal data processing. Most AI systems operating at commercial scale require a DPIA. Conducting one after launch rather than before is a compliance failure, not a technicality.
What does Article 22 GDPR require for AI systems making automated decisions?
Article 22 gives individuals the right not to be subject to decisions based solely on automated processing that produce legal or similarly significant effects. Where Article 22 applies, you must have a lawful basis for the processing — explicit consent, contractual necessity, or a Union or member state law authorisation. You must implement suitable safeguards including the right to obtain human intervention, express a point of view, and contest the decision. You must provide meaningful information about the logic involved. A nominal human review that does not involve genuine individual assessment does not satisfy the solely automated threshold.
What is the lawful basis for AI training on personal data?
It depends on the data, the purpose, and the relationship with the individuals whose data is used. Legitimate interests is the most commonly relied-upon basis for AI training where consent is not practicable, but it requires a documented legitimate interests assessment and must not be overridden by the data subjects’ rights and interests. Consent is valid but creates practical difficulties — particularly the right to withdraw, which then raises questions about model retraining. Where training data includes special category data, a separate Article 9 lawful basis is required. There is no single answer; the analysis is product- and dataset-specific.
Does GDPR require AI systems to be explainable?
Partly. GDPR does not impose a general explainability requirement on AI systems. However, where Article 22 applies — automated decision-making with legal or similarly significant effects — individuals have the right to obtain an explanation of the decision, the logic involved, and its significance and envisaged consequences. This right to explanation applies to the specific decision made about the individual, not to a general description of how the model works. The explanation must be meaningful, not a technical description of the algorithm.
What GDPR obligations apply to AI systems processing biometric data?
Biometric data processed for the purpose of uniquely identifying a natural person is special category data under Article 9. Processing special category data requires both a standard lawful basis and a separate Article 9 condition — typically explicit consent, substantial public interest, or another listed ground. A DPIA is mandatory. The security obligations for biometric data are higher than for ordinary personal data. AI systems using facial recognition, fingerprint analysis, voice recognition, or other biometric identifiers for identification purposes must satisfy all of these requirements.
How does GDPR interact with the EU AI Act for AI products?
GDPR and the EU AI Act are distinct regimes that frequently land on the same AI product simultaneously. GDPR governs the personal data the system processes; the EU AI Act governs the system itself — its risk classification, technical documentation, conformity assessment, and human oversight requirements. They overlap most significantly in automated decision-making — GDPR Article 22 and EU AI Act Article 9 risk management both require assessment of decision-making AI — and in data governance, where EU AI Act Article 10 training data obligations and GDPR data minimisation requirements apply to the same datasets.
A cross-framework assessment maps where compliance with one regime contributes to compliance with the other, and where they impose distinct and non-overlapping obligations.
Can GDPR enforcement reach non-EU companies?
Yes. GDPR applies to organisations outside the EU that offer goods or services to EU residents or monitor their behaviour. The extraterritorial enforcement mechanism works through lead supervisory authorities, fines issued to non-EU entities, and — for companies without EU establishment — through Article 27 representatives. Enforcement actions have been brought against non-EU companies. The AI Act extends this extraterritorial model to AI systems specifically. A non-EU company processing EU personal data through an AI system may be subject to both GDPR and EU AI Act enforcement simultaneously.
What are the GDPR fines for non-compliance?
GDPR fines are tiered. The higher tier — violations of core principles, lawful basis, data subject rights, and international transfer rules — carries fines of up to €20 million or 4% of global annual turnover, whichever is higher. The lower tier — violations of processor obligations, security requirements, and notification duties — carries fines of up to €10 million or 2% of global annual turnover. Supervisory authorities also have the power to impose temporary or permanent bans on processing, which for an AI product can be more damaging than a financial penalty. Fines are not purely theoretical — enforcement has been active and substantial since 2018.
How do I start GDPR compliance for my AI product?
Four steps in order. First, map every personal data processing activity your AI system performs — collection, training, inference, logging, output, and model improvement — and identify the personal data involved in each. Second, establish the lawful basis for each processing activity, including a separate Article 9 analysis for any special category data. Third, assess whether Article 22 automated decision-making obligations apply and what safeguards are required. Fourth, determine whether a DPIA is mandatory and conduct one before any high-risk processing begins.
A lawyer-built product assessment covers all four steps and delivers a documented compliance position you can act on, update as the product develops, and present to a supervisory authority if required.
