GDPR & Artificial Intelligence
The EU is tightening regulations. Companies that fail to act now risk fines of up to 35 million euros. At the same time, they forfeit enormous potential by not deploying AI at all out of GDPR concerns. There is a third way: AI solutions built for data protection compliance from the ground up.
Risk Assessment
Many companies already use AI without fully understanding the data protection implications. These are the five risks we encounter most frequently in practice.
Every processing of personal data by AI requires a legal basis: consent, contract fulfilment, or legitimate interest. In practice, this is often missing because employees independently feed customer data into AI tools without involving the legal department. The result: every single processing operation constitutes a data protection violation.
Example: An HR team uses ChatGPT to summarise application documents and create candidate profiles. Names, dates of birth, qualifications, and salary expectations are transmitted to OpenAI servers in the USA – without applicant consent, without a DPA, without a documented legal basis. Following a complaint by a rejected applicant to the state data protection authority, a fine proceeding is initiated.
AI systems that process personal data require a Data Protection Impact Assessment (DPIA) in most cases. German supervisory authorities have explicitly included AI-based profiling and automated decision-making in their positive lists. Failure to conduct a DPIA means you are already in violation of the GDPR before the first productive use.
ChatGPT, Google Gemini, Microsoft Copilot: the most popular AI tools process data on US servers. Since the Schrems II ruling by the CJEU, transferring personal data to the USA is only permissible with additional safeguards. The EU-US Data Privacy Framework provides a basis but does not cover all scenarios. Supervisory authorities are scrutinising transfers with increasing rigour.
Example: A mid-market company integrates Microsoft Copilot into its CRM system to automatically respond to customer inquiries. The AI processes customer names, email addresses, order histories, and support tickets – data routed through Microsoft servers in the USA. Without careful review of Standard Contractual Clauses and a Transfer Impact Assessment, this data flow is impermissible under Art. 44 ff. GDPR.
Individuals have the right not to be subject to a decision based solely on automated processing that produces legal effects concerning them. If your company uses AI in HR processes, credit scoring, or customer scoring, you must be able to explain the logic and ensure human review.
AI systems frequently process large volumes of data and are attractive targets for attacks. Art. 32 GDPR requires security measures appropriate to the risk: encryption, pseudonymisation, access controls, and regular review. Many companies treat AI tools like any other software and neglect the special requirements for data security.
Our Approach
GDPR compliance is not a retrospective checklist. It must be built into the architecture from the start. That is exactly what we do when we automate business processes.
Every AI project begins with a data protection architecture. We minimise the processing of personal data to what is necessary, anonymise where possible, and implement access controls from day one. Data protection is not a feature – it is the foundation.
Your data never leaves German jurisdiction. We run AI models on local servers in Germany in German data centres. No data transfers to OpenAI, Google, or Microsoft. This eliminates the third-country transfer issue entirely.
We deploy open-source models like Llama and Mistral that run locally. Your customer data never flows to US services. For non-sensitive tasks such as text generation without personal data, cloud APIs can optionally be added – strictly separated from your business data.
Every AI project that processes personal data receives a documented Data Protection Impact Assessment. We identify risks, define remedial measures, and prepare the documentation your supervisory authority expects to see – before the system goes live.
All data is encrypted both in transit (TLS 1.3) and at rest (AES-256). Where possible, we pseudonymise personal data before it reaches the AI model. Deletion policies with automatic retention periods ensure data is not stored longer than necessary.
GDPR-compliant AI must fit into your existing IT landscape without creating new data protection gaps. Our system integration connects AI models with your legacy systems via secure, monitored interfaces – with a complete audit trail of every data processing operation.
Every AI interaction is logged without gaps: who submitted which data to the model and when, what output was generated, and how it was further processed. Our audit trail system creates tamper-proof records that fully meet the requirements of supervisory authorities under Art. 5(2) GDPR (accountability). During an audit, you can verifiably demonstrate every single AI processing operation – including legal basis, purpose limitation, and deletion periods. This documentation is also essential for the EU AI Act, which requires comprehensive technical documentation and record-keeping obligations for high-risk systems.
Regulation
In addition to the GDPR, the EU AI Act is being phased in. From 2026, new obligations apply to all companies that deploy or develop AI systems. The regulation classifies AI applications by risk categories.
Spam filters, AI-powered recommendations, text generation. No special obligations, but transparency requirement applies.
Chatbots, deepfakes, AI-generated content. Disclosure obligation: users must know they are interacting with AI.
AI in HR, credit scoring, applicant management, critical infrastructure. Extensive documentation, testing, and monitoring obligations.
Social scoring, real-time biometrics in public spaces, manipulative AI. Prohibited in the EU.
What mid-market companies must do: If you deploy high-risk AI systems – such as in applicant management or automated credit checks – you are required from 2026 to implement a risk management system, prepare technical documentation, ensure data quality, and guarantee human oversight.
EU AI Act fines exceed those of the GDPR: up to 35 million euros or 7% of annual global turnover for violations involving prohibited practices. For high-risk violations, fines of up to 15 million euros or 3% of turnover apply.
We support you in classifying the risk level of your AI applications, preparing the required documentation, and implementing the technical measures demanded by the AI Act – integrated into our process automation projects.
The EU AI Act timeline – deadlines you need to know: Regulation (EU) 2024/1689 entered into force on 1 August 2024 and is being phased in. From February 2025, the prohibitions on AI systems with unacceptable risk apply – including social scoring, manipulative techniques, and real-time biometrics in public spaces. From August 2025, general obligations take effect, particularly the rules for providers of general-purpose AI models (GPAI) and the AI competency requirements under Art. 4. From August 2026, the obligations for high-risk AI systems become fully applicable: risk management systems, technical documentation, data quality requirements, human oversight, and registration in the EU database. Companies deploying high-risk AI – in HR, credit decisions, or critical infrastructure – should use the remaining time to adapt their systems and processes accordingly.
Frequently Asked Questions
Answers to the questions CEOs and IT directors ask us most frequently.
Yes, but only under certain conditions. You need a legal basis under Art. 6 GDPR – typically consent, legitimate interest, or contract fulfilment. The key requirement is that data must not flow uncontrolled to third-party providers. When you run AI models on your own servers in Germany, you retain full control over data processing. Using US cloud services like the OpenAI API with real customer data is problematic from a data protection perspective, as third-country transfers under Schrems II are only permissible with additional safeguards.
GDPR-compliant AI tools process data exclusively within the EU and do not transfer personal data to US servers. These include self-hosted open-source models (e.g. Llama, Mistral), AI solutions on German cloud servers, and tools with a verifiable Data Processing Agreement (DPA) under Art. 28 GDPR. What matters is not the tool itself, but how it is configured and operated. Even a fundamentally GDPR-compliant tool becomes problematic if it is misconfigured.
GDPR fines can reach up to 20 million euros or 4% of annual global turnover – whichever is higher. The EU AI Act introduces additional sanctions of up to 35 million euros. In practice, fines imposed by German supervisory authorities are frequently in the six-figure range. Reputational damage, legal costs, and potential compensation claims from affected individuals under Art. 82 GDPR add to the total. The overall economic damage of a data protection violation often exceeds the fine many times over.
In most cases, yes. Art. 35 GDPR requires a Data Protection Impact Assessment (DPIA) when data processing is likely to result in a high risk to the rights and freedoms of individuals. AI systems that process personal data, perform profiling, or make automated decisions almost always fall into this category. German supervisory authorities have explicitly listed AI-based processing in their positive lists requiring a DPIA. We recommend incorporating the DPIA as a standard component of every AI project – it not only protects against fines but also uncovers technical vulnerabilities early.
ChatGPT processes all inputs on OpenAI servers in the USA. Any input containing personal data constitutes a third-country transfer. GDPR-compliant AI solutions, by contrast, run on servers in Germany or the EU. The data never leaves European jurisdiction. With self-hosted models, you can precisely control which data is processed, how long it is stored, and who has access – requirements that cannot be met with ChatGPT. The performance of modern open-source models is on par with ChatGPT for most business applications.