16 May 2026 · consulting

gdpr + ai 2026

Which obligations actually apply in 2026: legal bases, DPA, DPF status of US providers, transparency, deletion workflows.

by tokyn studio · 5 min read

GDPR + AI 2026 — Consulting

TL;DR. Deploying AI under GDPR requires a legal basis for processing personal data, a data-processing agreement (DPA) with the LLM provider, and (for US providers) a secured third-country transfer. The EU-U.S. Data Privacy Framework currently covers most relevant US LLMs. As of 2026-05.

what does "gdpr + ai" actually mean?

GDPR applies the moment personal data is processed — names, email addresses, IPs, but also indirectly identifiable information. AI systems typically process such data: an employee drafts an email about a customer via Copilot, a voice agent talks to a named caller, a RAG system indexes customer records. GDPR obligations remain fully in force — the EU AI Act complements them, it doesn't replace them.

legal bases for ai use cases

Every processing operation needs a legal basis (Art. 6 GDPR). For SMB AI use cases, three are typically relevant:

Art. 6 (1) (b) — Performance of a contract. When a voice agent takes calls to deliver a contractually owed service, processing the call data is covered by contract performance. Precondition: AI usage is necessary (or at least "near-necessary"), not merely convenient.

Art. 6 (1) (f) — Legitimate interests. For internal AI tools (Company-GPT for research, classification of inbound mail), legitimate interests is often the cleanest basis. Obligation: a documented balancing test weighing the company's interest against the affected persons' interests.

Art. 6 (1) (a) — Consent. When you deploy AI toward end-customers whose data isn't needed for contract performance (sentiment analysis of mails, AI marketing personalisation), you need consent. It must be freely given, informed and revocable at any time.

dpa under art. 28 — what comes from the llm provider

The moment you use an external LLM provider (OpenAI, Anthropic, Microsoft, Google, Langdock), they are data processors. Obligation: a data processing agreement covering at minimum:

  • Subject matter and duration of processing
  • Nature and purpose of processing
  • Categories of data and affected persons
  • Obligations and rights of the controller
  • Confidentiality and technical/organisational measures
  • Sub-processors (e.g. the cloud provider underlying the LLM)
  • Support for the controller on data-subject requests (access, deletion, DPIAs)
  • Return or deletion of data at the end of the engagement

What's standard in 2026: every serious enterprise-tier LLM provider supplies a DPA. Free or consumer tiers (ChatGPT Plus, Anthropic Plus) do not — so no business processing of personal data on these plans.

third-country transfers: dpf, sccs, or eu-only

Most LLM providers are US companies. Transferring personal data to the US needs a legal basis under Chapter V GDPR.

EU-U.S. Data Privacy Framework (DPF). In force since 10 July 2023. Adequacy decision by the European Commission. Currently certified: Microsoft, OpenAI, Anthropic, Google, AWS, many others — status verifiable at `dataprivacyframework.gov/list`. Transfers to DPF-certified recipients are permitted.

EU Standard Contractual Clauses (SCCs). If a provider isn't (or is no longer) DPF-certified, or as a redundant safeguard: SCCs under Art. 46 (2) (c) GDPR. Bundled with the enterprise DPAs of most providers.

Risk: political fragility of the DPF. The DPF could be struck down by a court challenge at any time (as Schrems II struck down Privacy Shield). To avoid this exposure, choose EU-only providers (Mistral, Aleph Alpha, Langdock) or self-hosted open-source models (Llama, Mixtral, OLMo).

transparency obligations toward staff and customers

Two audiences:

Staff. When an AI system is deployed in the workplace, information obligations under Art. 13/14 GDPR apply — plus works-council co-determination (where applicable, § 87 BetrVG in Germany). Obligation: a written explanation of which AI system is used, what data it processes, for which purpose.

Customers / end-users. When AI meets end-users (voice agent, chatbot), inform them about the AI interaction. This is both a GDPR obligation (Art. 13) and an EU AI Act obligation (Art. 50 — see our [EU AI Act guide](/blog/eu-ai-act-leitfaden)).

pragmatic steps for smbs

1. Update the records of processing activities (Art. 30). Every AI use case goes in, with legal basis, processor and data categories.
2. DPA inventory. Conclude a DPA with every LLM, embedding and AI-tool provider — before production deployment.
3. Transparency building blocks. Pre-built notices for voice agents (greeting), chatbots (first-message banner), internal tools (onboarding material).
4. Deletion pipeline. When running RAG, you need a technical workflow to remove data from the index on deletion requests (see also our [RAG explainer](/blog/rag-erklaert)).
5. Data protection impact assessment (Art. 35). Required when "high risk to rights and freedoms is likely" — for high-risk AI systems (applicant scoring, automated decisions) or processing of special data categories (health, recruiting, large-scale employee data).
6. Concept documentation. Recommended under GDPR, partly required under the AI Act. Doing both in parallel halves the doc effort.
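To make step 4 concrete, here is an added example of a deletion pipeline for a RAG index. It is illustration code written for this post, not tokyn's tooling or any vector-store library's API, and the index, the hash-based stand-in for an embedding model and the sample CRM records are all constructed. The point it shows: tag every chunk with a pseudonymous data-subject key at ingestion, so an Art. 17 request is executed by key (chunks and their vectors together) rather than by searching the index for a name, and log a verifiable audit record for each request.

```python
"""Constructed example: a data-subject erasure workflow for a RAG index.

Every chunk is tagged at ingestion with the data subject it concerns, so a
deletion request can be executed by key instead of by fuzzy text search.
The in-memory index, the hash "embedding" and the sample records are all
constructed for this illustration; a real deployment would issue the same
deletes against its vector store and document store.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
import hashlib


@dataclass(frozen=True)
class Chunk:
    chunk_id: str
    subject_id: str   # pseudonymous key of the person the text is about
    source_doc: str
    text: str
    embedding: tuple  # placeholder vector; stands in for a real embedding


def fake_embed(text: str, dims: int = 4) -> tuple:
    """Deterministic stand-in for an embedding model (constructed, not real)."""
    digest = hashlib.sha256(text.encode("utf-8")).digest()
    return tuple(digest[i] / 255.0 for i in range(dims))


class RagIndex:
    """Minimal chunk store with a subject -> chunk reverse index for erasure."""

    def __init__(self) -> None:
        self.chunks: dict[str, Chunk] = {}
        self.by_subject: dict[str, set[str]] = {}
        self.audit_log: list[dict] = []

    def ingest(self, source_doc: str, subject_id: str, text: str,
               chunk_words: int = 6) -> list[str]:
        """Split text into chunks, embed, and record which subject each chunk belongs to."""
        words = text.split()
        ids = []
        for n, start in enumerate(range(0, len(words), chunk_words)):
            piece = " ".join(words[start:start + chunk_words])
            cid = f"{source_doc}#{n}"
            self.chunks[cid] = Chunk(cid, subject_id, source_doc, piece, fake_embed(piece))
            self.by_subject.setdefault(subject_id, set()).add(cid)
            ids.append(cid)
        return ids

    def search(self, needle: str) -> list[str]:
        """Keyword retrieval stand-in; returns ids of chunks containing needle."""
        return sorted(cid for cid, c in self.chunks.items() if needle.lower() in c.text.lower())

    def erase_subject(self, subject_id: str, request_ref: str) -> dict:
        """Execute an Art. 17 request: drop every chunk (and its vector) for the subject."""
        ids = self.by_subject.pop(subject_id, set())
        docs = set()
        for cid in ids:
            docs.add(self.chunks.pop(cid).source_doc)
        record = {
            "request_ref": request_ref,
            "subject_id": subject_id,
            "chunks_removed": len(ids),
            "source_docs": sorted(docs),
            "completed_at": datetime.now(timezone.utc).isoformat(),
            "verified": self.verify_erased(subject_id),  # independent re-check
        }
        self.audit_log.append(record)
        return record

    def verify_erased(self, subject_id: str) -> bool:
        """Independent check: no chunk, in any index, still references the subject."""
        if subject_id in self.by_subject:
            return False
        return all(c.subject_id != subject_id for c in self.chunks.values())


def demo() -> tuple:
    """Constructed sample run; returns (hits before, hits after, audit record)."""
    idx = RagIndex()
    # Constructed records; subject ids are pseudonymous keys, not raw names.
    idx.ingest("crm-ticket-1001", "subj-7f3a",
               "Call with Anna Example about delayed delivery, refund agreed after complaint")
    idx.ingest("crm-ticket-1002", "subj-9c21",
               "Call with Ben Sample about invoice question, resolved on first contact")
    before = len(idx.search("Anna"))
    record = idx.erase_subject("subj-7f3a", request_ref="DSR-2026-0042")
    after = len(idx.search("Anna"))
    return before, after, record


if __name__ == "__main__":
    hits_before, hits_after, audit = demo()
    print(f"hits before: {hits_before}, after: {hits_after}, removed: {audit['chunks_removed']}")
```

Two design choices worth copying into a real setup: the reverse index `by_subject` is what makes erasure complete, because a chunk that mentions a person without containing their name would otherwise survive a text search; and `verify_erased` walks the whole store independently of that reverse index, so the audit record proves the outcome rather than just the intent.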

what we do at tokyn

We bundle GDPR + AI setup as an integral part of our [consulting](/consulting) and [Company-GPT projects](/company-gpt). Concretely:

  • Records-of-processing-activities updates per AI use case
  • DPA templates for the LLM providers in use
  • Transparency notices (DE + EN, for voice and text)
  • Deletion workflows for RAG indexes
  • Where needed: DPIA support

If you want to know how this looks for your situation: a 30-minute [intro call](/kontakt) is free and pitch-deck-free.

sources

  • [General Data Protection Regulation (GDPR, consolidated)](https://eur-lex.europa.eu/eli/reg/2016/679/oj)
  • [German Federal Data Protection Commissioner: AI guidelines](https://www.bfdi.bund.de/EN/Home/home_node.html)
  • [EU-U.S. Data Privacy Framework — provider list](https://www.dataprivacyframework.gov/list)
  • [tokyn glossary: GDPR + AI](/glossar#dsgvo-ai), [EU AI Act](/glossar#eu-ai-act)

next step

your case, concretely — let's talk.

30 minutes, no pitch deck. We look at your use case and tell you honestly whether — and how — it's worth doing.
