GDPR-compliant AI for companies: what really matters
AI has arrived in the mid-market — unfortunately often through the back door. Employees use ChatGPT because it makes their work faster, copying quotes, customer data and contracts into a tool whose data flows nobody in the company oversees. The legitimate question that follows is rarely "Is AI allowed?", but rather: How do we use AI without losing control over our data?
There is a lot of half-knowledge circulating around this topic — from "AI in companies is forbidden" to "with a German provider you are automatically safe." Both are wrong. This guide clears that up and shows what actually matters for GDPR-compliant AI. Without scaremongering, without wagging a finger.
What "GDPR-compliant AI" really means — and what it doesn't
First, the most important clarification: "GDPR-compliant AI" is not a product you buy, and not a seal a provider sticks on its website. It is a property of your usage — that is, of which data you process, how, where, and on what legal basis.
From this follow two widespread misconceptions that can become expensive:
Misconception 1: "An EU provider is automatically compliant." The provider's location is just one factor among several. A European tool, too, needs a sound legal basis, a data processing agreement (DPA) and correct documentation. Geography alone does not protect you.
Misconception 2: "Local AI is automatically GDPR-compliant." Self-hosting elegantly solves the biggest problem — the transfer of data to third countries. But it does not make you automatically compliant. Even if a model runs on your own server, you still need a legal basis for the processing, you have to limit the purpose, and you have to inform your employees transparently. Sovereignty is half the battle, not the whole of it.
GDPR compliance therefore does not arise from one checkbox, but from the interplay of several levers. Let's look at the most important one first.
The real crux: where do your data flow?
As soon as personal data reach a US tool, they usually leave the European legal sphere. This is exactly where the legal uncertainty sits — and where the market sells the most fear. So here is the sober state of play (as of 26 June 2026):
Transfers to the USA are not categorically illegal. Since 2023 there has been the EU-US Data Privacy Framework (DPF), an adequacy decision by the EU Commission that permits transfers to certified US companies. In September 2025 the General Court of the European Union dismissed a first challenge to it and confirmed the framework — which provides legal certainty in the short term.
The honest assessment, however, is this: the DPF is a valid but not definitively secured basis. An appeal to the European Court of Justice is pending, the framework rests on a US executive order and therefore depends on the respective US administration, and its two predecessors — Safe Harbour and Privacy Shield — were already struck down by the ECJ. Another annulment ("Schrems III") cannot be ruled out. Anyone who bases their entire AI strategy solely on the DPF is building on sand that may shift.
Also important: even if the DPF applies, it only legitimises the transfer. You still need a DPA and a legal basis for the actual processing purpose.
In practice, the pragmatic standard looks like this: reputable US providers offer a double safeguard for their business products. ChatGPT Enterprise, for example, can be based on the DPF, keeps standard contractual clauses as a fallback, and offers EU data residency plus, for eligible customers, inference residency. In addition, OpenAI does not use Business and Enterprise inputs for training by default. That is defensible — but a residual risk and an ongoing documentation burden remain. For many SMEs the simpler answer is: don't let the problem arise in the first place.
The three levers for GDPR-compliant AI
From practice, three levers can be distilled on which compliance is decided. Anyone who answers these three cleanly has the essentials under control.
1. The data location. Where does the actual processing — the AI inference — take place? In a US cloud, in an EU data centre, or on your own infrastructure? The closer the data stay to you, the smaller the third-country question becomes. With fully local processing, it disappears entirely.
2. Model and provider. Do you rely on a closed US API or on an open-source model you can run yourself? Do providers release your inputs for training or not? Is there a solid DPA in place? Open-source models have a structural advantage here: you can put them wherever you want, and nobody secretly trains on your data.
3. Purpose, legal basis and transparency. For which purpose do you process which data, and on what legal basis? Are your employees informed? Is it documented which AI tool is used for what? This documentation is not only a GDPR obligation — it is also the basis for your AI inventory under the EU AI Act, which has been placing increasing obligations on SMEs since 2026.
Three ways to use AI in a GDPR-compliant manner
There is no single right way, but a spectrum — with honest pros and cons.
Path 1 — US service with safeguards (DPF, SCCs, EU residency). Quick to get started, the largest feature set, familiar tools. The price: residual risk from the third-country question, an ongoing documentation burden, and dependence on a provider whose prices and terms you do not control.
Path 2 — EU-hosted services. The third-country question eases considerably. But you remain dependent on an external provider and should check carefully where inference actually takes place.
Path 3 — self-hosted or on-premise. Maximum data ownership: the data never leave your premises, the third-country question disappears entirely, and there is no vendor lock-in. The effort for setup and operation is higher — but in return the system is yours, for good. For sensitive data and for companies that don't want to leave sovereignty to chance, this is the calmest path.
Which path fits depends on your protection needs, your budget and the speed you want. There is no universally best answer — only the one that fits your situation.
What this means in practice
The most common mistake is not the wrong tool choice. It is making no conscious choice at all — and letting the team work uncontrolled with public tools in the meantime. This "shadow AI" is not a discipline problem but the result of a missing tool. As soon as your team has a secure, fast alternative they actually enjoy using, the problem resolves itself.
That is exactly the core of GDPR-compliant AI in practice: a clearly defined, documented AI workplace where you know where your data are, instead of hoping.
Note: This article offers professional orientation but does not replace legal advice. For a binding assessment of your specific case, please consult qualified legal counsel.
Frequently asked questions
Is ChatGPT GDPR-compliant? Free consumer ChatGPT is problematic for company data. The business versions (Business/Enterprise), however, can be used compliantly — with the DPF, standard contractual clauses, EU data residency and no training on your inputs — provided you configure and document it correctly. A residual risk from the data transfer remains.
Which AI is GDPR-compliant? None "out of the box." Compliance arises from how you use it: data location, provider and model, legal basis and documentation. Self-hosted or EU-hosted solutions make it considerably easier.
Do I need a data processing agreement (DPA)? As soon as an external service provider processes personal data on your behalf: yes. With fully local processing and no external processor, this point does not apply.
Do my data absolutely have to stay in the EU? Not necessarily — under the DPF and supplementary safeguards, US transfers are currently possible. For sensitive data, however, keeping it in the EU or in-house is the lowest-risk path, because the entire third-country question disappears.
Is local AI automatically GDPR-compliant? No. Local processing solves the transfer question, but you still need a legal basis, purpose limitation and transparency towards your employees.
Want to know where your company stands today — and which AI usage is feasible in a sovereign and compliant way? The Sovereignty Check creates clarity within a week: where data leak today, what falls under the EU AI Act, and which processes can be safely automated.