GDPR applies to AI tools whenever personal data of EU residents is processed, including employees entering customer info into AI tools, AI analyzing employee data, AI in hiring decisions, and automated decisions affecting EU residents under Article 22.
There is no AI exception in GDPR. The regulation is technology-neutral. Every principle that applies to a database or spreadsheet processing personal data applies equally to an AI tool processing that same data.
TL;DR: Yes, GDPR applies to AI tools whenever EU personal data is involved, with no exceptions.
GDPR and AI: The General Data Protection Regulation applies to AI tool usage whenever personal data of EU residents is processed, regardless of organization location.
The question is not whether GDPR applies to AI tools. It does. The question is which specific GDPR requirements apply to your AI use cases, and what you must do to comply. Many organizations assume their AI tools are exempt because they use them for "internal productivity." That assumption is wrong if any personal data is involved.
This guide maps the specific GDPR articles that apply to AI usage, explains the critical Article 22 requirements for automated decision-making, identifies when a Data Protection Impact Assessment is required, and lists what your AI vendor agreements must include.
Which GDPR Articles Apply
GDPR's requirements apply broadly to AI tool usage. The table below maps the most relevant articles to specific AI applications and the actions organizations must take.
| Article | Covers | AI Application | Must Do |
|---|---|---|---|
| Article 5 (Principles) | Lawfulness, fairness, transparency, purpose limitation, data minimization | All AI processing of personal data | Document lawful basis, limit data to what is necessary, be transparent about AI use |
| Article 6 (Lawful Basis) | Legal grounds for processing personal data | Feeding personal data into AI tools | Identify and document lawful basis for each AI use case involving personal data |
| Article 13/14 (Transparency) | Information provided to data subjects | AI decisions affecting individuals | Inform data subjects when AI processes their data, explain the logic involved |
| Article 22 (Automated Decisions) | Rights related to automated decision-making and profiling | AI-driven hiring, credit scoring, service eligibility | Provide human review, right to contest, explanation of decision logic |
| Article 25 (Privacy by Design) | Data protection built into processing systems | Configuring AI tools and workflows | Choose AI tools with privacy features, configure data minimization, enable privacy controls |
| Article 28 (Processor Agreements) | Requirements for data processors | AI vendors processing data on your behalf | Execute Data Processing Agreements with all AI vendors handling personal data |
| Article 35 (DPIA) | Impact assessments for high-risk processing | AI profiling, automated decisions, large-scale monitoring | Conduct DPIA before deploying high-risk AI use cases |
This is not an exhaustive list. Other GDPR articles may apply depending on your specific AI use cases. The articles above are the ones most frequently triggered by AI tool usage.
Article 22 and AI Decision-Making
Article 22 is the GDPR provision most directly aimed at AI. It grants EU residents the right not to be subject to decisions based solely on automated processing that significantly affect them. Understanding when it applies and what it requires is critical.
Article 22 applies when:
- An AI tool makes or significantly influences a decision about a person
- The decision produces legal effects or similarly significant effects (employment, credit, insurance, service access)
- No meaningful human review occurs before the decision takes effect
- The data subject is an EU resident, regardless of where your organization is located
Article 22 requires:
- Meaningful human oversight of AI-driven decisions, not rubber-stamping
- The right for individuals to obtain human intervention
- The right to express their point of view and contest the decision
- An explanation of the logic involved in the automated decision
- Safeguards against discriminatory effects
To comply, organizations must:
- Identify all AI use cases where automated decisions affect EU residents
- Implement human review processes with genuine decision-making authority
- Build mechanisms for individuals to contest AI decisions
- Document the logic of AI decision-making systems in plain language
- Test for and mitigate discriminatory outcomes on a regular schedule
The most common compliance failure is treating human review as a formality. Supervisory authorities have stated that a human who always accepts the AI recommendation without meaningful evaluation does not constitute adequate oversight.
When AI Usage Requires DPIA
A Data Protection Impact Assessment (DPIA) is mandatory before deploying AI use cases that create high risk to individuals. The table below identifies common AI use cases and whether a DPIA is required.
| Use Case | DPIA Required | Why |
|---|---|---|
| AI-assisted hiring and recruitment | Yes | Automated evaluation of candidates produces significant effects on individuals |
| AI analyzing employee performance | Yes | Systematic monitoring and evaluation of employees in the workplace |
| Customer profiling for marketing | Yes | Profiling individuals for targeted decisions about service or offers |
| AI chatbot handling customer queries | Likely yes | Processes personal data at scale; risk depends on data categories collected |
| Internal document summarization | Depends | Required if documents contain personal data of EU residents |
| AI code generation (Copilot, etc.) | Usually no | Typically does not process personal data unless code contains PII |
| AI-driven fraud detection | Yes | Automated decisions that produce legal or significant effects on individuals |
| AI content generation for marketing | Usually no | No personal data processing unless generating personalized content |
When in doubt, conduct the DPIA. The cost of an unnecessary DPIA is a few hours of documentation. The cost of a missing DPIA when one was required is a regulatory finding and potential fine.
Map your GDPR obligations. PolicyGuard helps you identify which AI use cases trigger GDPR requirements, track DPIAs, and maintain vendor DPA records. Read our EU AI Act compliance guide for the full regulatory landscape, or book a demo to see automated compliance mapping.
PolicyGuard helps companies like yours get AI governance documentation audit-ready in 48 hours or less.
Start free trial →What GDPR Requires From AI Vendors
When an AI vendor processes personal data on your behalf, GDPR Article 28 requires a Data Processing Agreement (DPA). Your DPA with each AI vendor must include these five requirements at minimum.
- Processing scope and purpose: The DPA must specify exactly what personal data the AI vendor processes, for what purpose, and for how long. Vague language like "to provide the service" is insufficient. Define the data categories, processing activities, and retention periods explicitly.
- Sub-processor transparency: The AI vendor must disclose all sub-processors that handle personal data and notify you before adding new ones. Many AI vendors use infrastructure providers, model hosting services, and analytics tools that also process your data. You need visibility into the full chain.
- Data location and transfer safeguards: The DPA must specify where personal data is processed and stored. If data transfers outside the EU occur, appropriate safeguards (Standard Contractual Clauses, adequacy decisions) must be in place. Confirm whether the AI vendor sends prompt data to servers in jurisdictions without adequacy decisions.
- Training data exclusion: The DPA should explicitly state whether the AI vendor uses your data to train or improve its models. If it does, this likely requires separate consent and changes your lawful basis analysis. Many AI vendors have opted out of training on enterprise data, but confirm this in writing within the DPA.
- Data subject rights support: The AI vendor must assist you in responding to data subject access requests, deletion requests, and other rights under GDPR. If a data subject asks what personal data an AI tool processed about them, you need the vendor's cooperation to answer. The DPA must obligate the vendor to support these requests within defined timeframes.
Review your existing AI vendor agreements against these requirements. Many standard terms of service do not meet GDPR DPA standards. See our 2026 regulatory compliance guide for a broader view of vendor compliance obligations across jurisdictions.
FAQ
Does GDPR apply if our organization is not in the EU?
Yes, if you process personal data of EU residents. GDPR applies based on the data subject's location, not your organization's location. A US company whose employees paste EU customer data into ChatGPT is processing EU personal data and must comply with GDPR for that processing activity.
Are AI-generated summaries of personal data considered processing?
Yes. Summarizing, analyzing, categorizing, or extracting insights from personal data using AI tools constitutes processing under GDPR. The output format does not matter. If personal data goes in, GDPR applies to the entire processing chain including the AI tool.
What if our AI vendor says they do not store prompts?
Processing includes temporary handling, not just storage. Even if the vendor does not persist prompt data, the act of processing it through their system is covered by GDPR. You still need a DPA, and you still need to ensure the processing has a lawful basis. No-storage claims reduce some risks but do not eliminate GDPR obligations.
Can employees use AI tools for personal data if they anonymize it first?
Truly anonymized data falls outside GDPR scope. However, achieving genuine anonymization is harder than most people assume. Pseudonymized data (replacing names with codes) is still personal data under GDPR. Ensure employees understand the difference, and consider whether the AI tool itself could re-identify data from context.
What are the penalties for GDPR violations involving AI tools?
GDPR penalties apply equally to AI-related violations. Article 83 allows fines up to 20 million euros or 4% of global annual turnover, whichever is higher. Supervisory authorities have shown willingness to issue fines for automated decision-making violations and insufficient transparency about AI processing. The penalty amount depends on the violation's severity, duration, and the organization's cooperation.
Get GDPR-compliant AI governance. PolicyGuard tracks which AI tools process personal data, manages vendor DPAs, flags DPIA requirements, and generates compliance evidence for supervisory authorities. Book a demo to see how it works.
