14-day free trial on all website plans
All posts
Opinion·4 min read

A practical GDPR compliance checklist for choosing AI tools

How European businesses can navigate data residency, model hosting, and processor agreements without halting their AI adoption.

European businesses cannot afford to ignore artificial intelligence, but they also cannot afford the regulatory and financial penalties of a GDPR breach. For a long time, the prevailing narrative has been that GDPR and AI are fundamentally incompatible. This is a misconception. You can adopt modern AI tools safely, but it requires moving past marketing promises and looking closely at how these tools handle your data.

Navigating compliance does not mean halting your AI initiatives. It means establishing a clear, repeatable process for auditing the tools you bring into your organization.

Here is a practical framework for choosing AI tools that respect European data privacy laws.

1. Trace the physical path of your data

The cloud is just someone else’s computer, and in the case of AI, that computer is often in North America. Under GDPR, transferring personal data outside the European Economic Area (EEA) requires specific legal safeguards.

When evaluating an AI vendor, you must ask where the data is processed and where it is stored.

  • Data in transit: When a user types a prompt into an AI tool, where is that data sent?
  • Data at rest: Where are the inputs, outputs, and logs stored?
  • Model hosting: Is the AI foundation model (e.g., GPT-4, Claude) hosted in an EU-based data center, or is it routed to US-based servers?

Many major AI providers now offer "EU data residency" or "EU sovereignty" tiers. Ensure these options are active on your account; they are rarely the default setting.

2. Secure a robust Data Processing Agreement (DPA)

A standard terms-of-service agreement is not sufficient for business compliance. You must sign a Data Processing Agreement (DPA) with any AI vendor that handles personal data.

A compliant DPA must clearly outline:

  • The categories of data being processed.
  • The purpose of the processing.
  • The technical and organizational measures used to protect the data.
  • Standard Contractual Clauses (SCCs) if data leaves the EEA.

If an AI provider does not offer a clear, easily accessible DPA, or if they refuse to sign one, they are not suitable for business use.

3. Verify the "No Training" policy

This is the most critical technical nuance of AI compliance. By default, many consumer-facing AI tools use your inputs (prompts) and outputs to train their future models. If a staff member pastes customer information into a public AI tool, that data could theoretically be reproduced in a future output to a competitor.

For business operations, you must ensure that your data is excluded from the vendor's training sets.

  • API vs. Consumer Interface: Most providers (like OpenAI or Anthropic) explicitly state that data sent via their APIs is not used for training. However, data typed into their free or standard web interfaces often is used for training unless you manually opt out.
  • Look for "Zero Data Retention" (ZDR): Some specialized APIs offer immediate deletion of your data once the request is processed, meaning the vendor never stores the logs.

4. Map the sub-processors

AI tools are rarely built from scratch. A software company might sell you an AI-powered CRM, but behind the scenes, they are calling OpenAI’s API, storing data on Amazon Web Services (AWS), and tracking analytics with another third party.

Under GDPR, your vendor must disclose all "sub-processors"—the third parties they share your data with. You must review this list to ensure that none of these sub-processors break your compliance chain, particularly those located outside the EEA.

The Compliance Checklist

Use this quick checklist when vetting any new AI vendor:

  • Data Origin: Does the tool process and store personal data within the EEA?
  • DPA: Is there a signed, legally binding Data Processing Agreement in place?
  • Training Opt-Out: Does the vendor explicitly state, in writing, that our data will not be used to train their models?
  • Sub-processors: Are all third-party sub-processors identified and GDPR-compliant?
  • Access Controls: Can we restrict which employees have access to the tool and what data they can input?
  • Data Portability & Deletion: Can we easily export our data and request its permanent deletion from the vendor's systems?

Terho's take

The most common mistake we see small and mid-sized businesses make is letting fear paralyze their AI adoption, or conversely, letting enthusiasm blind them to the risks.

Here is the reality: you do not need to build your own AI models from scratch to remain compliant. For 90% of business use cases, the safest and most practical path is to use established cloud infrastructure—such as Microsoft Azure or Google Cloud (via their EU data centers)—to access these models.

When you use enterprise cloud providers to run AI, you inherit their enterprise-grade GDPR compliance, security controls, and data residency guarantees.

Our advice is simple: ban your team from pasting company or customer data into free, consumer-grade AI tools. Instead, provide them with secure, company-approved alternatives that run on enterprise APIs with strict "no-training" policies. It protects your brand, keeps the regulators happy, and allows your team to work faster without the anxiety.