How does the GDPR apply to AI? Definition and business implications

The GDPR governs all personal-data processing by an AI system operated in Europe or concerning Europeans. Four obligations take priority: an explicit purpose, data minimisation, the rights of access and objection, and an impact assessment for high-risk processing.

The General Data Protection Regulation (GDPR, European Regulation 2016/679) applies to any AI system as soon as it processes personal data (name, email, IP address, purchase history, image, voice). Four obligations structure the analysis for AI deployments.

  1. Explicit purpose: an AI system may only process data for uses clearly defined in advance and notified to the persons concerned.
  2. Minimisation: only the data strictly necessary for that purpose is processed, and no more.
  3. Rights of persons: access, rectification, objection, portability and erasure.
  4. Impact assessment (DPIA, Data Protection Impact Assessment): mandatory for any AI processing that presents a high risk to rights and freedoms, which covers most non-trivial enterprise use cases.

In 2024 the CNIL published specific AI guidelines; they carry authority in France and are taken up at European level via the EDPB.

Concrete example

A French e-commerce company deploys an AI chatbot for its customer service. Three GDPR questions must be settled before going to production. First, on what legal basis does the processing rest (consent, legitimate interest, performance of a contract)? Second, are the conversations transmitted to a sub-processor outside the EU (OpenAI, Anthropic via API)? If so, standard contractual clauses and a transfer impact assessment (TIA) are required. Third, for how long are the conversations retained? Without a precise answer on these three points, the deployment is legally fragile, and the CNIL can issue an administrative fine of up to 4% of the group's worldwide turnover.

Further reading

Artificial intelligence, recommendations and guides, CNIL (page in French)

Sources

  1. Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (GDPR). https://eur-lex.europa.eu/eli/reg/2016/679/oj (accessed 2026-05-24)
  2. Artificial intelligence, recommendations and guides, CNIL, 2024 (resource available in French only). https://www.cnil.fr/fr/intelligence-artificielle (accessed 2026-05-26)