
GDPR and AI: which measures does the law require for AI use?

The GDPR does not mention AI, but it applies the moment you put personal data into an AI tool. Here are the concrete measures: lawful basis, data minimisation, processor role, transfers, and security.

Quick answer

The GDPR applies the moment you process personal data in an AI tool, including a chatbot. The core measures are: a valid lawful basis and purpose limitation, data minimisation (only the data you need), a data processing agreement with the vendor, attention to international transfers if the tool runs outside the EU, appropriate security, and a DPIA for high risk. The most practical measure is data minimisation at the source: keep traceable data out of the prompt.

1. The GDPR applies to every piece of personal data you put into an AI tool
2. Lawful basis, purpose limitation, and data minimisation are the starting point
3. A data processing agreement with the AI vendor is usually required
4. For tools outside the EU, international transfer rules apply (adequacy or SCCs)
5. Data minimisation at the source is the measure with the most impact

Bjorn, a planner at a care provider, pastes a referral letter into ChatGPT to turn it into a tidy summary. The name, date of birth, and diagnosis go along with it. Convenient, and done in two seconds. Under the GDPR, though, that is processing of special-category data, outside the organisation, with no one having reviewed it.

The GDPR was written before everyone had an AI assistant in the browser. That changes nothing about the rules: if you put personal data into an AI tool, that is processing, and all GDPR obligations apply. So the question is not whether the GDPR applies, but which measures you concretely have to take. Here is the practical list.

Measure 1: lawful basis and purpose limitation

Every processing of personal data needs a lawful basis, such as a legitimate interest, a contract, or consent. And the data may only be used for the purpose it was collected for. A customer address you hold for invoicing cannot simply go into an AI tool for a different purpose. So start with the question: why is this data in this prompt, and is that allowed?

Measure 2: data minimisation

Article 5 of the GDPR requires data minimisation: do not process more data than needed for the purpose. With AI this is the measure with the most impact, because the problem usually sits in the prompt itself. Rewriting a support reply works without a real name, account number, or IBAN. Sharpening an assessment works without the salary or medical context. Keep the task, drop the traceable data. See also what you can and cannot share with AI.

Measure 3: settling the processor role

Whoever decides why and how data is processed is the controller. An AI vendor that processes personal data on your behalf is a processor, and then a data processing agreement (Article 28 GDPR) is usually required. It sets out what the vendor may and may not do with the data.

Watch the difference between accounts. Many free and personal AI accounts run under a consumer policy without a processing agreement, and may use your input to improve the model. For business use with personal data, a managed business environment with a processing agreement is the starting point.

Measure 4: international transfers

Many AI providers are based outside the EU, often in the US. Sending personal data outside the EU is only allowed with a valid transfer basis: an adequacy decision, standard contractual clauses (SCCs), or another lawful route. This is a reason to check, when choosing an AI tool, where the data is processed. More on this in data sovereignty and AI prompts.

Measure 5: appropriate security

Article 32 requires appropriate technical and organisational measures. With AI use, that includes approved tools and account tiers, agreements on what staff may share, and a way to prevent sensitive data from being sent by accident. So security here is not only about the vendor, but also about behaviour on the work floor.

Measure 6: a DPIA for high risk

For processing likely to result in a high risk to individuals, a Data Protection Impact Assessment is required. Think of large-scale processing of special-category data or systematic monitoring. For sensitive AI use a DPIA is often needed, and it is the moment you test whether the processing is proportionate.

Measure 7: data subject rights

People have the right of access, rectification, and erasure. That means you need to know which personal data is processed through AI tools and where it ends up. See also how to turn off training on your data and request deletion.

How BeeSensible supports these measures

Most GDPR measures come together in one moment: the prompt. That is where it is decided which personal data leaves the organisation. BeeSensible highlights sensitive data while someone types in browser-based AI tools, so it can be removed, replaced with a realistic alternative, or masked before the prompt is sent.

An example: an employee pastes a customer email with a name, an IBAN, and a phone number. The sensitive data gets a highlight. The employee replaces the name with "Customer A" and removes the IBAN. The task, drafting a polite reply, stays intact, but the traceable data does not leave the organisation. That supports data minimisation (measure 2), security (measure 5), and in practice purpose limitation too.
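As an added illustration of the "prevent sensitive data from being sent by accident" part of measure 5 and of the walk-through above, here is a small prompt-side minimiser written for this article; it is example code, not BeeSensible's own. It assumes the user supplies their own name replacements (names cannot be reliably found by pattern, which is why the employee above replaces the name by hand), and the customer e-mail it scans is a constructed sample.

```javascript
// Added example, not BeeSensible's code: a prompt-side data-minimisation check.
// It takes the text a user is about to send to an AI tool, applies the user's own
// replacements (e.g. a name -> "Customer A"), then masks IBANs, e-mail addresses
// and phone numbers it can detect itself. IBAN candidates are confirmed with the
// ISO 7064 mod-97 check so a random run of letters and digits is not flagged.

const IBAN_RE = /\b[A-Z]{2}\d{2}(?:\s?[A-Z0-9]{4}){2,7}(?:\s?[A-Z0-9]{1,4})?\b/g;
const EMAIL_RE = /\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b/g;
// Coarse phone pattern; it also catches some date-like strings, the usual
// trade-off for a highlight-before-send check that a human reviews anyway.
const PHONE_RE = /(?:\+\d{1,3}|\b0)[\d\s()-]{7,14}\d\b/g;

// ISO 7064 mod-97: move the first four characters to the end, map A-Z to 10..35,
// and the resulting number must leave remainder 1. Done digit by digit (no BigInt).
function isValidIban(candidate) {
  const s = candidate.replace(/\s+/g, '').toUpperCase();
  if (s.length < 15 || s.length > 34) return false;
  let remainder = 0;
  for (const ch of s.slice(4) + s.slice(0, 4)) {
    const value = /[A-Z]/.test(ch) ? String(ch.charCodeAt(0) - 55) : ch;
    for (const d of value) remainder = (remainder * 10 + Number(d)) % 97;
  }
  return remainder === 1;
}

// Returns the minimised text plus a list of what was replaced, so the user can
// review the highlights before the prompt leaves the organisation.
function minimisePrompt(text, manual = {}) {
  const findings = [];
  let out = text;
  for (const [value, replacement] of Object.entries(manual)) {
    if (out.includes(value)) findings.push({ kind: 'manual', value });
    out = out.split(value).join(replacement);
  }
  const mask = (kind, label) => (m) => { findings.push({ kind, value: m }); return label; };
  out = out.replace(IBAN_RE, (m) => (isValidIban(m) ? mask('iban', '[IBAN removed]')(m) : m));
  out = out.replace(EMAIL_RE, mask('email', '[email removed]'));
  out = out.replace(PHONE_RE, mask('phone', '[phone removed]'));
  return { text: out, findings };
}

// Constructed sample: a customer e-mail pasted into a prompt (all values invented;
// the IBAN is the widely published NL example value, which has a valid check digit).
const SAMPLE = 'Hi, this is Anna Jansen. Please refund the deposit to NL91 ABNA 0417 1643 00.\n' +
  'You can reach me on +31 6 1234 5678 or anna.jansen@example.com. Order 20240115.';

console.log(minimisePrompt(SAMPLE, { 'Anna Jansen': 'Customer A' }).text);
```

The order reference survives untouched, which is the point: the task stays intact while the traceable data does not leave the organisation.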

The infrastructure BeeSensible runs on is ISO 27001 certified; BeeSensible itself is not. BeeSensible does not replace your GDPR work, but it makes the most important measure concrete at the moment it counts.

Further reading: Compliance and AI and the AI Act alongside the GDPR.

FAQ

Common questions

Does the GDPR apply to AI tools like ChatGPT?

Yes. As soon as you put personal data into an AI tool, that is processing under the GDPR. Whether the tool is a chatbot, an assistant, or an analysis feature, the rules on lawful basis, purpose limitation, and data minimisation apply in full.

Do I need a data processing agreement for an AI tool?

If the AI vendor processes personal data on your behalf, a data processing agreement (Article 28 GDPR) is usually required. Many free and personal AI accounts run under a consumer policy without such an agreement, which makes business use with personal data problematic.

Can my data go to an AI tool outside the EU?

Only with a valid basis for international transfer, such as an adequacy decision or standard contractual clauses (SCCs). Many AI providers are based in the US, so this point deserves attention when choosing a tool.

What is the most important GDPR measure for AI?

Data minimisation. The less traceable personal data you put in a prompt, the lower the risk and the easier it is to comply with the GDPR. The other measures build on it.

When is a DPIA required for AI?

A DPIA is required for processing likely to result in a high risk to individuals, for example large-scale processing of special-category data or systematic monitoring. For sensitive AI use, a DPIA is often needed.